Summary:
Enable CircleCI to include network-level flow data (VPC flow logs) as part of its Audit Log streaming capability, allowing security teams to monitor and audit outbound network activity from CI pipeline jobs.
Problem:
CircleCI's current Audit Log streaming captures user actions and pipeline events, but provides no visibility into network-level activity occurring during job execution. When a security incident involves a compromised tool or dependency (e.g., a supply chain attack), security teams have no way to detect or investigate suspicious outbound connections made during CI runs directly from CircleCI's audit data.
Proposed Solution:
Extend CircleCI's Audit Log streaming to include VPC flow log data — capturing network traffic metadata (source/destination IPs, ports, protocols, bytes transferred, allow/deny decisions) for jobs running in CircleCI's infrastructure. This data should be streamable to customer-owned destinations such as S3, Splunk, Datadog, or other SIEM tools.
Use Cases:
  1. Detecting data exfiltration attempts during CI job execution
  2. Investigating security incidents involving compromised build tools or dependencies
  3. Meeting compliance requirements (SOC 2, ISO 27001, FedRAMP) that mandate network-level audit trails
  4. Correlating CircleCI job activity with a customer's own VPC flow logs
Expected Outcome:
Security and compliance teams can stream and query network-level activity from CircleCI jobs alongside existing audit log events, enabling faster incident detection and response.
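To make use cases 1 and 4 concrete, the following added example (not CircleCI's code, and not part of the original request) shows how a security team could screen streamed flow records from CI jobs for unexpected outbound destinations. It assumes records arrive in the AWS VPC flow log default field order (version 2), that CI jobs run in an assumed 10.0.0.0/16 subnet, and that the customer maintains an allowlist of approved egress ranges; every sample value is constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed AWS VPC flow log default (version 2) field order, space-separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
CI_SUBNET = ipaddress.ip_network("10.0.0.0/16")      # assumed CI job address space
APPROVED_EGRESS = {                                    # assumed customer allowlist
    ipaddress.ip_network("192.0.2.0/24"),              # e.g. approved source/artifact hosts (constructed)
    ipaddress.ip_network("10.0.0.0/16"),               # intra-VPC traffic
}

def parse_record(line):
    """Turn one flow record into a dict; numeric fields become ints ('-' becomes 0)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0
    return rec

def is_unexpected_egress(rec):
    """True for an ACCEPTed flow leaving the CI subnet for a non-allowlisted destination."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if rec["action"] != "ACCEPT" or src not in CI_SUBNET:
        return False
    return not any(dst in net for net in APPROVED_EGRESS)

def summarize_unexpected_egress(lines):
    """Aggregate bytes sent per (destination, port) over flagged flows, largest first."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        if is_unexpected_egress(rec):
            totals[(rec["dstaddr"], rec["dstport"])] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample records: an approved fetch, two flows to an unknown host (the second large),
# and a rejected SMTP attempt that the network already blocked.
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 10.0.12.34 192.0.2.10 51234 443 6 120 98000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.12.34 203.0.113.77 51235 443 6 9 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.12.34 203.0.113.77 51236 443 6 8000 52000000 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.12.34 198.51.100.9 51237 25 6 3 180 1700000060 1700000120 REJECT OK",
]

if __name__ == "__main__":
    for (dst, port), nbytes in summarize_unexpected_egress(SAMPLE_FLOWS):
        print(f"{dst}:{port} {nbytes} bytes from CI subnet")
```

In practice the allowlist would be derived from the destinations a pipeline legitimately needs (source control, package registries, artifact stores), and the aggregated totals would be joined against the job id carried in the existing audit log events.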