Add to the FWaaS service the ability for administrators to enable an 'audit trail' feature. The audit trail would record every change to a firewall that alters its security posture (what traffic is permitted or denied). The records would be emitted to the notification queue.
Audit records should contain all information necessary to process them. For example, a record that says "user abcde1234 permitted port 22 traffic from firewall group A to firewall group B" is not enough. To determine what needs to be scanned, the consumer of the audit would have to query FWaaS afterwards for the membership of the two firewall groups cited, and that membership may already have changed by the time the query is made. Records should carry enough information that no subsequent querying is required for processing.
The notification should encompass all of:
- Who: Identity of the user initiating the change.
- What: The information on what was changed. Should include the action (rule or firewall created, updated or deleted), protocol and port information, whether access was permitted or denied, etc.
- Where: A list of all affected ports/IP addresses/instances, grouped by connection origin/destination. This could be abbreviated to indicate an entire tenant if that is the target.
- When: Timestamp (in UTC) indicating when the change was initiated.
Use case: This would allow a customer's security team (not a Neutron security group) to subscribe to a collated feed of all security events in order to detect those events that should trigger an audit or vulnerability scan.
Presumably, the deletion of firewalls would also cause a notification to be emitted. That's not explicit above, but I believe it is implied.
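The following is an added example, not code from FWaaS or OpenStack, showing what a self-contained who/what/where/when record might look like and how a consumer could act on it without querying FWaaS. The group table, the field names and the function names (FIREWALL_GROUPS, build_audit_event, scan_targets) are assumptions for illustration only; the real notification payload would be defined by the service.

```python
"""Added example (not FWaaS code): build denormalised audit records for
firewall changes and consume them without re-querying the service."""
import json
from datetime import datetime, timezone

# Constructed sample data: group membership as the service knows it at the
# moment of the change. In a real deployment this comes from the FWaaS DB.
FIREWALL_GROUPS = {
    "group-A": {"tenant": "tenant-1", "members": [
        {"instance_id": "i-0001", "ip": "10.0.1.5"},
        {"instance_id": "i-0002", "ip": "10.0.1.6"},
    ]},
    "group-B": {"tenant": "tenant-1", "members": [
        {"instance_id": "i-0003", "ip": "10.0.2.7"},
    ]},
}


def expand_target(ref):
    """Resolve a group reference into concrete endpoints ("Where").

    A 'tenant:<id>' reference is the abbreviated whole-tenant form from the
    spec; it is passed through with members=None instead of being expanded.
    """
    if ref.startswith("tenant:"):
        return {"tenant": ref.split(":", 1)[1], "group": None, "members": None}
    group = FIREWALL_GROUPS[ref]  # membership captured at change time
    return {"tenant": group["tenant"], "group": ref,
            "members": [dict(m) for m in group["members"]]}


def build_audit_event(user_id, action, protocol, port, allow, src_ref, dst_ref,
                      when=None):
    """Produce one audit record carrying who/what/where/when.

    action is one of rule_create, rule_update, rule_delete, firewall_delete
    (assumed vocabulary). Membership is copied into the record so that the
    consumer never has to call back into FWaaS.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "who": {"user_id": user_id},
        "what": {"action": action, "protocol": protocol, "port": port,
                 "access": "permit" if allow else "deny"},
        "where": {"source": expand_target(src_ref),
                  "destination": expand_target(dst_ref)},
        "when": when.isoformat(),
    }


def to_queue_message(event):
    """Serialise for the notification queue (JSON here, as an assumption)."""
    return json.dumps(event, sort_keys=True)


def scan_targets(event):
    """Consumer side: decide from the record alone what to scan.

    Newly permitted access triggers a scan of the destination endpoints.
    Deleting a rule or a whole firewall may also widen exposure (a deny
    rule or all filtering goes away), so deletions trigger a scan too.
    Tightening a rule (a new deny) does not.
    """
    what = event["what"]
    opens_access = (what["access"] == "permit"
                    and what["action"] in ("rule_create", "rule_update"))
    is_deletion = what["action"] in ("rule_delete", "firewall_delete")
    if not (opens_access or is_deletion):
        return []
    dest = event["where"]["destination"]
    if dest["members"] is None:  # abbreviated whole-tenant target
        return ["tenant:" + dest["tenant"]]
    port = what["port"]
    return [m["ip"] if port is None else "%s:%s" % (m["ip"], port)
            for m in dest["members"]]


if __name__ == "__main__":
    ev = build_audit_event("abcde1234", "rule_create", "tcp", 22, True,
                           "group-A", "group-B")
    print(to_queue_message(ev))
    print("scan:", scan_targets(ev))
```

Note that `scan_targets` never touches `FIREWALL_GROUPS`: everything it needs is in the record, which is the property the spec asks for. A consumer that instead looked up "group-B" at processing time could scan the wrong hosts if the group had been edited between the change and the scan.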