Security Compliance

Streaming Security Audit Trail with Apache Iceberg

Stream database changes and security events into Apache Iceberg audit tables using SQL. RisingWave processes CDC and Kafka event streams in real time, writing enriched audit records to Iceberg for tamper-evident, long-term compliance storage.

Real-Time Audit Ingestion: Database changes and security events written to Iceberg audit tables within seconds of the source event, with no batch ETL window.

Immutable Audit Records: Iceberg append-only tables store audit records with tamper-evident snapshot history. Query the full history via Spark or Trino at any compliance checkpoint.

SQL Audit Pipeline: Define what to audit, how to enrich records, and where to write them using standard SQL in RisingWave, without custom audit pipeline code.

SOC 2 / GDPR Compliance Ready: Query the complete audit history in SQL to produce compliance evidence for SOC 2, GDPR data access logs, PCI DSS cardholder activity records, and HIPAA audit requirements.

Why Streaming Audit

Why do compliance audit trails require streaming ingestion into Iceberg?

Batch-based audit pipelines collect events periodically, leaving gaps in coverage and introducing hours of latency between a security event and its audit record. Streaming ingestion writes audit records to Iceberg within seconds, ensuring complete coverage, consistent timestamps, and no batch windows where events can be lost or delayed.

Factor               Batch Pipeline                       RisingWave
Audit Latency        Hours (batch ETL)                    Seconds (streaming)
Coverage Gaps        Events lost between batch runs       Complete per-event coverage
Historical Queries   Export + reprocess for time range    Iceberg snapshots queryable via Spark or Trino
Enrichment           Post-hoc join in data warehouse      Real-time stream-table join

  • Write database changes and security events to Iceberg audit tables within seconds using CDC streaming
  • Enrich audit records at ingestion time with user context, resource metadata, and policy labels using SQL stream-table joins
  • Query the complete audit history via Spark or Trino against Iceberg snapshots without exporting data
  • Demonstrate continuous monitoring to auditors with immutable Iceberg records that cannot be altered after write

Use Cases

What compliance audit scenarios does streaming Iceberg ingestion support?

Any compliance requirement that needs a complete, timestamped record of who accessed or changed what data. SOC 2 access logs, GDPR data subject activity, PCI DSS cardholder data access, and HIPAA audit trails all require continuous coverage that streaming ingestion provides and batch pipelines cannot.

Database Change Audit (CDC)

Stream every INSERT, UPDATE, and DELETE from PostgreSQL or MySQL into Iceberg audit tables using RisingWave CDC sources. Each change is written with timestamp, user, table, and before/after values, forming a complete change history queryable with SQL.

Privileged Access Monitoring

Stream authentication and authorization events from identity providers into Iceberg, enriched with resource sensitivity labels from a reference table join. Query the Iceberg table to produce privileged access reports for SOC 2 user access reviews.

Data Subject Activity for GDPR

Capture all reads and writes to personal data tables via CDC into an Iceberg audit log partitioned by data subject ID. Respond to GDPR Article 15 data subject access requests and Article 30 processing records using SQL queries on the Iceberg audit table.

PCI DSS Cardholder Data Access

Stream all access to cardholder data tables into an Iceberg audit trail enriched with merchant, terminal, and user context. Query the 12-month access history required for PCI DSS Requirement 10 via Spark or Trino against the Iceberg audit table.

How It Works

How does RisingWave stream security events into Iceberg audit tables?

RisingWave ingests database change events via CDC and security events from Kafka, enriches them with contextual metadata using stream-table joins, and continuously writes the enriched audit records to Apache Iceberg tables on S3-compatible object storage. The Iceberg audit table is immediately queryable via Spark, Trino, or Flink, with snapshot history covering every write since ingestion began.

  • Connect RisingWave to your PostgreSQL or MySQL databases as CDC sources to capture every row-level change event in real time
  • Create Kafka sources in RisingWave for authentication logs, API access events, and security telemetry streams
  • Define an enrichment materialized view using SQL stream-table joins to add user context, resource classification, and policy labels to each raw event
  • Create an Iceberg sink in RisingWave pointing to your S3 bucket, writing enriched audit records to partitioned Iceberg tables as events arrive
  • Query the Iceberg audit table via Spark or Trino to reconstruct the state of any record at any point in the compliance period using Iceberg snapshot history
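The steps above as one RisingWave SQL script for the privileged access monitoring case, written here as an added example rather than code from the page or from RisingWave itself. The Postgres host, Kafka broker, bucket, column names and the label values are assumptions; the enrichment uses a process-time temporal join so the view stays append-only and each audit record keeps the label that applied at ingestion.

```sql
-- 1. CDC source: resource sensitivity labels maintained in Postgres (assumed table)
CREATE SOURCE pg_cdc WITH (
    connector = 'postgres-cdc',
    hostname = 'postgres.internal',    -- placeholder host
    port = '5432',
    username = 'rw_cdc',
    password = 'REPLACE_ME',
    database.name = 'appdb'
);
CREATE TABLE resource_labels (
    resource_id VARCHAR PRIMARY KEY,
    sensitivity VARCHAR                -- constructed values: 'pci', 'pii', 'internal'
) FROM pg_cdc TABLE 'public.resource_labels';

-- 2. Kafka source: authn/authz decisions from the identity provider (constructed schema)
CREATE SOURCE auth_events (
    event_id    VARCHAR,
    user_id     VARCHAR,
    action      VARCHAR,               -- 'login', 'read', 'grant', ...
    resource_id VARCHAR,
    allowed     BOOLEAN,
    event_time  TIMESTAMPTZ
) WITH (
    connector = 'kafka',
    topic = 'auth-events',
    properties.bootstrap.server = 'kafka.internal:9092'
) FORMAT PLAIN ENCODE JSON;

-- 3. Enrichment: the temporal join snapshots the label at ingestion time and emits
--    only inserts, so later label edits never retract already-written audit rows.
CREATE MATERIALIZED VIEW audit_enriched AS
SELECT e.event_id, e.event_time, e.user_id, e.action, e.resource_id, e.allowed,
       COALESCE(r.sensitivity, 'unlabelled') AS sensitivity,
       (e.allowed AND r.sensitivity IN ('pci', 'pii')) AS privileged_access
FROM auth_events AS e
LEFT JOIN resource_labels FOR SYSTEM_TIME AS OF PROCTIME() AS r
       ON r.resource_id = e.resource_id;

-- 4. Append-only Iceberg sink on S3-compatible storage; only inserts reach Iceberg
CREATE SINK audit_sink FROM audit_enriched WITH (
    connector = 'iceberg',
    type = 'append-only',
    warehouse.path = 's3://compliance-audit/warehouse',   -- placeholder bucket
    s3.region = 'us-east-1',
    s3.access.key = 'REPLACE_ME',
    s3.secret.key = 'REPLACE_ME',
    catalog.type = 'storage',
    database.name = 'audit',
    table.name = 'access_events',
    create_table_if_not_exists = 'true'
);
```

For step 5, once the sink has committed, Trino can read the same table with time travel, for example `SELECT * FROM audit.access_events FOR TIMESTAMP AS OF TIMESTAMP '2024-01-01 00:00:00 UTC'`, to reconstruct the audit state at a compliance checkpoint.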

Frequently Asked Questions

How do I build a compliant security audit trail using Apache Iceberg?
How do I query the Iceberg audit trail for historical compliance evidence?
How does streaming CDC differ from trigger-based database auditing?
Can the Iceberg audit trail cover multiple databases and event sources?

Build a complete, queryable audit trail in real time

Stream database changes and security events into Apache Iceberg using SQL and start producing compliance evidence without batch ETL pipelines.
