Vol. 1 · Ed. 2026
CyberGlossary
Entry № 012

Accounting (AAA)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Accounting (AAA)?

Accounting (AAA): The third pillar of the AAA framework: recording what an authenticated identity did, when, from where and to which resources, for audit and billing purposes.


Accounting in the AAA model (Authentication, Authorization, Accounting) captures and stores activity records that link every action back to a verified identity, providing the evidence needed for security monitoring, forensic investigation, compliance and chargeback. Typical accounting data includes login and logout events, sessions, commands executed, bytes transferred and resources accessed. Protocols like RADIUS, TACACS+ and Diameter define how network devices send accounting records to centralized servers, while modern stacks aggregate them in SIEM and audit log platforms. Strong accounting requires tamper-resistant storage, accurate time synchronization and retention aligned with legal and regulatory requirements.

Standardised accounting predates modern observability. RADIUS accounting (RFC 2866) defines Accounting-Request packets whose Acct-Status-Type is Start, Interim-Update or Stop, carrying session duration and Acct-Input/Output-Octets; TACACS+ (RFC 8907) separates accounting from authentication and authorization so command-level auditing on routers can be logged independently; and Diameter (RFC 6733) modernises the model for mobile and IMS networks. In the cloud, services such as AWS CloudTrail, Azure Activity Log and Google Cloud Audit Logs play the same role, recording every control-plane API call with caller identity, source IP and timestamp.
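
An added example, not part of the original entry: a Python parser that verifies the Request Authenticator of a RADIUS Accounting-Request and decodes the attributes named above, rejecting malformed or altered packets. The shared secret, user name, session ID and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2865/2866; integer attributes are 32-bit big-endian.
ATTRS = {1: "User-Name", 40: "Acct-Status-Type", 42: "Acct-Input-Octets",
         43: "Acct-Output-Octets", 44: "Acct-Session-Id", 46: "Acct-Session-Time"}
INT_ATTRS = {40, 42, 43, 46}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def _authenticator(header, attrs, secret):
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attrs, secret):
    # Encoder used only to construct the sample packet below.
    body = b""
    for num, value in attrs:
        raw = struct.pack("!I", value) if num in INT_ATTRS else value.encode()
        body += bytes([num, len(raw) + 2]) + raw
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_request(pkt, secret):
    """Validate and decode an Accounting-Request (code 4); ValueError on any defect."""
    length = int.from_bytes(pkt[2:4], "big")
    if len(pkt) < 20 or pkt[0] != 4 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    pkt = pkt[:length]  # octets beyond Length are padding
    if not hmac.compare_digest(_authenticator(pkt[:4], pkt[20:], secret), pkt[4:20]):
        raise ValueError("Request Authenticator mismatch")
    record, pos = {"Identifier": pkt[1]}, 20
    while pos < length:
        if length - pos < 2 or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        num, end = pkt[pos], pos + pkt[pos + 1]
        raw, pos = pkt[pos + 2:end], end
        if num in INT_ATTRS and len(raw) != 4:
            raise ValueError("integer attribute must be 4 octets")
        if num in INT_ATTRS:
            value = struct.unpack("!I", raw)[0]
            record[ATTRS[num]] = STATUS.get(value, value) if num == 40 else value
        elif num in ATTRS:  # attributes not in ATTRS are skipped
            record[ATTRS[num]] = raw.decode("utf-8", "replace")
    return record

# Constructed sample: Stop record of a VPN session; every value is invented.
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(7, [(1, "alice"), (40, 2), (44, "vpn-0001"), (46, 3600),
                           (42, 1048576), (43, 52428800)], SECRET)
```

The authenticator only proves the sender knew the shared secret at transmission time; integrity of the stored record still depends on the off-host, append-only storage described in this entry.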

Accounting underpins non-repudiation: because each record is bound to an authenticated identity, a user cannot credibly deny an action. Regulations make it mandatory — PCI DSS Requirement 10 demands logging of all access to cardholder data, and NIST SP 800-92 (Guide to Computer Security Log Management) gives the canonical implementation guidance. Because attackers routinely clear logs to cover their tracks (MITRE ATT&CK T1070, Indicator Removal), robust accounting ships records off-host in near-real time to WORM or append-only storage, signs or hash-chains them for integrity, and synchronises clocks with NTP so events across systems can be correlated during incident response.

flowchart LR
  U[User / device] -->|action| N[Network device or app]
  N -->|Accounting-Request RADIUS / TACACS+| S[AAA server]
  S --> L[(Tamper-resistant log store)]
  L --> M[SIEM correlation]
  M --> R[Audit / billing / forensics]

Examples

  1. RADIUS accounting records for VPN session start, stop and total bytes used.

  2. Cloud audit logs that capture every API call with caller identity and source IP.

Frequently asked questions

What is Accounting (AAA)?

The third pillar of the AAA framework: recording what an authenticated identity did, when, from where and to which resources, for audit and billing purposes. It belongs to the Identity & Access category of cybersecurity.

How do you defend against Accounting (AAA)?

Defences for Accounting (AAA) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Accounting (AAA)?

Common alternative names include: Auditing, Audit logging.
