Loki stores centralized logs and usually receives data from many agents/tenants.
- Restrict ingestion endpoints to trusted agents (Promtail, Alloy, etc.).
- Use TLS and auth between shippers and Loki.
- Enforce tenant separation and label controls in multi-tenant setups.
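
The three items above, sketched as a pair of configuration fragments. This is an added example, not configuration from the original page or from the Loki project. Hostnames, file paths, the tenant name and the limit values are assumptions, and the authenticating reverse proxy in front of Loki is assumed rather than shown.

```yaml
# --- loki.yaml (fragment) ---------------------------------------------
# Weak: auth_enabled: false stores every stream under the single built-in
# tenant "fake", so there is no tenant separation at all.
auth_enabled: true              # every request must carry X-Scope-OrgID

server:
  # Loki has no built-in authentication layer. Bind it to loopback (or a
  # private network) so the only path in is the authenticating proxy.
  http_listen_address: 127.0.0.1
  http_listen_port: 3100

limits_config:
  # Label controls: cap what one tenant can push (values are assumptions).
  max_label_names_per_series: 15
  max_label_name_length: 1024
  max_label_value_length: 2048
  ingestion_rate_mb: 4
  ingestion_burst_size_mb: 6
  reject_old_samples: true
---
# --- promtail.yaml (fragment) -----------------------------------------
# Weak equivalent, for comparison:
#   clients:
#     - url: http://loki:3100/loki/api/v1/push   # plaintext, no auth, no tenant
clients:
  - url: https://loki.example.internal/loki/api/v1/push   # assumed hostname
    tenant_id: team-a           # sent as X-Scope-OrgID (assumed tenant name)
    basic_auth:
      username: promtail-team-a
      password_file: /etc/promtail/loki-password   # keep out of the YAML
    tls_config:
      ca_file: /etc/promtail/ca.crt        # pin the internal CA
      cert_file: /etc/promtail/client.crt  # client cert if the proxy uses mTLS
      key_file: /etc/promtail/client.key
      server_name: loki.example.internal
```

The tenant ID sent by a shipper is only a claim, so the proxy should set or validate `X-Scope-OrgID` from the authenticated identity rather than trust the value the client supplies.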
Storage and Access Controls
- Protect object storage and index backends with least-privilege IAM.
- Restrict query API and Grafana datasource access by role.
- Audit access to high-sensitivity log streams.