7 best practices for AWS audit logs: Setup, retention, and actual usefulness

Audit logs are evidence. They answer "who changed what and when." CloudTrail records the API calls made against your account. You configure it, it logs, you analyze. Compliance demands it. Good operations require it.

Enable CloudTrail (multi-region)

Create a multi-region trail. One setting records API calls across all services in every region, including regions you never use.

Send logs to S3. CloudTrail writes to a dedicated bucket. Configure a lifecycle rule to move old logs to Glacier. Enable versioning and MFA delete (MFA delete requires versioning) to prevent accidental deletion.

Enable log file validation. It makes tampering detectable: CloudTrail publishes signed digest files listing the hash of every delivered log file, so you can verify that the logs in the bucket are the logs CloudTrail wrote.
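What log file validation actually gives you is a hash chain. As an added example (not code from the original post), the function below checks that chain offline: each digest lists the SHA-256 of every log file it covers and the SHA-256 of the previous digest, so a modified or missing log file shows up as a mismatch. The digest contents, bucket key and account ID are constructed samples. The RSA signature over each digest, which `aws cloudtrail validate-logs` checks with the keys from `list-public-keys`, is deliberately left out here; this covers the hash chain only.

```python
"""Added example: verifying the CloudTrail digest hash chain offline.

Not code from the original post. Covers the SHA-256 chain only; the RSA
signature on each digest is not checked here. All sample data is constructed.
"""
import gzip
import hashlib
import json
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest: dict, objects: Dict[str, bytes],
                  previous_digest_bytes: Optional[bytes]) -> List[str]:
    """Return the problems found; an empty list means the chain is intact.

    `digest` is the parsed digest JSON. `objects` maps S3 keys to the bytes
    stored under them: log files are gzip-compressed and the digest hashes the
    stored bytes, not the decompressed JSON.
    """
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            problems.append(f"missing log file {key}")
            continue
        if entry["hashAlgorithm"] != "SHA-256":
            problems.append(f"unexpected hash algorithm for {key}")
            continue
        if sha256_hex(objects[key]) != entry["hashValue"]:
            problems.append(f"hash mismatch for {key}")
    # The first digest of a trail has no predecessor; every later one must chain.
    if digest.get("previousDigestHashValue") is not None:
        if previous_digest_bytes is None:
            problems.append("previous digest not available; chain broken")
        elif sha256_hex(previous_digest_bytes) != digest["previousDigestHashValue"]:
            problems.append("previous digest hash mismatch")
    return problems


# Constructed sample: one IAM event in CloudTrail's record format.
LOG_RECORDS = {"Records": [{"eventVersion": "1.08", "eventSource": "iam.amazonaws.com",
                            "eventName": "AttachUserPolicy",
                            "eventTime": "2024-05-01T10:15:00Z"}]}


def build_sample():
    """Construct one gzipped log file, the digest that covers it, and a previous digest."""
    log_key = ("AWSLogs/111122223333/CloudTrail/us-east-1/2024/05/01/"
               "sample_CloudTrail_us-east-1_20240501T1015Z.json.gz")
    log_bytes = gzip.compress(json.dumps(LOG_RECORDS).encode(), mtime=0)
    previous_digest_bytes = gzip.compress(b'{"logFiles": []}', mtime=0)
    digest = {
        "awsAccountId": "111122223333",           # placeholder account
        "digestStartTime": "2024-05-01T10:00:00Z",
        "digestEndTime": "2024-05-01T11:00:00Z",
        "previousDigestHashValue": sha256_hex(previous_digest_bytes),
        "logFiles": [{"s3Bucket": "example-trail-bucket", "s3Object": log_key,
                      "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(log_bytes)}],
    }
    return digest, {log_key: log_bytes}, previous_digest_bytes


def demo():
    """Return (problems for intact logs, problems after a log file is edited in place)."""
    digest, objects, prev = build_sample()
    clean = verify_digest(digest, objects, prev)
    key = next(iter(objects))
    tampered = dict(objects)
    tampered[key] = gzip.compress(b'{"Records": []}', mtime=0)  # the IAM event "disappears"
    return clean, verify_digest(digest, tampered, prev)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact:", ok or "no problems")
    print("tampered:", bad)
```

The point of the chain check is that deleting or rewriting a log file in the bucket does not help an intruder unless they can also re-sign every later digest, which they cannot do without CloudTrail's private key.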

Use organization trails

If you have multiple AWS accounts, create an organization trail through AWS Organizations. One trail covers every account, including accounts added later. Solves cross-account visibility.

A central logging account receives all logs. This reduces noise and improves auditability.

Filter intelligently

CloudTrail logs everything. Thousands of events per day. You need to know what matters.

Use CloudWatch Events (now Amazon EventBridge) to match the events that matter: security group changes, IAM role and policy changes, unauthorized API calls. Route those to SNS or Lambda for immediate action.

Ignore noise. Read-only calls such as DescribeInstances and GetUser fire constantly. Create alarms only for changes.

Monitor and alert

CloudWatch Logs Insights can query the logs once the trail also delivers to a CloudWatch Logs log group. "Show me all IAM policy changes in the last 24 hours."

Athena can query the S3 logs directly. Build saved queries for compliance reporting.

Alerts: unauthorized API calls, privilege escalation, data deletion. These should trigger immediately.
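The filtering and alerting sections above describe the same decision: which records are noise and which deserve a page. As an added example, not code from the original post, the triage below applies those categories to records in CloudTrail's JSON format: failed calls (AccessDenied, UnauthorizedOperation) always alert, read-only calls are dropped, and security group, IAM and deletion events are grouped for routing. It also implements the "last 24 hours" window the Logs Insights query asks for. The event lists are one reasonable reading of the post's categories, not AWS-defined sets, and the records are constructed samples.

```python
"""Added example: triaging CloudTrail records into noise and alert categories.

Not code from the original post. The event-name sets are assumptions chosen
to match the post's categories; the sample records are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

READ_ONLY_PREFIXES = ("Describe", "Get", "List")
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_CHANGE_PREFIXES = ("Put", "Attach", "Detach", "Create", "Delete",
                       "Update", "Add", "Remove")
DELETION_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects",
                   "DeleteTable", "DeleteDBInstance"}
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def triage(record: dict) -> Optional[str]:
    """Return an alert category for one record, or None if it is noise."""
    name = record.get("eventName", "")
    source = record.get("eventSource", "")
    # A denied call is interesting even when the API itself is read-only,
    # so check the error before dropping read-only traffic.
    if record.get("errorCode", "") in DENIED_CODES:
        return "unauthorized-api-call"
    if record.get("readOnly") or name.startswith(READ_ONLY_PREFIXES):
        return None
    if source == "ec2.amazonaws.com" and name in SG_CHANGES:
        return "security-group-change"
    if source == "iam.amazonaws.com" and name.startswith(IAM_CHANGE_PREFIXES):
        return "iam-change"
    if name in DELETION_EVENTS:
        return "data-deletion"
    return None


def changes_since(records: List[dict], now: datetime, hours: int = 24) -> List[dict]:
    """Keep records whose eventTime falls within the last `hours`."""
    cutoff = now - timedelta(hours=hours)
    return [r for r in records
            if datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ") >= cutoff]


def triage_log(records: List[dict]) -> Dict[str, List[str]]:
    """Group alert-worthy records by category; noise is dropped."""
    groups: Dict[str, List[str]] = {}
    for r in records:
        category = triage(r)
        if category is None:
            continue
        who = r.get("userIdentity", {}).get("arn", "unknown")
        groups.setdefault(category, []).append(f'{r["eventName"]} by {who}')
    return groups


def _rec(name, source, time, arn, **extra):
    rec = {"eventName": name, "eventSource": source, "eventTime": time,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{arn}"}}
    rec.update(extra)
    return rec


# Constructed sample log; account ID and user names are placeholders.
NOW = datetime(2024, 5, 2, 12, 0, 0)
SAMPLE_RECORDS = [
    _rec("DescribeInstances", "ec2.amazonaws.com", "2024-05-02T11:00:00Z", "deployer", readOnly=True),
    _rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "2024-05-02T10:30:00Z", "deployer"),
    _rec("AttachUserPolicy", "iam.amazonaws.com", "2024-05-02T09:00:00Z", "admin"),
    _rec("GetUser", "iam.amazonaws.com", "2024-05-02T08:00:00Z", "intern",
         readOnly=True, errorCode="AccessDenied"),
    _rec("DeleteBucket", "s3.amazonaws.com", "2024-05-02T07:00:00Z", "admin"),
    _rec("PutUserPolicy", "iam.amazonaws.com", "2024-04-28T07:00:00Z", "admin"),  # older than 24h
]

if __name__ == "__main__":
    for category, events in triage_log(changes_since(SAMPLE_RECORDS, NOW)).items():
        print(category, events)
```

Privilege escalation rarely shows up as a single record; treating every IAM change as an alert and letting a human decide is the simplest version of the post's advice. In production the same function sits behind an EventBridge rule or a Lambda subscribed to the log group, and the `triage_log` output is what you send to SNS.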

Retention and cost

Logs add up. Keep 90 days hot, then move older logs to Glacier. Delete after 1-3 years, depending on your compliance requirements.

Cost scales with volume. A busy system might generate 100 GB/month. Filtering and intelligent retention save money.
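The retention policy above maps directly onto one S3 lifecycle rule. As an added example, not the post's own code, the function below builds the configuration document that S3's PutBucketLifecycleConfiguration API accepts (boto3's `put_bucket_lifecycle_configuration`): transition to Glacier after the hot period, expire at the retention limit. Because MFA delete requires versioning, it also expires non-current object versions, otherwise every overwritten or deleted log lingers at full cost. The rule ID and prefix are assumptions; the days are taken from the post.

```python
"""Added example: S3 lifecycle configuration for a CloudTrail log bucket.

Not code from the original post. Returns the document accepted by
PutBucketLifecycleConfiguration; rule ID and prefix are assumed values.
"""
from typing import Dict


def lifecycle_config(hot_days: int = 90, retention_years: int = 3,
                     prefix: str = "AWSLogs/") -> Dict:
    """Build one lifecycle rule: hot for `hot_days`, Glacier until expiry."""
    retention_days = retention_years * 365
    if hot_days < 0:
        raise ValueError("hot_days must be non-negative")
    # S3 rejects a rule whose Expiration is not later than its Transition.
    if retention_days <= hot_days:
        raise ValueError("retention must be longer than the hot period")
    rule = {
        "ID": "cloudtrail-retention",           # assumed rule name
        "Filter": {"Prefix": prefix},           # CloudTrail writes under AWSLogs/<account>/
        "Status": "Enabled",
        "Transitions": [{"Days": hot_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": retention_days},
        # Versioning is mandatory for MFA delete; without this, deleted or
        # overwritten objects survive as non-current versions forever.
        "NoncurrentVersionExpiration": {"NoncurrentDays": retention_days},
    }
    return {"Rules": [rule]}


if __name__ == "__main__":
    import json
    print(json.dumps(lifecycle_config(90, 3), indent=2))
```

Apply it with `s3.put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=lifecycle_config())`; the bucket name is yours to fill in. Raising `retention_years` for a regulated workload changes only the expiry, not the hot window.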

Compliance requirements

Financial services: 7 years retention.

GDPR: Log access to personal data.

HIPAA: Log access to health data.

PCI DSS: Log network access attempts.

Document your log retention and alerting strategy for auditors.

Where Critical Cloud comes in

Logs are useful only if you actually read them. Most teams collect logs and never look. Alerts are noise. Queries are too complex.

We're a Powered by Datadog accredited partner. We normalize your CloudTrail logs, filter the noise, and surface only what matters. Security events, compliance-relevant changes, cost anomalies.

If audit logs feel overwhelming or you're not sure they're working, see how Critical Support works.