Audit Logging Setup
Audit logs are the foundation of compliance and incident response. We implement comprehensive audit logging across every layer of your stack — infrastructure, application, data access, and authentication — with tamper-proof storage, efficient search, and compliance-grade retention.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Infrastructure Audit Logging
CloudTrail captures every AWS API call with caller identity, timestamp, source IP, and request parameters. VPC Flow Logs record network traffic metadata. We configure an organization-level CloudTrail trail with management and data events, delivered to a centralized S3 bucket in a dedicated log archive account. CloudTrail log file integrity validation (hourly digest files signed by CloudTrail) lets you verify that delivered log files have not been modified, deleted, or forged since delivery. For multi-cloud, we add GCP Audit Logs and Azure Activity Logs with centralized aggregation.
Application-Level Audit Logging
Infrastructure logs show API calls — application logs show business actions. We implement structured audit logging in your application: user login/logout, permission changes, data creation/modification/deletion, configuration changes, and API key management. Each audit event includes: actor identity, action type, target resource, timestamp, source IP, and outcome (success/failure). Log format is standardized JSON for consistent querying across all systems.
Tamper-Proof Storage
Audit logs are worthless if they can be modified or deleted. We store logs in append-only storage: S3 with Object Lock in Compliance mode, or a dedicated log archive account with SCPs preventing log deletion. Log file integrity is verified via CloudTrail digest files or custom hash chains. The log archive account has no cross-account admin access — even if your production account is compromised, audit logs remain intact and admissible as evidence.
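The custom hash chain mentioned above, applied to the structured JSON audit events described under Application-Level Audit Logging, as an added illustration (this is example code, not Anubiz Engineering's own implementation). Each record carries the SHA-256 of the previous record, so editing or dropping any record breaks verification; the events, field names, and IP address are constructed sample data.

```python
import hashlib
import json

# Fields the page lists for every application audit event (names assumed).
FIELDS = ("actor", "action", "target", "timestamp", "source_ip", "outcome")
GENESIS = "0" * 64  # anchor hash for the first record


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the hash does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict) -> dict:
    """Append an audit event, linking it to the previous record's hash."""
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError(f"audit event missing fields: {missing}")
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "event": event}
    record = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Recompute every hash and link. Returns (ok, index of first bad record)."""
    expected_prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: record[k] for k in ("seq", "prev_hash", "event")}
        if record["seq"] != i or record["prev_hash"] != expected_prev:
            return False, i  # a record was dropped or reordered
        if hashlib.sha256(canonical(body)).hexdigest() != record["hash"]:
            return False, i  # a record's contents were rewritten
        expected_prev = record["hash"]
    return True, None


def demo() -> dict:
    """Constructed sample events; shows that an edit and a deletion both fail verification."""
    chain = []
    for actor, action, target, outcome in [
        ("alice", "login", "console", "success"),
        ("alice", "permission.grant", "role/admin", "success"),
        ("bob", "data.delete", "customers/42", "failure"),
    ]:
        append_event(chain, {"actor": actor, "action": action, "target": target,
                             "timestamp": "2024-01-01T00:00:00Z",
                             "source_ip": "203.0.113.5", "outcome": outcome})
    edited = json.loads(json.dumps(chain))       # deep copy, then rewrite one outcome
    edited[1]["event"]["outcome"] = "failure"
    deleted = chain[:1] + chain[2:]              # drop the permission-change record
    return {"intact": verify_chain(chain), "edited": verify_chain(edited),
            "deleted": verify_chain(deleted)}
```

In production the latest hash would be periodically written somewhere the log producer cannot overwrite (for example an Object Lock bucket in the log archive account), so that a verifier has a trusted anchor to check the chain against.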
Search, Alerting, and Retention
Logs are indexed in OpenSearch, Loki, or CloudWatch Logs Insights for sub-second queries across billions of events. Saved queries cover common audit scenarios: "show all actions by user X in the last 30 days," "show all data deletion events," "show all failed authentication attempts." Real-time alerts trigger on high-risk events: privilege escalation, bulk data access, access from unusual geolocations. Retention follows compliance requirements: 1 year for SOC 2, 6 years for HIPAA, 1 year for PCI DSS.
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.