AWS Audit Artifacts
AWS Patterns for Storing Audit Artifacts
What counts as “audit artifacts”?
Logs, configuration histories, change approvals, vulnerability & security findings, backup reports, evidence exports (e.g., screenshots/CSVs), and third-party attestation documents.
Proven Storage Pattern (Backbone)
- Central S3 “evidence” bucket in a dedicated Audit/Log Archive account:
- Enable Versioning (required by Object Lock), S3 Object Lock in Compliance mode with a default retention period sized to your policy (in Compliance mode nobody, not even the account root user, can shorten retention or delete a locked version before it expires, so choose the period deliberately), SSE-KMS with a customer-managed key, and Block Public Access.
- Route writes from your own workloads through an S3 Gateway Endpoint (no internet path). Service deliveries (CloudTrail, Config, ELB access logs) do not traverse your endpoint, so endpoint-only bucket policies must exempt service principals. Enable S3 server access logging on the evidence bucket (or CloudTrail S3 data events), delivered to a separate log bucket, so reads of evidence are themselves evidence.
- Set Lifecycle rules to transition older versions to S3 Glacier Flexible Retrieval / Deep Archive. Locked versions transition but cannot be expired until their retention ends, and restores from Deep Archive take hours, so plan retrieval drills accordingly.
- Integrity: Turn on CloudTrail log file integrity validation (hourly, signed digest files that record the hash of every delivered log object and chain to the previous digest). S3 Glacier Vault Lock applies only to S3 Glacier vaults (the separate vault API), not to Glacier storage classes inside the evidence bucket, where Object Lock already provides immutability; use AWS Backup Vault Lock for backup recovery points.
- Access control: Tight bucket policies, SCPs, least-privilege IAM, and KMS key policies scoped to the audit team; give evidence readers a role separate from the producers, and give neither delete rights.
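To see what integrity validation actually gives you, here is an added example (not code from the page, and not the implementation behind `aws cloudtrail validate-logs`) that reproduces the documented digest-file structure in memory and checks the hash chain offline: each `logFiles[].hashValue` is the hex SHA-256 of a delivered log object and `previousDigestHashValue` ties each digest to the one before it. Both are assumed here to be computed over the uncompressed contents, as the digest documentation describes. The bucket, keys and events are constructed; the RSA signature CloudTrail stores as object metadata on each digest is not checked (the CLI does that with the keys from `aws cloudtrail list-public-keys`).

```python
import gzip
import hashlib
import json

# Constructed names; real digests live under AWSLogs/<account>/CloudTrail-Digest/ and
# real logs under AWSLogs/<account>/CloudTrail/<region>/... in the evidence bucket.
BUCKET_NAME = "acme-audit-evidence"
LOG0 = "AWSLogs/111111111111/CloudTrail/us-east-1/2025/10/21/log-00.json.gz"
LOG1 = "AWSLogs/111111111111/CloudTrail/us-east-1/2025/10/21/log-01.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def put_gzip_json(bucket: dict, key: str, obj) -> None:
    """Store obj as a gzipped JSON object, the way CloudTrail stores logs and digests (.json.gz)."""
    bucket[key] = gzip.compress(json.dumps(obj, sort_keys=True).encode())


def uncompressed(bucket: dict, key: str) -> bytes:
    return gzip.decompress(bucket[key])


def build_digest(bucket: dict, digest_key: str, log_keys: list, prev_digest_key=None) -> dict:
    """Write a digest in the documented shape (subset of fields), chained to the previous digest.
    Hashes are over uncompressed contents (assumption from the digest docs, see lead-in)."""
    digest = {
        "digestS3Bucket": BUCKET_NAME,
        "digestS3Object": digest_key,
        "previousDigestS3Bucket": BUCKET_NAME if prev_digest_key else None,
        "previousDigestS3Object": prev_digest_key,
        "previousDigestHashValue": (sha256_hex(uncompressed(bucket, prev_digest_key))
                                    if prev_digest_key else None),
        "logFiles": [{"s3Bucket": BUCKET_NAME, "s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(uncompressed(bucket, k))} for k in log_keys],
    }
    put_gzip_json(bucket, digest_key, digest)
    return digest


def verify_digest(bucket: dict, digest_key: str) -> list:
    """Return the problems found; an empty list means every listed log object still hashes to
    its recorded hashValue and the digest links to the previous digest by its recorded hash."""
    if digest_key not in bucket:
        return [f"digest {digest_key} missing"]
    digest = json.loads(uncompressed(bucket, digest_key))
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in bucket:
            problems.append(f"log {key} missing")
        elif entry.get("hashAlgorithm") != "SHA-256":
            problems.append(f"log {key} unexpected hash algorithm {entry.get('hashAlgorithm')}")
        elif sha256_hex(uncompressed(bucket, key)) != entry["hashValue"]:
            problems.append(f"log {key} hash mismatch")
    prev = digest.get("previousDigestS3Object")
    if prev:
        if prev not in bucket:
            problems.append(f"previous digest {prev} missing")
        elif sha256_hex(uncompressed(bucket, prev)) != digest["previousDigestHashValue"]:
            problems.append(f"previous digest {prev} hash mismatch")
    return problems


def verify_chain(bucket: dict, newest_digest_key: str) -> dict:
    """Walk back from the newest digest to the first one, collecting problems per digest."""
    report, key = {}, newest_digest_key
    while key:
        report[key] = verify_digest(bucket, key)
        if key not in bucket:
            break
        key = json.loads(uncompressed(bucket, key)).get("previousDigestS3Object")
    return report


def demo() -> dict:
    """Constructed sample: two hourly logs, two chained digests, then two tampering attempts."""
    bucket = {}
    put_gzip_json(bucket, LOG0, {"Records": [{"eventName": "StopLogging",
                                              "eventTime": "2025-10-21T00:10:00Z"}]})
    put_gzip_json(bucket, LOG1, {"Records": [{"eventName": "PutBucketPolicy",
                                              "eventTime": "2025-10-21T01:05:00Z"}]})
    build_digest(bucket, "digest-00", [LOG0])
    build_digest(bucket, "digest-01", [LOG1], "digest-00")
    clean = verify_chain(bucket, "digest-01")
    # Attacker rewrites hour 0 to hide the StopLogging call: the log hash no longer matches.
    put_gzip_json(bucket, LOG0, {"Records": []})
    tampered = verify_chain(bucket, "digest-01")
    # Attacker also regenerates digest-00 to fit the new log: digest-01's chain link now breaks.
    build_digest(bucket, "digest-00", [LOG0])
    forged = verify_chain(bucket, "digest-01")
    return {"clean": clean, "tampered": tampered, "forged_digest": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The second tampering case is why the chain matters: a forger who can rewrite both a log and its digest still cannot fix the next digest without re-signing it, and the signature is the part only CloudTrail's private key can produce. Run the real check (`aws cloudtrail validate-logs --trail-arn ... --start-time ...`) against the evidence bucket as part of the quarterly drill.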
How to Generate & Ingest the Artifacts
| Artifact type | AWS producer service(s) | Where to store | Audit-helpful notes |
|---|---|---|---|
| API activity logs | AWS CloudTrail (org-level trail + data events as needed) | S3 evidence bucket (+ optional CloudTrail Lake) | Enable integrity validation; retain for your policy (e.g., 7 years). |
| Config snapshots & change history | AWS Config (recorder + conformance packs) | S3 evidence bucket | Conformance pack results map cleanly to frameworks. |
| Network traffic logs | VPC Flow Logs, ALB/NLB logs, CloudFront, WAF | S3 evidence bucket | Partition prefixes for Athena (account/region/service/date). |
| OS/app logs | CloudWatch Logs (EC2/EKS/Lambda) | Export to S3 (CreateExportTask batches, or a subscription filter → Kinesis Data Firehose → S3 for continuous delivery) | Use OpenSearch for investigations; S3 for durable retention. |
| Security findings | Security Hub, GuardDuty, Inspector, Macie, IAM Access Analyzer | Export to S3 (EventBridge → Lambda/Firehose) | Security Hub deletes findings 90 days after their last update, so the S3 export is the durable record; store raw findings + rolled-up Security Hub reports. |
| Changes/approvals/runs | SSM Change Manager, SSM Automation, CodePipeline | Export execution records/artifacts to S3 | Change tickets tied to runbook executions. |
| Backups & reports | AWS Backup + Backup Audit Manager | Reports to S3; recovery points in a vault with Vault Lock | Vault Lock makes the recovery points immutable; the compliance reports and job histories land in S3 under Object Lock. |
| Kubernetes audit logs | EKS control plane logging (api, audit, authenticator, controllerManager, scheduler) → CloudWatch Logs | Export to S3 | Enable at least the audit and authenticator log types. |
| Database activity | RDS/Aurora engine audit logs (e.g., pgaudit, MariaDB audit plugin) → CloudWatch Logs; Database Activity Streams where the engine supports them; CloudTrail data events for S3/DynamoDB | S3 evidence bucket | Capture who ran what; Enhanced Monitoring / Performance Insights are operational metrics, not audit evidence. |
| Third-party attestations | AWS Artifact (SOC/ISO/PCI) | Upload PDFs to S3 | Alongside each PDF, store a JSON metadata sidecar (hash, date, owner). |
| Manual evidence | AWS Audit Manager (manual uploads) | Stored by Audit Manager; assessment reports exported to your S3 bucket | Automatically ties evidence to controls/assessments. |
Make It Audit-Friendly (Controls & Integrity)
Immutability
- S3 Object Lock – Compliance mode (per bucket/object).
- S3 Glacier Vault Lock (only if you keep evidence in S3 Glacier vaults via the vault API; it does not apply to Glacier storage classes inside the Object Lock bucket).
- AWS Backup Vault Lock for backup immutability.
Encryption
- SSE-KMS with customer-managed keys.
- Separate keys for logs vs sensitive evidence.
- Tight key policy (no broad principals), grants only to the producing services; enable automatic rotation, which keeps prior key material so archived evidence stays decryptable.
Provenance
- Org-level CloudTrail + digest files (integrity).
- Bucket policies that restrict PutObject to the expected AWS service principals, with aws:SourceArn/aws:SourceAccount conditions so only your own trails and recorders can deliver.
- Deny direct writes from the internet and require the S3 VPC endpoint for human and workload access. Caveat: CloudTrail, Config and other service deliveries never traverse your VPC endpoint, so an aws:SourceVpce Deny must exempt service principals (for example with an aws:PrincipalIsAWSService condition) or delivery stops.
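The bucket policy conditions above are where deliveries most often break, so here is an added example (mine, not the page's) that builds the Deny statements for the evidence bucket as a Python dict and runs a handful of request scenarios through a deliberately small evaluator. The evaluator models only Deny statements with `Bool`/`StringEquals`/`StringNotEquals` on single-valued context keys (no Allow evaluation, no `IfExists`, no `Null`). Bucket, account, VPC endpoint and KMS key identifiers are placeholders, and the list of delivering accounts is assumed to contain every account whose trail or Config recorder writes to the bucket.

```python
import fnmatch

# Placeholders: substitute your own identifiers.
BUCKET = "acme-audit-evidence"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
DELIVERING_ACCOUNTS = ["111111111111", "222222222222"]  # accounts whose trails/recorders deliver here
VPCE_ID = "vpce-0123456789abcdef0"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/11111111-2222-3333-4444-555555555555"


def evidence_bucket_policy() -> dict:
    """Deny statements for the evidence bucket. Allow statements for the audit role and the
    delivering service principals are separate and not modelled here."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Every write must name the audit CMK. Configure the same key on the trail and the
        # Config delivery channel, otherwise their deliveries hit this Deny.
        {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}}},
        # Service deliveries may only originate from our own accounts.
        {"Sid": "DenyServiceWritesFromOtherAccounts", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"},
                       "StringNotEquals": {"aws:SourceAccount": DELIVERING_ACCOUNTS}}},
        # Humans and workloads must arrive through the S3 VPC endpoint. Service deliveries
        # never traverse your endpoint, so they are exempted; drop the Bool condition and
        # CloudTrail/Config delivery is denied as well.
        {"Sid": "DenyOffEndpointAccess", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID},
                       "Bool": {"aws:PrincipalIsAWSService": "false"}}},
    ]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator: str, key: str, wanted, ctx: dict) -> bool:
    """Subset of IAM condition semantics for single-valued context keys."""
    actual = ctx.get(key)
    wanted = [str(w) for w in _as_list(wanted)]
    if operator == "Bool":              # missing key: condition is false
        return actual is not None and str(actual).lower() in [w.lower() for w in wanted]
    if operator == "StringEquals":      # missing key: false
        return actual in wanted
    if operator == "StringNotEquals":   # missing key: true (this is what makes the VPCE Deny bite)
        return actual not in wanted
    raise ValueError(f"operator {operator} not modelled")


def explicit_deny(policy: dict, action: str, resource: str, ctx: dict):
    """Return the Sid of the first matching Deny statement, or None. Principal is assumed '*'."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if all(_condition_holds(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            return st["Sid"]
    return None


# Constructed request contexts (the keys IAM would populate for each caller).
OBJ = BUCKET_ARN + "/AWSLogs/111111111111/CloudTrail/us-east-1/2025/10/21/x.json.gz"
TRAIL_DELIVERY = {"aws:SecureTransport": "true", "aws:PrincipalIsAWSService": "true",
                  "aws:SourceAccount": "111111111111",
                  "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}
ANALYST_VIA_VPCE = {"aws:SecureTransport": "true", "aws:PrincipalIsAWSService": "false",
                    "aws:SourceVpce": VPCE_ID}
ANALYST_FROM_LAPTOP = {"aws:SecureTransport": "true", "aws:PrincipalIsAWSService": "false"}


def scenarios() -> dict:
    """Which Deny (if any) each constructed request hits."""
    p = evidence_bucket_policy()
    return {
        "trail delivery": explicit_deny(p, "s3:PutObject", OBJ, TRAIL_DELIVERY),
        "trail delivery, foreign account": explicit_deny(
            p, "s3:PutObject", OBJ, {**TRAIL_DELIVERY, "aws:SourceAccount": "999999999999"}),
        "analyst read via endpoint": explicit_deny(p, "s3:GetObject", OBJ, ANALYST_VIA_VPCE),
        "analyst read from laptop": explicit_deny(p, "s3:GetObject", OBJ, ANALYST_FROM_LAPTOP),
        "workload put without CMK": explicit_deny(p, "s3:PutObject", OBJ, ANALYST_VIA_VPCE),
        "plain http": explicit_deny(
            p, "s3:GetObject", OBJ, {**ANALYST_VIA_VPCE, "aws:SecureTransport": "false"}),
    }


if __name__ == "__main__":
    for name, sid in scenarios().items():
        print(f"{name:35s} -> {sid or 'not denied'}")
```

Two things the scenarios make visible. `StringNotEquals` is true when the key is absent, which is why the endpoint Deny catches requests from the internet, and also why it would catch CloudTrail delivery without the `aws:PrincipalIsAWSService` exemption. And the KMS statement only passes when the caller sends the key header explicitly (`aws s3 cp ... --sse aws:kms --sse-kms-key-id <arn>`); bucket default encryption does not populate that condition key, so either keep the statement and make producers name the key, or rely on default encryption and drop it.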
Retention
- S3 lifecycle tiers → Glacier/Deep Archive.
- Use Object Lock retention and legal holds when required.
Discoverability
- Glue Data Catalog tables over S3 prefixes.
- Query with Amazon Athena.
- Optional Lake Formation for fine-grained read perms.
Automate Evidence Collection & Mapping
- AWS Audit Manager: Build assessments mapped to CIS/ISO/NIST/PCI; ingests evidence from CloudTrail, Config, Security Hub; attach manual artifacts; export assessment reports to S3.
- EventBridge rules + Lambda: Nightly/weekly exports (Security Hub, Backup reports, IAM credential report) into dated S3 prefixes, e.g.:
s3://evidence/org=acme/svc=securityhub/yr=2025/mo=10/dy=21/…
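For the sidecar convention in the table above and the dated export prefix shown here, an added example (not from the page) that packages a batch of findings as newline-delimited JSON under the org=/svc=/yr=/mo=/dy= layout, writes a sidecar carrying the artifact's hash, and re-verifies an artifact pulled back from S3. The Security Hub-style findings are constructed; `ORG`, the owner string and the filenames are assumptions, and the actual PutObject of body and sidecar is left out so the block runs offline.

```python
import hashlib
import json
from datetime import datetime, timezone

ORG = "acme"  # placeholder org tag used in the prefix layout above


def evidence_key(svc: str, collected_at: datetime, filename: str) -> str:
    """Hive-style partition path (org=/svc=/yr=/mo=/dy=), always in UTC, so Glue crawlers
    or Athena partition projection pick the partitions up without hand-written DDL."""
    t = collected_at.astimezone(timezone.utc)
    return f"org={ORG}/svc={svc}/yr={t:%Y}/mo={t:%m}/dy={t:%d}/{filename}"


def package_findings(findings: list, svc: str, collected_at: datetime, owner: str) -> dict:
    """Serialize findings as newline-delimited JSON (one record per line, which is what the
    Athena JSON SerDe expects) and build the sidecar with the artifact's hash."""
    t = collected_at.astimezone(timezone.utc)
    body = "".join(json.dumps(f, sort_keys=True) + "\n" for f in findings).encode()
    base = f"findings-{t:%Y%m%dT%H%M%S}Z"
    return {
        "key": evidence_key(svc, t, base + ".jsonl"),
        "body": body,
        "sidecar_key": evidence_key(svc, t, base + ".meta.json"),
        "sidecar": {"sha256": hashlib.sha256(body).hexdigest(), "size": len(body),
                    "records": len(findings), "collected_at": t.isoformat(),
                    "owner": owner, "source": svc},
    }


def verify_artifact(body: bytes, sidecar: dict) -> list:
    """Re-hash an artifact fetched back from S3 and compare with its sidecar; returns problems."""
    problems = []
    if hashlib.sha256(body).hexdigest() != sidecar["sha256"]:
        problems.append("sha256 mismatch")
    if len(body) != sidecar["size"]:
        problems.append("size mismatch")
    if body.count(b"\n") != sidecar["records"]:
        problems.append("record count mismatch")
    return problems


# Constructed findings with a Security Hub-like shape (subset of fields).
SAMPLE_FINDINGS = [
    {"Id": "arn:aws:securityhub:us-east-1:111111111111:finding/example-1",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Title": "S3 general purpose buckets should have server access logging enabled"},
    {"Id": "arn:aws:securityhub:us-east-1:111111111111:finding/example-2",
     "Severity": {"Label": "LOW"}, "Compliance": {"Status": "PASSED"},
     "Title": "CloudTrail should have encryption at-rest enabled"},
]


def demo() -> dict:
    when = datetime(2025, 10, 21, 2, 30, tzinfo=timezone.utc)
    pkg = package_findings(SAMPLE_FINDINGS, "securityhub", when, "audit-team")
    # Someone "fixes" the evidence after the fact; same length, so only the hash catches it.
    tampered = pkg["body"].replace(b"FAILED", b"PASSED")
    return {"key": pkg["key"], "sidecar_key": pkg["sidecar_key"],
            "clean": verify_artifact(pkg["body"], pkg["sidecar"]),
            "tampered": verify_artifact(tampered, pkg["sidecar"])}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the sidecar next to the artifact rather than in a database: it lands in the same Object Lock bucket, so the hash it records is as immutable as the artifact it describes, and the quarterly retrieval drill can replay `verify_artifact` over a sample of prefixes.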
Reference Target Architecture (Quick Steps)
- Create Log Archive/Audit account; centralized S3 evidence bucket with versioning + Object Lock.
- Enable org-level CloudTrail to that bucket; turn on integrity validation.
- Turn on AWS Config (all regions/accounts) with delivery to the bucket.
- Aggregate security signals with Security Hub (org level) and export findings to S3.
- Standardize CloudWatch Logs → S3 exports for app/OS/EKS audit logs.
- Enable AWS Backup + Backup Audit Manager; enforce Vault Lock.
- Stand up Audit Manager assessments mapped to frameworks; schedule evidence exports.
- Add Glue + Athena for queries; apply Lake Formation permissions.
- Apply SCPs that deny cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail, config:StopConfigurationRecorder and config:DeleteDeliveryChannel for everyone except a break-glass role; for the evidence bucket, deny s3:BypassGovernanceRetention and changes to its bucket policy and lifecycle configuration (Compliance-mode locks cannot be bypassed, but an attacker who can edit the policy or lifecycle can still disrupt new deliveries).
- Document owners, retention, retrieval SOP; run quarterly restore/query drills.
Copy-Paste Checklist
- S3 evidence bucket (versioning, Object Lock, KMS, lifecycle)
- Org CloudTrail (+ data events where in scope) & integrity validation
- AWS Config (all regions/accounts) + conformance packs
- Security Hub/GuardDuty/Inspector/Macie enabled & exported
- CloudWatch Logs export jobs defined (EC2/EKS/Lambda)
- AWS Backup + Vault Lock + Audit Manager reports to S3
- Audit Manager assessments for your frameworks
- Glue/Athena schemas over S3 prefixes
- SCPs + bucket policies + VPC endpoints + access reviews
- Quarterly evidence retrieval drill