AWS Audit Artifacts
AWS Security Architect, https://awssecurityarchitect.com/compliance-and-audits/aws-audit-artifacts/ (published Fri, 24 Oct 2025)

AWS Patterns for Storing Audit Artifacts

What counts as “audit artifacts”?

Logs, configuration histories, change approvals, vulnerability & security findings, backup reports, evidence exports (e.g., screenshots/CSVs), and third-party attestation documents.

Proven Storage Pattern (Backbone)

  • Central S3 “evidence” bucket in a dedicated Audit/Log Archive account:
    • Enable Versioning, S3 Object Lock (Compliance mode), SSE-KMS (customer-managed key), and Block Public Access.
    • Route writes via VPC Gateway Endpoints (no internet); enable S3 Server Access Logging so reads and writes against the evidence bucket are themselves recorded.
    • Set Lifecycle rules to transition to Glacier / Glacier Deep Archive for long-term retention.
  • Integrity: Turn on CloudTrail log file integrity validation; consider Glacier Vault Lock and AWS Backup Vault Lock for immutability.
  • Access control: Tight bucket policies, SCPs, least-privilege IAM, and KMS key policies scoped to the audit team.

How to Generate & Ingest the Artifacts

| Artifact type | AWS producer service(s) | Where to store | Audit-helpful notes |
|---|---|---|---|
| API activity logs | AWS CloudTrail (org-level trail + data events as needed) | S3 evidence bucket (+ optional CloudTrail Lake) | Enable integrity validation; retain for your policy (e.g., 7 years). |
| Config snapshots & change history | AWS Config (recorder + conformance packs) | S3 evidence bucket | Conformance pack results map cleanly to frameworks. |
| Network traffic logs | VPC Flow Logs, ALB/NLB logs, CloudFront, WAF | S3 evidence bucket | Partition prefixes for Athena (account/region/service/date). |
| OS/app logs | CloudWatch Logs (EC2/EKS/Lambda) | Export to S3 (subscription/export) | Use OpenSearch for investigations; S3 for durable retention. |
| Security findings | Security Hub, GuardDuty, Inspector, Macie, IAM Access Analyzer | Export to S3 (EventBridge/Lambda) | Store raw findings + rolled-up Security Hub reports. |
| Changes/approvals/runs | SSM Change Manager, SSM Automation, CodePipeline | Export execution records/artifacts to S3 | Change tickets tied to runbook executions. |
| Backups & reports | AWS Backup + Backup Audit Manager | S3 + Backup Vault Lock | Immutable compliance reports + job histories. |
| Kubernetes audit logs | EKS audit log categories → CloudWatch Logs | Export to S3 | Include control-plane & authenticator logs. |
| Database activity | RDS/Aurora logs; CloudTrail data events (S3/DynamoDB) | S3 evidence bucket | Enable enhanced monitoring / Performance Insights as required. |
| Third-party attestations | AWS Artifact (SOC/ISO/PCI) | Upload PDFs to S3 | Alongside each PDF, store a JSON metadata sidecar (hash, date, owner). |
| Manual evidence | AWS Audit Manager (manual uploads) | Stored by Audit Manager (backed by S3) | Automatically ties evidence to controls/assessments. |

Make It Audit-Friendly (Controls & Integrity)

Immutability

  • S3 Object Lock – Compliance mode (per bucket/object).
  • Glacier Vault Lock (if using separate vaults).
  • AWS Backup Vault Lock for backup immutability.

Encryption

  • SSE-KMS with customer-managed keys.
  • Separate keys for logs vs sensitive evidence.
  • Tight KeyPolicy + grants; rotate per policy.

Provenance

  • Org-level CloudTrail + digest files (integrity).
  • Bucket policies restricting PutObject to AWS services with aws:SourceArn / aws:SourceAccount.
  • Deny direct writes from the internet; require VPC endpoints.
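The provenance bullets above describe a bucket policy in words; the following is an added Python example (not code from the post) that renders one and lints it. The bucket name, account ID, trail ARN and VPC endpoint ID are placeholders. The Allow statements pin the CloudTrail and Config service principals to a specific aws:SourceArn / aws:SourceAccount, and the Deny statement forces every IAM principal through the VPC endpoint while exempting service principals (which never traverse an endpoint) via aws:PrincipalIsAWSService. The lint function is the check an audit team can run over any evidence-bucket policy before deployment.

```python
import json

# Hypothetical identifiers: replace with your bucket, account, trail and endpoint
BUCKET = "acme-audit-evidence"
LOG_ARCHIVE_ACCOUNT = "111122223333"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"


def evidence_bucket_policy(bucket: str, account: str, trail_arn: str, vpce_id: str) -> dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # CloudTrail checks the bucket ACL before it delivers log files
                "Sid": "CloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": bucket_arn,
                "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
            },
            {
                # Delivery is pinned to one trail ARN, so a trail in another
                # account cannot use the shared service principal to write here
                "Sid": "CloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/AWSLogs/*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceArn": trail_arn,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    }
                },
            },
            {
                # AWS Config delivery, pinned to the expected source account
                "Sid": "ConfigWrite",
                "Effect": "Allow",
                "Principal": {"Service": "config.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/AWSLogs/*",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": account,
                        "s3:x-amz-acl": "bucket-owner-full-control",
                    }
                },
            },
            {
                # IAM principals must write through the VPC endpoint (no internet
                # path); service principals are exempted because they never
                # traverse an endpoint. Both conditions must hold for the Deny.
                "Sid": "DenyWritesOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"aws:sourceVpce": vpce_id},
                    "Bool": {"aws:PrincipalIsAWSService": "false"},
                },
            },
        ],
    }


def lint_policy(policy: dict) -> list:
    """Confused-deputy check: every Allow granted to a service principal must
    carry aws:SourceArn or aws:SourceAccount, and nothing may Allow '*'."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Allow granted to anonymous principal")
            continue
        if isinstance(principal, dict) and "Service" in principal:
            cond_keys = {key.lower()
                         for operator in st.get("Condition", {}).values()
                         for key in operator}
            if not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append(f"{sid}: service principal without "
                                "aws:SourceArn/aws:SourceAccount condition")
    return findings


if __name__ == "__main__":
    policy = evidence_bucket_policy(BUCKET, LOG_ARCHIVE_ACCOUNT, TRAIL_ARN, VPC_ENDPOINT_ID)
    print(json.dumps(policy, indent=2))
    print("lint findings:", lint_policy(policy))
```

The lint only inspects service-principal Allows and anonymous Allows; it is a pre-deployment sanity check, not a substitute for IAM Access Analyzer's policy validation.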

Retention

  • S3 lifecycle tiers → Glacier/Deep Archive.
  • Use Object Lock retention and legal holds when required.

Discoverability

  • Glue Data Catalog tables over S3 prefixes.
  • Query with Amazon Athena.
  • Optional Lake Formation for fine-grained read perms.

Automate Evidence Collection & Mapping

  • AWS Audit Manager: Build assessments mapped to CIS/ISO/NIST/PCI; ingests evidence from CloudTrail, Config, Security Hub; attach manual artifacts; export assessment reports to S3.
  • EventBridge rules + Lambda: Nightly/weekly exports (Security Hub, Backup reports, IAM credential report) into dated S3 prefixes, e.g.:
    s3://evidence/org=acme/svc=securityhub/yr=2025/mo=10/dy=21/…
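The dated prefix layout above, together with the JSON metadata sidecar (hash, date, owner) the table recommends for third-party attestations, as an added Python example that is not the post's own code. The org and service labels, the owner tag and the artifact body are constructed placeholders; the s3:PutObject calls are deliberately left out so the example runs offline. The verify step is the shape of the quarterly retrieval drill: pull the artifact and its sidecar, recompute the hash, and confirm they still agree.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a tiny Security Hub export body plus placeholder labels
SAMPLE_ARTIFACT = b'{"Findings": [{"Id": "example-1", "Compliance": {"Status": "PASSED"}}]}'
SAMPLE_ORG = "acme"            # placeholder org label
SAMPLE_SVC = "securityhub"     # placeholder service label
SAMPLE_OWNER = "audit-team"    # placeholder owner tag


def evidence_prefix(org: str, svc: str, when: datetime) -> str:
    """Hive-style partition prefix (org=/svc=/yr=/mo=/dy=) so Glue tables can
    partition by date and Athena prunes to just the days under audit."""
    return f"org={org}/svc={svc}/yr={when:%Y}/mo={when:%m}/dy={when:%d}/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sidecar(name: str, data: bytes, owner: str, when: datetime) -> dict:
    """Metadata sidecar stored beside the artifact: hash, size, date, owner."""
    return {
        "artifact": name,
        "sha256": sha256_hex(data),
        "size_bytes": len(data),
        "collected_at": when.isoformat(),
        "owner": owner,
    }


def stage_artifact(org: str, svc: str, name: str, data: bytes, owner: str,
                   when: datetime) -> dict:
    """Return {object_key: body} for the artifact and its sidecar; each entry
    maps 1:1 to an s3:PutObject against the evidence bucket."""
    prefix = evidence_prefix(org, svc, when)
    sidecar = build_sidecar(name, data, owner, when)
    return {
        prefix + name: data,
        prefix + name + ".meta.json": json.dumps(sidecar, indent=2).encode(),
    }


def verify_artifact(objects: dict, key: str) -> bool:
    """Retrieval drill: recompute the hash and compare with the sidecar."""
    meta = json.loads(objects[key + ".meta.json"])
    body = objects[key]
    return len(body) == meta["size_bytes"] and sha256_hex(body) == meta["sha256"]


def run_demo() -> dict:
    """Stage the sample artifact, verify it, then show a tampered copy failing."""
    when = datetime(2025, 10, 21, tzinfo=timezone.utc)
    objects = stage_artifact(SAMPLE_ORG, SAMPLE_SVC, "findings.json",
                             SAMPLE_ARTIFACT, SAMPLE_OWNER, when)
    key = evidence_prefix(SAMPLE_ORG, SAMPLE_SVC, when) + "findings.json"
    tampered = dict(objects)
    tampered[key] = SAMPLE_ARTIFACT.replace(b"PASSED", b"FAILED")  # same length, new hash
    return {
        "key": key,
        "keys": sorted(objects),
        "intact_ok": verify_artifact(objects, key),
        "tampered_ok": verify_artifact(tampered, key),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With Object Lock in Compliance mode on the bucket, the sidecar and the artifact are both immutable for the retention period, so a hash mismatch on retrieval points at a problem in the export pipeline rather than at tampering after the fact.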

Reference Target Architecture (Quick Steps)

  1. Create Log Archive/Audit account; centralized S3 evidence bucket with versioning + Object Lock.
  2. Enable org-level CloudTrail to that bucket; turn on integrity validation.
  3. Turn on AWS Config (all regions/accounts) with delivery to the bucket.
  4. Aggregate security signals with Security Hub (org level) and export findings to S3.
  5. Standardize CloudWatch Logs → S3 exports for app/OS/EKS audit logs.
  6. Enable AWS Backup + Backup Audit Manager; enforce Vault Lock.
  7. Stand up Audit Manager assessments mapped to frameworks; schedule evidence exports.
  8. Add Glue + Athena for queries; apply Lake Formation permissions.
  9. Apply SCPs that prevent disabling CloudTrail/Config; deny S3 deletes that bypass Object Lock.
  10. Document owners, retention, retrieval SOP; run quarterly restore/query drills.
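Step 9 of the list above calls for SCPs that stop anyone disabling CloudTrail or Config and deleting evidence around Object Lock. The following is an added Python example (not the post's own code) that writes such a guardrail SCP and includes a small evaluator for checking which API actions it blocks. The bucket ARN is a placeholder; the evaluator is a simplified model that handles only Deny statements with Action and Resource patterns (no Condition, NotAction or NotResource), which is enough to unit-test a guardrail of this shape before attaching it to the Log Archive OU.

```python
import fnmatch

# Hypothetical SCP for the Log Archive/Audit OU; the bucket name is a placeholder
EVIDENCE_BUCKET_ARN = "arn:aws:s3:::acme-audit-evidence"

AUDIT_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Keep the org trail running and its event selectors unchanged
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            # Keep the Config recorder and delivery channel intact
            "Sid": "ProtectConfig",
            "Effect": "Deny",
            "Action": [
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:PutDeliveryChannel",
            ],
            "Resource": "*",
        },
        {
            # No weakening of versioning/Object Lock and no governance-mode bypass
            "Sid": "ProtectEvidenceBucket",
            "Effect": "Deny",
            "Action": [
                "s3:BypassGovernanceRetention",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketVersioning",
                "s3:DeleteBucket",
            ],
            "Resource": [EVIDENCE_BUCKET_ARN, EVIDENCE_BUCKET_ARN + "/*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action and ARN matching is case-insensitive with * and ? wildcards
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def scp_denies(scp: dict, action: str, resource: str = "*") -> bool:
    """True when an explicit Deny in the SCP matches the action and resource.
    An SCP Deny overrides any IAM Allow in a member account; note that SCPs
    never apply to the organization's management account."""
    for st in scp["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if any(_matches(a, action) for a in _as_list(st["Action"])) and \
           any(_matches(r, resource) for r in _as_list(st["Resource"])):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("cloudtrail:StopLogging", "*"),
        ("cloudtrail:LookupEvents", "*"),
        ("s3:BypassGovernanceRetention", EVIDENCE_BUCKET_ARN + "/AWSLogs/x"),
    ]
    for act, res in checks:
        print(act, "denied" if scp_denies(AUDIT_GUARDRAIL_SCP, act, res) else "not denied")
```

The s3:BypassGovernanceRetention deny matters for Object Lock in Governance mode, where a principal holding that permission can shorten or remove retention; in Compliance mode, which the post recommends, no principal can remove a lock before it expires, and the SCP then serves as defence in depth against the bucket's lock configuration or versioning being changed for new objects.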

Copy-Paste Checklist

  • S3 evidence bucket (versioning, Object Lock, KMS, lifecycle)
  • Org CloudTrail (+ data events where in scope) & integrity validation
  • AWS Config (all regions/accounts) + conformance packs
  • Security Hub/GuardDuty/Inspector/Macie enabled & exported
  • CloudWatch Logs export jobs defined (EC2/EKS/Lambda)
  • AWS Backup + Vault Lock + Audit Manager reports to S3
  • Audit Manager assessments for your frameworks
  • Glue/Athena schemas over S3 prefixes
  • SCPs + bucket policies + VPC endpoints + access reviews
  • Quarterly evidence retrieval drill
