Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.1. Log Sources, Ingestion, and Storage

First Principle: Every security-relevant action in AWS generates a log somewhere. The challenge isn't generating logs — it's identifying which sources matter, ingesting them reliably, and storing them cost-effectively for the required retention period.

Primary AWS Log Sources:

| Log Source | What It Captures | Default Storage |
|---|---|---|
| CloudTrail | API calls (who did what, when) | S3 (90-day free history in console) |
| VPC Flow Logs | Network traffic metadata (IPs, ports, bytes) | CloudWatch Logs or S3 |
| CloudWatch Logs | Application logs, OS logs, service logs | CloudWatch Logs |
| S3 access logs | Bucket-level access records | S3 (separate bucket) |
| ELB access logs | Request-level load balancer logs | S3 |
| WAF logs | Web request details with rule match info | S3, CloudWatch Logs, or Kinesis |
| Route 53 Resolver logs | DNS query logs | CloudWatch Logs or S3 |
Storage Architecture Decisions:
  • Hot storage (CloudWatch Logs): Real-time querying, higher cost per GB, automatically indexed
  • Warm storage (S3 Standard): Queryable with Athena, moderate cost, requires setup
  • Cold storage (S3 Glacier): Compliance archival, lowest cost, retrieval takes minutes to hours
  • Analytics-optimized (Security Lake): OCSF-normalized, Iceberg tables, purpose-built for security

⚠️ Exam Trap: CloudTrail's free 90-day event history is viewable in the console but NOT suitable for compliance. For compliance and forensics, you must create a Trail that delivers logs to S3 with immutability protections (Object Lock, bucket policy preventing deletion).
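The immutability controls the exam trap refers to can be expressed as two documents: the S3 bucket policy the Trail delivers into, and the bucket's Object Lock configuration. The example below is added here and is not MindMesh Academy's or AWS's code; the bucket name, account ID and break-glass role ARN are constructed placeholders. It builds the two standard CloudTrail delivery statements, adds a Deny that stops everyone except the break-glass role from deleting log objects or loosening the bucket, builds a COMPLIANCE-mode Object Lock default, and includes a small audit check that confirms a policy actually blocks object deletion.

```python
import json

# Constructed placeholders; substitute your own bucket, account and break-glass role.
BUCKET = "example-cloudtrail-archive"
ACCOUNT_ID = "123456789012"
BREAK_GLASS_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/SecurityBreakGlass"


def cloudtrail_bucket_policy(bucket: str, account_id: str, break_glass_role: str) -> dict:
    """Bucket policy that lets CloudTrail deliver logs and denies everyone else
    (except the break-glass role) from deleting objects or weakening the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # CloudTrail checks the bucket ACL before it starts delivering
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # Delivery is only allowed into the AWSLogs/<account>/ prefix
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {   # Explicit Deny wins over any Allow: nobody but the break-glass role
                # may delete log objects or change the policy, lifecycle or lock config
                "Sid": "DenyLogTampering",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:PutBucketPolicy",
                    "s3:DeleteBucketPolicy",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketObjectLockConfiguration",
                ],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": break_glass_role}},
            },
        ],
    }


def object_lock_configuration(retention_years: int) -> dict:
    """Default retention in COMPLIANCE mode: no principal, including root,
    can shorten it or delete a locked version before it expires."""
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": retention_years}},
    }


DELETE_ACTIONS = {"s3:DeleteObject", "s3:DeleteObjectVersion"}


def policy_blocks_deletion(policy: dict) -> bool:
    """Audit check: does some Deny statement for a wildcard principal cover
    both object-delete actions? Returns False for a plain delivery-only policy."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if DELETE_ACTIONS <= actions:
            return True
    return False


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(BUCKET, ACCOUNT_ID, BREAK_GLASS_ROLE)
    print(json.dumps(policy, indent=2))
    print(json.dumps(object_lock_configuration(7), indent=2))
    print("deletion blocked by policy:", policy_blocks_deletion(policy))
```

The two JSON documents are what you would hand to `aws s3api put-bucket-policy` and `aws s3api put-object-lock-configuration` (the bucket must have versioning enabled for Object Lock). Note that the bucket policy alone is discretionary: a principal that can assume the break-glass role can still delete. Object Lock in COMPLIANCE mode is what makes the logs genuinely immutable for the retention window, which is why the exam trap calls for both.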

Scenario: A healthcare company needs to retain CloudTrail logs for 7 years (HIPAA requirement) while also enabling real-time analysis for incident response. You design a dual-destination Trail: S3 with Glacier lifecycle for long-term retention, and CloudWatch Logs for real-time querying.
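The dual-destination design in the scenario comes down to one Trail definition that points at both S3 and CloudWatch Logs, a lifecycle rule that moves S3 objects from the warm tier to Glacier and only expires them after the 7-year window, and a short retention on the hot tier. The example below is added here and is not MindMesh Academy's or AWS's code; the account ID, region, bucket, log group name and role name are constructed placeholders, and the 30-day hot-tier and 90-day Glacier transition values are assumptions, not figures from the text. It also includes a check that a lifecycle configuration does not expire logs before the required retention or transition them after they would already be expired.

```python
import json

# Constructed placeholders; replace with your own names and ARNs.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BUCKET = "example-cloudtrail-archive"
LOG_GROUP = "cloudtrail-realtime"
RETENTION_YEARS = 7        # HIPAA scenario from the text
HOT_TIER_DAYS = 30         # assumption: how long CloudWatch Logs keeps events for live queries
WARM_TO_COLD_DAYS = 90     # assumption: S3 Standard -> Glacier after this many days


def trail_definition(name: str) -> dict:
    """Parameters for `aws cloudtrail create-trail`: S3 for long-term retention
    and CloudWatch Logs for real-time analysis, delivered by a single trail."""
    return {
        "Name": name,
        "S3BucketName": BUCKET,
        "IsMultiRegionTrail": True,
        "EnableLogFileValidation": True,   # digest files let you prove logs were not altered
        "CloudWatchLogsLogGroupArn": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}:*",
        "CloudWatchLogsRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/CloudTrailToCloudWatchLogs",
    }


def cloudtrail_to_logs_role_policy() -> dict:
    """The only permissions the trail's role needs on the hot-tier log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:{LOG_GROUP}:*",
        }],
    }


def hot_tier_retention(days: int) -> dict:
    """Parameters for `aws logs put-retention-policy`; the hot tier is for querying,
    not for compliance retention, so keep it short."""
    return {"logGroupName": LOG_GROUP, "retentionInDays": days}


def retention_days(years: int) -> int:
    """Lifecycle rules count days; 366 per year is a deliberate over-estimate so
    leap years can never make the S3 copy expire early."""
    return years * 366


def lifecycle_configuration(years: int, to_glacier_after: int) -> dict:
    """Warm (S3 Standard) -> cold (Glacier) -> expire once the retention period has passed."""
    return {
        "Rules": [{
            "ID": "cloudtrail-tiering",
            "Status": "Enabled",
            "Filter": {"Prefix": "AWSLogs/"},
            "Transitions": [{"Days": to_glacier_after, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": retention_days(years)},
        }],
    }


def lifecycle_respects_retention(lifecycle: dict, required_years: int) -> bool:
    """Check every rule: it must expire no earlier than required_years (365-day years,
    the minimum any auditor would accept) and every transition must happen before
    expiration. Object Lock would refuse an early delete anyway, but a rule that
    tries to is still a misconfiguration worth catching before deployment."""
    minimum = required_years * 365
    for rule in lifecycle.get("Rules", []):
        expire = rule.get("Expiration", {}).get("Days")
        if expire is None or expire < minimum:
            return False
        for transition in rule.get("Transitions", []):
            if transition["Days"] >= expire:
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(trail_definition("org-trail"), indent=2))
    print(json.dumps(cloudtrail_to_logs_role_policy(), indent=2))
    print(json.dumps(hot_tier_retention(HOT_TIER_DAYS), indent=2))
    lifecycle = lifecycle_configuration(RETENTION_YEARS, WARM_TO_COLD_DAYS)
    print(json.dumps(lifecycle, indent=2))
    print("lifecycle satisfies 7-year retention:",
          lifecycle_respects_retention(lifecycle, RETENTION_YEARS))
```

The split of responsibilities is the point: CloudWatch Logs holds a short window for live queries and metric filters, S3 Standard holds the queryable warm copy, and the Glacier transition carries the bulk of the 7 years at the lowest cost. Pair the lifecycle rule with the Object Lock and bucket-policy protections from the exam trap above, since a lifecycle rule by itself is a deletion mechanism and must never be allowed to run ahead of the compliance window.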

Reflection Question: Why does a well-designed logging architecture use multiple storage tiers rather than a single destination?

Written by Alvin Varughese (Founder, 15 professional certifications)