So far we've covered what to log (CloudTrail, Config, Flow Logs, Resolver). Today we cover how to store logs trustworthily. Audit log value depends on three properties: integrity (not tampered), availability and retention (exists when needed), confidentiality (authorized access only). Both attackers and malicious insiders target logs — to erase breach traces. The security peak: "making logs impossible even for their creator to erase."
Log storage design starts from clear threat model: 1