AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture/log-archive.md

Summary

Updated log archive guidance with CloudWatch Unified Data Experience as primary option, added centralized log collection section, enhanced security controls for S3/Security Lake, and restructured content with implementation examples.

Security assessment

Changes focus on architectural improvements and security best practices (e.g., S3 public access blocking, IAM/SCP restrictions, encryption, detective controls) but lack evidence of addressing specific vulnerabilities. Adds documentation for security features like S3 Object Lock, KMS encryption, and access monitoring.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture/log-archive.md b/prescriptive-guidance/latest/security-reference-architecture/log-archive.md
index 3c2c6b0cb..19fd12891 100644
--- a//prescriptive-guidance/latest/security-reference-architecture/log-archive.md
+++ b//prescriptive-guidance/latest/security-reference-architecture/log-archive.md
@@ -7 +7 @@
-Types of logsAmazon S3 as central log storeAmazon Security Lake
+Types of logsAmazon S3 as central log storeAmazon Security LakeCentralized log collectionAmazon CloudWatch Unified Data Experience
@@ -11,3 +10,0 @@ Types of logsAmazon S3 as central log storeAmazon Security Lake
-Influence the future of the AWS Security Reference Architecture (AWS SRA) by taking a [short survey](https://amazonmr.au1.qualtrics.com/jfe/form/SV_e3XI1t37KMHU2ua).  
----  
-  
@@ -16 +13 @@ The following diagram illustrates the AWS security services that are configured
-![Security services in the Log Archive account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/log-archive-acct.png)
+![Security services in the Log Archive account.](/images/prescriptive-guidance/latest/security-reference-architecture/images/guide-img/91d313fc-d5f1-45a8-a5a6-2f4fc7abc93a/images/664aad4f-2aa6-458a-b8a4-57992a45c041.png)
@@ -20 +17,5 @@ The Log Archive account is dedicated to ingesting and archiving all security-rel
-###### Design consideration
+**Design consideration:**
+
+  * Operational log data used by your infrastructure, operations, and workload teams often overlaps with the log data used by security, audit, and compliance teams. We recommend that you consolidate your operational log data into the Log Archive account. Based on your specific security and governance requirements, you might need to filter operational log data saved to this account. You might also need to specify who has access to the operational log data in the Log Archive account.
+
+
@@ -22 +22,0 @@ The Log Archive account is dedicated to ingesting and archiving all security-rel
-Operational log data used by your infrastructure, operations, and workload teams often overlaps with the log data used by security, audit, and compliance teams. We recommend that you consolidate your operational log data into the Log Archive account. Based on your specific security and governance requirements, you might need to filter operational log data saved to this account. You might also need to specify who has access to the operational log data in the Log Archive account.
@@ -44 +44,5 @@ For a deeper discussion of security best practices for S3 buckets, see the [Amaz
-###### Implementation example
+**Implementation example:**
+
+  * The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Amazon S3 block account public access](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/s3/s3_block_account_public_access). This module blocks Amazon S3 public access for all existing and future accounts in the AWS organization.
+
+
@@ -46 +49,0 @@ For a deeper discussion of security best practices for S3 buckets, see the [Amaz
-The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference-architecture-examples) provides a sample implementation of [Amazon S3 block account public access](https://github.com/aws-samples/aws-security-reference-architecture-examples/blob/main/aws_sra_examples/solutions/s3/s3_block_account_public_access). This module blocks Amazon S3 public access for all existing and future accounts in the AWS organization.
@@ -50 +53,3 @@ The [AWS SRA code library](https://github.com/aws-samples/aws-security-reference
-AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Amazon Security Lake. When you do this, Security Lake collects supported logs in dedicated S3 buckets in the same account as other SRA-recommended security logs.
+Organizations with existing [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html) deployments or specific requirements for subscriber-based data access patterns, Security Lake remains a supported option. 
+
+The AWS SRA recommends that you use the Log Archive account as the delegated administrator account for Security Lake. When you do this, Security Lake collects supported logs in dedicated S3 buckets in the same account as other SRA-recommended security logs.
@@ -52 +57 @@ AWS SRA recommends that you use the Log Archive account as the delegated adminis
-To protect the availability of the logs and the log management process, the S3 buckets for Security Lake should be accessed only by the Security Lake service or by IAM roles that are managed by Security Lake for sources or subscribers. In addition to using preventive controls―such as assigning least-privilege roles for access, and encrypting logs with a controlled AWS KMS key―use detective controls such as AWS Config to monitor (and alert and remediate) this collection of permissions for unexpected changes.
+To protect the availability of the logs and the log management process, the S3 buckets for Security Lake should be accessed only by the Security Lake service or by IAM roles that are managed by Security Lake for sources or subscribers. In addition to using preventive controls―such as assigning least-privilege roles for access, and encrypting logs with a controlled AWS Key Management Service (AWS KMS) key―use detective controls such as AWS Config to monitor, alert, and remediate this collection of permissions for unexpected changes. 
@@ -54 +59 @@ To protect the availability of the logs and the log management process, the S3 b
-The Security Lake administrator can enable log collection across your AWS organization. These logs are stored in regional S3 buckets in the Log Archive account. Additionally, to centralize logs and facilitate easier storage and analysis, the Security Lake administrator can choose one or more rollup Regions where logs from all the regional S3 buckets are consolidated and stored. Logs from supported AWS services are automatically converted into a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF) and saved in Apache Parquet format in Security Lake S3 buckets. With OCSF support, Security Lake efficiently normalizes and consolidates security data from AWS and other enterprise security sources to create a unified and reliable repository of security-related information.
+The Security Lake administrator can enable log collection across your AWS organization. These logs are stored in regional S3 buckets in the Log Archive account. Additionally, to centralize logs and facilitate easier storage and analysis, the Security Lake administrator can choose one or more rollup Regions where logs from all the regional S3 buckets are consolidated and stored. Logs from supported AWS services are automatically converted into OCSF and saved in Apache Parquet format in Security Lake S3 buckets. With OCSF support, Security Lake efficiently normalizes and consolidates security data from AWS and other enterprise security sources to create a unified and reliable repository of security-related information. 
@@ -60 +65,17 @@ AWS Security Hub CSPM is a supported native data source in Security Lake, and yo
-To gain visibility and actionable insights from logs and events, you can query the data by using tools such as [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/what-is.html), [Amazon OpenSearch Service](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/what-is.html), [Amazon Quick](https://docs.aws.amazon.com/quicksuite/latest/userguide/what-is.html), and third-party solutions. Users who require access to the Security Lake log data shouldn't access the Log Archive account directly. They should access data only from the Security Tooling account. Or they can use other AWS accounts or on-premises locations that provide analytics tools such as OpenSearch Service, Quick, or third-party tools such as security information and event management (SIEM) tools. To provide access to the data, the administrator should configure [Security Lake subscribers](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) in the Log Archive account and configure the account that needs access to the data as a [query access subscriber](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-query-access.html). For more information, see [Amazon Security Lake](./security-tooling.html#tool-security-lake) in the _Security OU ‒ Security Tooling account_ section of this guide.
+To gain visibility and actionable insights from logs and events, you can query the data by using tools such as Amazon Athena, Amazon OpenSearch Service, Amazon Quick, and third-party solutions. Users who require access to the Security Lake log data shouldn't access the Log Archive account directly. They should access data only from the Security Tooling account. Or they can use other AWS accounts or on-premises locations that provide analytics tools such as OpenSearch Service, Quick, or third-party tools such as security information and event management (SIEM) tools. To provide access to the data, the administrator should configure Security Lake subscribers in the Log Archive account and configure the account that needs access to the data as a query access subscriber. For more information, see [Amazon Security Lake](./security-tooling.html#tool-security-lake) in the _Security OU ‒ Security Tooling_ account section of this guide. 
+
+Security Lake provides an AWS managed policy to help you manage administrator access to the service. As a best practice, we recommend that you restrict the configuration of Security Lake through development pipelines and prevent configuration changes through the AWS Management Console or the AWS Command Line Interface (AWS CLI). Additionally, you should set up strict IAM policies and service control policies (SCPs) to provide only necessary permissions to manage Security Lake. You can configure notifications to detect any direct access to these Amazon S3 buckets. 
+
+## Centralized log collection
+
+The AWS SRA recommends two options for centralized log collection and analytics across your AWS organization. Amazon CloudWatch Unified Data Experience is the recommended primary option, deployed in a dedicated Monitoring account within the Security OU. Amazon Security Lake remains available as a secondary option for organizations with existing investments or specific subscriber-based access requirements.
+
+## Amazon CloudWatch Unified Data Experience
+
+The AWS SRA recommends that you deploy Amazon CloudWatch in a dedicated Monitoring account within the Security OU. This account serves as the centralized home for all observability, security, and compliance telemetry across your organization. Designate this account as the CloudWatch delegated administrator for the organization.
+
+[CloudWatch Unified Data Experience](https://aws.amazon.com/cloudwatch/features/unified-data-and-telemetry/) provides unified data management and analytics capabilities that consolidate operational, security, and compliance data across your AWS environment and third-party sources into a single service. This eliminates the need for multiple separate data stores and complex ETL pipelines. To protect the availability of the logs and the log management process, configure strict IAM policies and service control policies (SCPs) on the Monitoring account to provide only necessary permissions to manage CloudWatch. Use detective controls such as AWS Config to monitor, alert, and remediate this collection of permissions for unexpected changes.
+
+The CloudWatch administrator can enable organization-wide log collection using [CloudWatch Pipelines](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-pipelines.html) and centralization rules. Pipelines automatically collect AWS vended logs (CloudTrail management events, CloudTrail data events for Amazon S3 and AWS Lambda, Amazon VPC Flow Logs, AWS WAF logs, Amazon Route 53 resolver logs, EKS audit logs) across all member accounts and regions. Logs from supported AWS services are automatically converted into a standardized open-source schema called Open Cybersecurity Schema Framework (OCSF) using the built-in OCSF processor. With OCSF support, CloudWatch efficiently normalizes and consolidates security data from AWS and other enterprise security sources to create a unified and reliable repository of security-related information. CloudWatch Pipelines also support third-party connectors to ingest external security telemetry into the same unified data store.
+
+AWS Security Hub CSPM findings can be ingested into CloudWatch through Pipelines, providing an overview of your compliance posture and whether you're following security recommendations for AWS and AWS Partner solutions.
@@ -62 +83 @@ To gain visibility and actionable insights from logs and events, you can query t
-Security Lake provides an AWS managed policy to help you manage administrator access to the service. For more information, see the [Security Lake User Guide](https://docs.aws.amazon.com/security-lake/latest/userguide/security-iam-awsmanpol.html). As a best practice, we recommend that you restrict the configuration of Security Lake through development pipelines and prevent configuration changes through the AWS consoles or the AWS Command Line Interface (AWS CLI). Additionally, you should set up strict IAM policies and service control policies (SCPs) to provide only necessary permissions to manage Security Lake. You can [configure notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ways-to-add-notification-config-to-bucket.html) to detect any direct access to these S3 buckets.
+To gain visibility and actionable insights from logs and events, you can query the data by using CloudWatch Logs Insights (with Facets-based exploration, natural language queries, and LogsQL/PPL/SQL support), Amazon Athena, Amazon OpenSearch Service, Amazon Redshift, Amazon SageMaker AI, Amazon Quick, and third-party solutions. Users who require access to the log data shouldn't access the Monitoring account directly. They should access data from the Security Tooling account using CloudWatch cross-account observability, or from other AWS accounts and on-premises locations that provide analytics tools such as OpenSearch Service, Quick, or third-party tools such as security information and event management (SIEM) tools.
@@ -64 +85 @@ Security Lake provides an AWS managed policy to help you manage administrator ac
-###### Design consideration
+For long-term immutable storage, CloudWatch routes log data to S3 buckets in the Log Archive account via Amazon S3 Tables integration (Apache Iceberg format). Amazon S3 Object Lock and Glacier policies ensure immutability for regulatory compliance. The Log Archive account serves as a storage sink only and does not run CloudWatch analytics workloads.
@@ -66 +87 @@ Security Lake provides an AWS managed policy to help you manage administrator ac
-When you enable CloudTrail management events in Security Lake, they result in Security Lake charges. The collection of CloudTrail management events in Security Lake requires an CloudTrail multi-Region organization trail that collects read and write CloudTrail management events. This first trail is available at no cost to you. CloudTrail management events typically make up a small percentage (around 5%) of total CloudTrail events. This applies to customers who use AWS Control Tower or have centralized CloudTrail logs in a Log Archive account.
+As a best practice, we recommend that you restrict the configuration of CloudWatch through development pipelines and prevent configuration changes through the AWS Management Console or the AWS Command Line Interface (AWS CLI). You can configure notifications to detect any unauthorized access to log groups or Amazon S3 buckets.