PCI Compliance on AWS: PCI Requirement 10.7
How Long Should You Keep Logs in AWS?
PCI Requirement 10.7 focuses on audit trail retention. It requires that you retain audit trail history for at least one year, with three months of history immediately available for analysis. To gain compliance with PCI Requirement 10.7, AWS recommends using a dedicated Amazon S3 bucket to retain audit trails, plus configuring lifecycle policies to migrate older data older to Amazon S3 Glacier to save on cost. Another recommended option is to export Amazon CloudWatch logs to Amazon S3 to protect log data with encryption and prevent or detect changes.
To learn more about retaining and protecting audit trails, visit the AWS documentation on exporting log data to Amazon S3.
PCI Requirement 10.7 is about maintaining and retaining log files. We have to maintain them for one year and must have 90 days available for forensic analysis to go back and research. But, if you have noticed things that have been going on in the world lately, a year is really needed. When you put this in the AWS platform, you are looking at the utilization of S3 buckets, CloudWatch, and Kibana for the early analysis. After the initial 90 days, you can save yourself some money and move them off to Glacier and retain them for the extra 12 months. When the logs are in CloudWatch they can be exported to S3. You can add encryption to your S3 buckets or add log file integrity validation. That combines a 256-SHA and RSA signature with the encryption from S3 themselves to give a tight wrapper around your log files. If your IAM policies are configured correctly, then you will be in compliance with PCI Requirement 10.7