Audit asks for logs of who did what in the cloud
CloudTrail (AWS), Activity Log (Azure), and Audit Logs (GCP) are the standard. Note: data events cost extra and must be enabled explicitly. By default only management events are captured.
Try this first
1. AWS: CloudTrail multi-region and multi-account, delivered to a separate log-archive account with S3 Object Lock for immutable storage.
2. Enable CloudTrail data events on your critical S3 buckets and Lambda functions. The default trail covers management API calls, not S3 GetObject or Lambda Invoke.
3. Azure: Activity Log to a Log Analytics workspace, retention 90+ days. For data action audit: Diagnostic Settings per resource.
4. GCP: Audit Logs (Admin Activity free, Data Access paid). Enable Data Access for the services in audit scope.
5. Set retention explicitly: 7 years for financial audits, 1 year for general use. The default is often 90 days, too short for compliance.
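An offline check of an AWS trail against steps 1 and 2 above, added here as an example and not part of the original page. It assumes the input records have the shape boto3 returns (describe_trails, get_event_selectors, get_object_lock_configuration); the account IDs and bucket names are constructed placeholders.

```python
"""Offline check of a CloudTrail setup against the checklist above.
Records mirror boto3: cloudtrail.describe_trails()['trailList'][i],
get_event_selectors()['EventSelectors'], s3.get_object_lock_configuration()
['ObjectLockConfiguration']. The bucket's owning account is passed in by the
caller. All sample values are constructed; account IDs are placeholders."""

def covered(selectors, rtype, arn):
    """CloudTrail matches DataResources values as ARN prefixes."""
    return any(res["Type"] == rtype and any(arn.startswith(v) for v in res["Values"])
               for sel in selectors for res in sel.get("DataResources", []))

def audit_trail(trail, selectors, lock, bucket_account, archive_account, critical):
    """Return findings; an empty list means the trail meets the checklist.
    critical maps a data-resource type to the ARNs that need data events."""
    f = []
    if not trail.get("IsMultiRegionTrail"):
        f.append("single-region trail: API calls in other regions are not logged")
    if not trail.get("IsOrganizationTrail"):
        f.append("not an organization trail: member accounts are not covered")
    if not trail.get("LogFileValidationEnabled"):
        f.append("log file validation off: edited log files go unnoticed")
    if bucket_account != archive_account:
        f.append("log bucket is outside the log-archive account")
    if lock.get("ObjectLockEnabled") != "Enabled":
        f.append("log bucket has no Object Lock: delivered logs can be deleted")
    for rtype, arns in critical.items():
        f += [f"no data events for {a} ({rtype})" for a in arns if not covered(selectors, rtype, a)]
    return f

ARCHIVE, PROD = "111111111111", "222222222222"   # placeholder account IDs
CRITICAL = {"AWS::S3::Object": ["arn:aws:s3:::finance-exports/"],
            "AWS::Lambda::Function": [f"arn:aws:lambda:eu-west-1:{PROD}:function:payroll"]}
# Constructed sample: a default-style trail logging management events only.
WEAK_TRAIL = {"Name": "default", "IsMultiRegionTrail": False, "IsOrganizationTrail": False,
              "LogFileValidationEnabled": False, "S3BucketName": "logs-in-prod"}
WEAK_SEL = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]

def weak_findings():
    # An empty lock dict stands in for the error boto3 raises when Object Lock was never enabled.
    return audit_trail(WEAK_TRAIL, WEAK_SEL, {}, PROD, ARCHIVE, CRITICAL)

def fixed_findings():
    trail = dict(WEAK_TRAIL, IsMultiRegionTrail=True, IsOrganizationTrail=True,
                 LogFileValidationEnabled=True, S3BucketName="org-log-archive")
    sel = [dict(WEAK_SEL[0], DataResources=[
        {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-exports/"]},
        {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]}])]
    return audit_trail(trail, sel, {"ObjectLockEnabled": "Enabled"}, ARCHIVE, ARCHIVE, CRITICAL)
```

Feed it the live records from boto3 to see which of the five points a real trail misses; the weak sample reports all of them, the fixed one none.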
When to bring us in
For SOC 2, ISO 27001, or an active enquiry, logs are only the start. A log architecture with immutability, alerting and query discipline goes further, and that is where help is commonly needed.
See also
- Everyone logs in with the AWS root account: Root is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccess: AdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own password: Identity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.