Posted On: Aug 19, 2022

AWS Control Tower now provides the ability to customize the retention policy for Amazon Simple Storage Service (Amazon S3) buckets that store your AWS Control Tower CloudTrail logs. AWS Control Tower uses AWS CloudTrail to record logs of actions made by users, roles or AWS services. These logs are stored in Amazon S3 buckets, which are created in the core logging account. The Amazon S3 CloudTrail buckets have a retention policy that specifies the number of days after which the logs will get deleted. The default settings of 1-year for standard account logging and 10-years for access logging are applied if a user chooses not to customized their log retention policy.

By using AWS Control Tower customized log retention users can now customize their AWS S3 log retention policy in increments of days or years, up to a maximum of 15 years. Customized log retention provides users with the flexibility to meet different requirements for log retention based on a combination of industry compliance or internal company policy. This feature is available for existing customers through AWS Control Tower upgrade or repair feature and for new customers through the AWS Control Tower setup process.

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Customers can create new accounts using AWS Control Tower’s account factory and enable governance features such as guardrails, centralized logging, and monitoring in supported AWS Regions. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.