CASE 32 · BRAMBLE · 2023
Audit logs the regulator can’t accidentally edit.
A regional bank had CloudTrail enabled, logs landing in S3, and a regulator who had started asking how the team could prove the logs hadn’t been tampered with. The honest answer was "trust." We rebuilt the audit log archive with S3 Object Lock in compliance mode and a clean chain of custody.
Regional bank
LANDING ZONE
2023
RESULTS
What changed, by the numbers.
TAMPER-PROOF RETENTION: 7y
WRITE-ONCE PROOF: CRYPTO
AUDIT TIME: −86%
COST OVERHEAD: +4%
HOW IT WENT
The regulator wasn’t accusing anyone of anything; they were asking a reasonable question about controls. The bank’s answer relied on procedural promises — "nobody on our team would do that." Regulators stopped accepting procedural promises around 2020.
We rebuilt the archive in a dedicated security account with no human IAM principals. CloudTrail wrote to S3 with Object Lock in compliance mode (immutable for the seven-year retention window), encrypted with a KMS key whose grants were time-limited and CloudTrail-logged. Glacier Vault Lock provided the long-tail archive.
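An added example, not code from the engagement or from the bank: the two checks an auditor would script against an archive built this way. It assumes the dict shapes that boto3 returns from get_object_lock_configuration() and head_object(); the sample inputs are constructed. The point it makes that the paragraph does not: only COMPLIANCE mode is write-once, because GOVERNANCE mode can be lifted by any principal holding s3:BypassGovernanceRetention, and a lock on the bucket default is not proof unless each object's retain-until date also covers the window.

```python
# Added example: offline checks for an S3 Object Lock compliance-mode archive.
# Assumes the dict shapes boto3 returns from get_object_lock_configuration()
# and head_object(); all sample values below are constructed, not the bank's.
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 7  # the seven-year window from the case study


def check_bucket_lock(cfg: dict, years: int = RETENTION_YEARS) -> list:
    """Findings for a bucket's Object Lock configuration; [] means compliant.

    `cfg` is the 'ObjectLockConfiguration' value from
    s3.get_object_lock_configuration(Bucket=...).
    """
    findings = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed by any principal holding
        # s3:BypassGovernanceRetention, so it is not write-once for a regulator.
        findings.append(f"default retention mode is {mode!r}, expected COMPLIANCE")
    # Days and Years are mutually exclusive in the API; normalise to days.
    if "Years" in rule:
        days = rule["Years"] * 365
    elif "Days" in rule:
        days = rule["Days"]
    else:
        days = 0
        findings.append("no default retention period set")
    if days and days < years * 365:
        findings.append(f"default retention is {days} days, shorter than {years} years")
    return findings


def check_object_lock(head: dict, years: int = RETENTION_YEARS) -> list:
    """Findings for one archived object; `head` is a head_object() response."""
    findings = []
    if head.get("ObjectLockMode") != "COMPLIANCE":
        findings.append(f"object mode is {head.get('ObjectLockMode')!r}, expected COMPLIANCE")
    retain_until = head.get("ObjectLockRetainUntilDate")
    written = head.get("LastModified")
    if retain_until is None:
        findings.append("object has no retain-until date")
    elif written is not None and retain_until < written + timedelta(days=years * 365):
        findings.append("retain-until date is inside the retention window")
    return findings


# Constructed sample inputs (not real bucket or object data).
GOOD_BUCKET = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}
WEAK_BUCKET = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}

_written = datetime(2023, 6, 1, tzinfo=timezone.utc)
GOOD_OBJECT = {"ObjectLockMode": "COMPLIANCE", "LastModified": _written,
               "ObjectLockRetainUntilDate": _written + timedelta(days=7 * 365 + 2)}
SHORT_OBJECT = {"ObjectLockMode": "COMPLIANCE", "LastModified": _written,
                "ObjectLockRetainUntilDate": _written + timedelta(days=30)}

if __name__ == "__main__":
    for name, findings in [("good bucket", check_bucket_lock(GOOD_BUCKET)),
                           ("weak bucket", check_bucket_lock(WEAK_BUCKET)),
                           ("good object", check_object_lock(GOOD_OBJECT)),
                           ("short object", check_object_lock(SHORT_OBJECT))]:
        print(f"{name}: {findings or 'OK'}")
```

Run the bucket check once per archive bucket and the object check over a sample of the CloudTrail objects (the six-hour export mentioned below is a natural place for it). Compliance mode cuts both ways: once an object is locked, no principal, the account root included, can delete it or shorten its retention until the retain-until date passes, so settle the retention period on a scratch bucket before applying it to the real archive.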
The next regulator review accepted the controls without follow-up. Audit evidence generation dropped from a two-week scramble to a six-hour scripted export. The same architecture is now used for the bank’s sister-org transaction logs.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.