AWS Security Academy · Lesson

Centralized Log Archive Accounts

Isolate logs in a separate account out of an attacker's reach.

Isolating the Evidence

The strongest log protection puts logs in a separate AWS account dedicated to archival, isolated from the accounts that run workloads. If an attacker compromises a production account, they still cannot reach or delete the logs stored in an account they do not control. This isolation is a cornerstone of mature security architecture.

The Log Archive Account

In a multi-account organization, a dedicated Log Archive account receives logs from every other account. AWS Control Tower creates exactly this account by default in its landing zone, reflecting how strongly AWS recommends the pattern. Centralizing logs here gives one protected home for all audit evidence.
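The isolation described above holds only if the Log Archive bucket policy admits nothing from the workload accounts except CloudTrail's own log delivery. The audit below is an added example, not part of this lesson or of any AWS tooling: it checks a constructed bucket policy (placeholder bucket, account, organization and trail names) for the properties that keep production-account principals out, following the conditions AWS documents for organization-trail bucket policies.

```python
"""Audit a Log Archive bucket policy for the isolation properties the lesson
describes: only the CloudTrail service may touch the bucket, every write is
pinned to one trail (aws:SourceArn) and must hand the object to the bucket
owner, and no Allow statement grants delete or wildcard actions."""
import json

# Constructed sample policy for the Log Archive account's trail bucket.
# Bucket name, account id, organization id and trail name are placeholders.
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
ARCHIVE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AclCheck", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl",
     "Resource": "arn:aws:s3:::org-log-archive",
     "Condition": {"StringEquals": {"aws:SourceArn":
       "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}}},
    {"Sid": "OrgWrite", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::org-log-archive/AWSLogs/o-exampleorgid/*",
     "Condition": {"StringEquals": {
       "s3:x-amz-acl": "bucket-owner-full-control",
       "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_archive_policy(policy, trail_arn):
    """Return a list of findings; an empty list means no statement opens the
    archive bucket to principals outside the Log Archive account."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = st.get("Sid", "<no sid>")
        actions = _as_list(st.get("Action", []))
        cond = st.get("Condition", {}).get("StringEquals", {})
        if st.get("Principal") != {"Service": "cloudtrail.amazonaws.com"}:
            findings.append(f"{sid}: grants access to a principal other than CloudTrail")
        if any(a == "s3:*" or a.startswith("s3:Delete") for a in actions):
            findings.append(f"{sid}: allows delete or wildcard actions on the archive")
        if "s3:PutObject" in actions:
            if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
                findings.append(f"{sid}: writes not forced to bucket-owner-full-control")
            if cond.get("aws:SourceArn") != trail_arn:
                findings.append(f"{sid}: write not pinned to the organization trail")
    return findings
```

A finding such as a production account root being granted `s3:*` is exactly the cross-account hole that would let a compromised workload account reach the archived logs.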
