AWS Security Academy · Lesson

Collecting Logs into CloudWatch

Understand how log groups and streams gather data from services.

What CloudWatch Logs Is

Amazon CloudWatch Logs is the managed service that collects, stores, and searches log data from your AWS resources and applications. Instead of logs sitting on individual servers where they can be lost when an instance terminates, they stream to a central, durable place. For a security engineer, this centralization is the whole point: you cannot detect or investigate what you cannot see.

Log Groups

A log group is a container that holds related log data and defines shared settings. Typically one log group represents one application or service, such as /aws/lambda/my-function. Two settings matter most for security: the retention period, which controls how long logs are kept before automatic deletion, and the optional KMS key used to encrypt the data at rest.
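The two settings above can be checked across an account with a short audit script. This is an added example, not part of the lesson: the 90-day minimum is an assumed policy threshold, the sample log groups and key ARN are constructed, and the field names follow the DescribeLogGroups response, where retentionInDays and kmsKeyId are absent when unset.

```python
MIN_RETENTION_DAYS = 90  # assumed policy threshold, not from the lesson

# Constructed sample in the shape returned by logs:DescribeLogGroups.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/my-function", "retentionInDays": 7},
    {"logGroupName": "/app/payments", "retentionInDays": 365,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"logGroupName": "/app/legacy"},  # no retention, no KMS key
]


def audit_log_group(group, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings for one log group description."""
    findings = []
    days = group.get("retentionInDays")
    if days is None:
        # An absent retentionInDays means the group keeps events indefinitely.
        findings.append("retention not set (never expires)")
    elif days < min_days:
        findings.append(f"retention {days}d is below {min_days}d")
    if not group.get("kmsKeyId"):
        findings.append("no KMS key associated")
    return findings


def audit(groups, min_days=MIN_RETENTION_DAYS):
    """Map log group name -> findings, omitting groups with none."""
    results = {}
    for group in groups:
        findings = audit_log_group(group, min_days)
        if findings:
            results[group["logGroupName"]] = findings
    return results


def fetch_log_groups(region_name=None):
    """Read live log groups; needs boto3 and logs:DescribeLogGroups."""
    import boto3  # imported here so the audit logic runs offline
    client = boto3.client("logs", region_name=region_name)
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOG_GROUPS).items():
        print(name, "->", "; ".join(findings))
```

To run it against a real account, pass `fetch_log_groups()` to `audit()` in place of the sample list.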
