Centralized Logging and Observability
Explore how to implement centralized logging and observability across enterprise AWS multi-account environments. Learn architectural patterns that aggregate logs securely using CloudTrail organization trails, VPC Flow Logs, and S3 with immutable audit storage. Understand event routing with EventBridge and unified monitoring with CloudWatch cross-account observability to improve security and operational visibility.
When an enterprise operates 50 or more AWS accounts under a single AWS Organizations structure, each account generates its own stream of API activity logs, network flow records, and application telemetry. Without a deliberate, organization-wide strategy to aggregate, protect, and analyze these signals, security investigations become fragmented across account boundaries, compliance auditors cannot verify a unified chain of custody, and operational incidents can propagate undetected.
This lesson walks through the architecture patterns, service configurations, and trade-off decisions that underpin enterprise-grade logging, immutable audit storage, cross-account event distribution, and unified observability.
Why centralized logging matters
Managing logs at the individual account level is analogous to running a hospital where each department keeps its own patient records in a different filing system. When an incident occurs, investigators must visit every department, request access, and manually correlate records. In AWS terms, per-account logging creates gaps in visibility, delays forensic response, and weakens least-privilege auditability, because the workload teams whose actions are being recorded also control their own audit trails and can alter or delete them.
Centralized logging is built on five AWS services and capabilities that work together as an integrated architecture.
AWS CloudTrail organization trails capture every API call across all member accounts and deliver a single, unified log stream to a designated S3 bucket without requiring per-account trail configuration.
Amazon VPC Flow Logs record network-level traffic metadata in each account and can be forwarded to a central destination through CloudWatch Logs subscription filters or Kinesis Data Firehose delivery streams.
Amazon S3 serves as the durable, low-cost system of record for all aggregated logs, with lifecycle policies that transition older objects to S3 Glacier for long-term retention.
S3 Object Lock enforces write-once-read-many (WORM) semantics on the log archive, and Service Control Policies (SCPs) add defense in depth by denying log deletion at the organizational governance layer.
Amazon EventBridge routes real-time operational events across accounts for alerting and automated remediation, while Amazon ...
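The governance-layer control described above (an SCP that denies log deletion and trail tampering regardless of what IAM permissions a member-account principal holds) is easy to get subtly wrong: a deny that is too narrow leaves a gap, one that is too wide locks out the log-archive operators. The following added example, which is not part of the lesson or any AWS-provided code, builds such an SCP as a Python dict and includes a small local evaluator that mirrors only the explicit-deny step of IAM evaluation, so the policy can be checked against sample API calls before it is attached with Organizations. The bucket ARN, the exempt role ARN, and the account IDs are constructed placeholders.

```python
"""Build an organization-level SCP that protects the central CloudTrail
trail and log archive bucket, and check locally which calls it would deny.

Added example, not the course's own code. ARNs below are placeholders.
"""
import fnmatch
import json

# Constructed placeholders for this example (not real resources).
LOG_BUCKET_ARN = "arn:aws:s3:::example-org-cloudtrail-logs"
LOG_ADMIN_ROLE_ARN = "arn:aws:iam::111111111111:role/LogArchiveAdmin"


def build_log_protection_scp(log_bucket_arn, log_admin_role_arn):
    """Return an SCP document with two explicit Deny statements.

    SCPs never grant access; an explicit Deny here overrides any identity
    policy a member-account principal holds, including the account root.
    Only the designated log-admin role may reconfigure the trail; nobody,
    not even that role, may delete archive objects or weaken the bucket's
    retention, which is left to the lifecycle configuration alone.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCloudTrailTampering",
                "Effect": "Deny",
                "Action": [
                    "cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail",
                    "cloudtrail:PutEventSelectors",
                ],
                "Resource": "*",
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalArn": log_admin_role_arn}
                },
            },
            {
                "Sid": "DenyLogArchiveDeletion",
                "Effect": "Deny",
                "Action": [
                    "s3:DeleteBucket",
                    "s3:DeleteObject",
                    "s3:DeleteObjectVersion",
                    "s3:PutBucketPolicy",
                    "s3:PutLifecycleConfiguration",
                    "s3:PutBucketObjectLockConfiguration",
                ],
                "Resource": [log_bucket_arn, log_bucket_arn + "/*"],
            },
        ],
    }


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate only ArnLike / ArnNotLike, the operators this SCP uses.

    Any other operator is treated as not satisfied, so an unknown
    condition never silently widens the set of denied calls.
    """
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            matched = _matches(pattern, context.get(key, ""))
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
            if operator not in ("ArnLike", "ArnNotLike"):
                return False
    return True


def scp_denies(policy, action, resource, principal_arn):
    """True if any Deny statement applies to (action, resource, principal).

    Mirrors the explicit-deny step of IAM evaluation at the SCP layer only;
    Allow statements and identity policies are deliberately out of scope.
    """
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return True
    return False


if __name__ == "__main__":
    scp = build_log_protection_scp(LOG_BUCKET_ARN, LOG_ADMIN_ROLE_ARN)
    print(json.dumps(scp, indent=2))
    dev = "arn:aws:iam::222222222222:role/Developer"
    trail = "arn:aws:cloudtrail:us-east-1:222222222222:trail/org-trail"
    print("developer StopLogging denied:", scp_denies(scp, "cloudtrail:StopLogging", trail, dev))
    print("log admin StopLogging denied:", scp_denies(scp, "cloudtrail:StopLogging", trail, LOG_ADMIN_ROLE_ARN))
```

Note that the evaluator checks the SCP in isolation: a call the SCP does not deny still needs an Allow in the caller's identity policy, and the management account itself is never subject to SCPs, which is one reason the log archive should live in a dedicated member account rather than the management account.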