PCI-DSS 4.0 Req 10.5 requires audit logs to be retained for at least 12 months, with at least 3 months immediately available; Req 10.2 requires specific event types to be logged. Logs retained for only 7 or 30 days mean that a breach discovered 60 days after the intrusion has no forensic record — you cannot determine how much data was taken, when, or by whom. SOC 2 CC7.2 and ISO 27001:2022 A.8.15 both require log availability for incident investigation. NIST AU-11 sets the retention baseline. Short-retention configurations that are left at default (often 7 days for CloudWatch) are a routine PCI audit failure.
Medium because insufficient log retention destroys forensic evidence after an incident, preventing breach scope determination and triggering PCI-DSS Req 10.5 compliance findings during assessment.
Set retention_in_days = 365 on every CloudWatch log group that receives CDE-related events. The default (never expire) is acceptable but explicit 365-day retention signals compliance intent to an auditor. For cost management, archive logs older than 90 days to S3 — they still count as immediately available per Req 10.5 if retrieval takes under 24 hours.
resource "aws_cloudwatch_log_group" "cde_audit" {
name = "/cde/audit"
retention_in_days = 365
tags = { compliance = "pci-dss" }
}
Enable pgaudit on PostgreSQL to capture DDL, DML, and ROLE events at the database layer. Reference the retention configuration in docs/pci-compliance.md under the Audit & Logging section so the audit trail to Req 10.5 is explicit.
ID: ecommerce-pci.monitoring-compliance.audit-logs-retained
Severity: medium
What to look for: Count all log retention configurations in infrastructure code. For each CloudWatch log group, check retention_in_days value. For each logging service, check the configured retention period. Enumerate all logging configurations and verify retention is at least 90 days. Look for retention_in_days, retentionDays, or equivalent settings.
Pass criteria: At least 1 audit log configuration exists with retention of at least 90 days (365 days recommended for PCI). Logs capture CDE access and transactions. Retention is explicitly configured (not left at default). Report the count: "X log groups configured, minimum retention: Y days." Report even on pass: state the exact retention days found.
Fail criteria: No audit logging configured (0 log groups or logging services), or retention is explicitly set below 90 days, or retention is left at default (which may be shorter than 90 days).
Skip (N/A) when: Payment processing fully delegated to third-party (no CDE, no transaction logging needed locally).
Detail on fail: Specify the logging gap. Example: "1 CloudWatch log group found with retention_in_days: 7 — below 90-day minimum." or "0 audit log configurations found in infrastructure code. No logging service configured."
Cross-reference: See ecommerce-pci.monitoring-compliance.log-centralization (log integrity), ecommerce-pci.monitoring-compliance.data-retention-policy (retention policy documentation).
Remediation: Enable audit logging with 90+ day retention. For PostgreSQL:
-- Enable pgAudit extension
CREATE EXTENSION IF NOT EXISTS pgaudit;
-- Configure audit logging
ALTER SYSTEM SET pgaudit.log = 'ALL';
ALTER SYSTEM SET pgaudit.log_parameter = ON;
ALTER SYSTEM SET log_connections = ON;
ALTER SYSTEM SET log_disconnections = ON;
-- Set retention in postgresql.conf
-- log_min_duration_statement = 0 # Log all statements
-- logging_collector = ON
-- log_directory = '/var/log/postgresql'
-- log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
SELECT pg_reload_conf();
For Supabase (managed), logs are retained automatically. Set retention in AWS CloudWatch:
resource "aws_cloudwatch_log_group" "audit" {
name = "/aws/lambda/audit-logs"
retention_in_days = 365 # Recommended for PCI
tags = { Name = "cde-audit-logs" }
}