
A major compliance factor for data protection and privacy is tamper-proof logging. As the reach of AI grows, zero-trust privacy engineering is going to be a critical strategy.

Regulatory frameworks like PCI DSS, HIPAA, SOX, FedRAMP, and ISO 27001 all underscore the necessity of immutable logs, especially for administrative actions. These logs ensure integrity, support forensic analysis, and provide regulators with assurance that data access is appropriately monitored and documented.

In AWS, we implemented a robust logging solution using CloudTrail combined with Amazon S3 Object Lock in Compliance Mode. However, achieving comparable compliance outcomes in Azure requires a different technical approach. This article outlines our recent AWS compliance deployment and then describes the Azure-native approach to tamper-proof logging that we now use more frequently.


AWS: Compliance via S3 Object Lock and CloudTrail

The Compliance Mandate

CloudTrail captures every management and data plane API event, delivering rich visibility into actions taken by IAM users, roles, and services. This is critical for frameworks such as:

  • PCI DSS Requirement 10 – mandates that audit trails be secured against modification.
  • HIPAA Security Rule – requires audit controls to monitor ePHI access.
  • SOX – necessitates verifiable system access records for financial data.
  • FedRAMP – requires immutable logs of privileged access.
  • ISO 27001 A.12.4.1 & A.16.1.7 – emphasize log protection and evidence preservation.

Our Solution

  1. CloudTrail: Configured to log all regions and deliver logs to a central S3 bucket.
  2. S3 Object Lock (Compliance Mode): Applied to the bucket to enforce Write Once, Read Many (WORM) protection, making logs immutable even to root users.

This solution directly meets the immutability and retention requirements of all listed frameworks, providing cryptographic assurance and operational compliance.
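The AWS design described above, as an added example that is not code from the original article: it builds the locked bucket and the multi-region trail from PowerShell by calling the AWS CLI, and finishes with the two checks an auditor can re-run. The bucket name, trail name and region are placeholders; the bucket policy is the standard CloudTrail delivery policy (ACL check plus PutObject under the account prefix).

```powershell
# Added example (not code from the original article): CloudTrail + S3 Object Lock via the AWS CLI.
$Bucket  = "org-cloudtrail-worm-logs"   # placeholder bucket name
$Trail   = "org-all-regions"            # placeholder trail name
$Region  = "us-east-1"                  # other regions also need --create-bucket-configuration LocationConstraint=<region>
$Account = aws sts get-caller-identity --query Account --output text

# 1. Object Lock can only be switched on when the bucket is created (this also enables versioning).
aws s3api create-bucket --bucket $Bucket --region $Region --object-lock-enabled-for-bucket

# 2. Default COMPLIANCE retention: no principal, root included, can shorten or remove it before the
#    period ends. Set Years to the longest retention any of the listed frameworks requires.
@'
{
  "ObjectLockEnabled": "Enabled",
  "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Years": 1 } }
}
'@ | Set-Content -Path lock.json
aws s3api put-object-lock-configuration --bucket $Bucket --object-lock-configuration file://lock.json

# 3. Bucket policy: only the CloudTrail service may write log objects, and only under this account's prefix.
@"
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::$Bucket" },
    { "Sid": "AWSCloudTrailWrite", "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject", "Resource": "arn:aws:s3:::$Bucket/AWSLogs/$Account/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } }
  ]
}
"@ | Set-Content -Path policy.json
aws s3api put-bucket-policy --bucket $Bucket --policy file://policy.json

# 4. One trail for all regions, with log file validation so every delivered file is covered by a
#    signed SHA-256 digest chain.
aws cloudtrail create-trail --name $Trail --s3-bucket-name $Bucket `
  --is-multi-region-trail --include-global-service-events --enable-log-file-validation
aws cloudtrail start-logging --name $Trail

# 5. Evidence an auditor can re-run: the lock configuration is in place and the digest chain is intact.
aws s3api get-object-lock-configuration --bucket $Bucket
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
aws cloudtrail validate-logs --trail-arn "arn:aws:cloudtrail:${Region}:${Account}:trail/$Trail" --start-time $since
```

Object Lock makes the delivered files undeletable; log file validation is what supplies the cryptographic part of the assurance, since `validate-logs` walks the hourly digest files and reports any log file that was modified, deleted or is missing from the chain.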


Azure: Achieving Log Immutability Using Microsoft Solutions

While AWS offers a direct WORM feature with S3 Object Lock, Azure requires orchestration of several components for tamper-evident and retention-controlled logging. Below is the architecture we implemented.

1. Azure Activity Logs and Diagnostic Settings

  • Azure Activity Logs provide visibility into subscription-level events.
  • Azure Resource Logs (via Diagnostic Settings) capture control/management plane activity on specific resources.

We configure diagnostic settings to route logs to a Log Analytics workspace, Event Hub, or Storage Account.
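The routing step above, as an added example that is not code from the original article: it sends the subscription Activity Log to the immutable storage account and then checks that every required category is actually enabled. It calls the Azure CLI's `az monitor diagnostic-settings subscription` command group from PowerShell; that command usage, the resource names and the `eastus` location are assumptions. Note that the Activity Log records control-plane writes; resource logs, configured the same way on each resource, cover the data-plane operations inside it.

```powershell
# Added example (not code from the original article): export the Activity Log to WORM storage.
$StorageAccountId = az storage account show --resource-group ComplianceRG --name logstorageacct `
                      --query id --output tsv

# Categories that carry administrative-action evidence
$categories = "Administrative", "Security", "Policy", "Alert", "ServiceHealth"
$categories | ForEach-Object { @{ category = $_; enabled = $true } } |
  ConvertTo-Json -Compress | Set-Content -Path logs.json

# Subscription-level diagnostic setting; a location is required for this setting type
az monitor diagnostic-settings subscription create --name activity-to-worm --location eastus `
  --storage-account $StorageAccountId --logs '@logs.json'

# Verify: compare what is enabled against what we require and warn on any gap
$setting = az monitor diagnostic-settings subscription show --name activity-to-worm | ConvertFrom-Json
$enabled = $setting.logs | Where-Object enabled | Select-Object -ExpandProperty category
$missing = $categories | Where-Object { $_ -notin $enabled }
if ($missing) { Write-Warning "Activity Log categories not exported: $($missing -join ', ')" }
else { "All $($categories.Count) required Activity Log categories are exported to $StorageAccountId" }
```

The verification matters more than the create call: a diagnostic setting that someone later edits to drop the Administrative category still exists and still looks configured, so the check compares the live setting against the required list rather than just testing for its presence.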

2. Azure Storage with Immutable Blob Storage

To meet WORM and tamper-proof requirements, we configure Immutable Blob Storage with a time-based retention policy using the Set-AzRmStorageContainerImmutabilityPolicy PowerShell cmdlet, and then lock that policy.

# Example: apply a time-based retention policy to a storage container, then lock it
$policy = Set-AzRmStorageContainerImmutabilityPolicy `
  -ResourceGroupName "ComplianceRG" `
  -StorageAccountName "logstorageacct" `
  -ContainerName "activitylogs" `
  -ImmutabilityPeriod 365 `
  -AllowProtectedAppendWrite $true   # log writers may still append to blobs, never overwrite or delete them

# Locking is irreversible: a locked policy cannot be deleted and its period cannot be shortened
Lock-AzRmStorageContainerImmutabilityPolicy `
  -ResourceGroupName "ComplianceRG" `
  -StorageAccountName "logstorageacct" `
  -ContainerName "activitylogs" `
  -Etag $policy.Etag -Force

This places the container in a locked, compliance-grade state, preventing deletion or alteration of log files for the defined retention period.
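An audit script for the control above, added here as an example that is not code from the original article: it walks every container in the log storage account, reports whether each one has a locked policy of at least the required period, and then proves the WORM behaviour by attempting a delete that the service must refuse. Resource and blob names are placeholders; cmdlets are from Az.Storage, and the policy property names (`ImmutabilityPeriodSinceCreationInDays`, `State`) follow the policy object those cmdlets return.

```powershell
# Added example (not code from the original article): verify locked retention on log containers.
function Test-LogContainerImmutability {
  param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [int] $RequiredDays = 365
  )
  $containers = Get-AzRmStorageContainer -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
  foreach ($c in $containers) {
    try {
      $p = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $ResourceGroupName `
             -StorageAccountName $StorageAccountName -ContainerName $c.Name -ErrorAction Stop
    } catch { $p = $null }
    $days   = [int]($p.ImmutabilityPeriodSinceCreationInDays)   # 0 when no policy exists
    $locked = ($p.State -eq 'Locked')
    if (-not $p -or $days -eq 0)     { $finding = 'No immutability policy' }
    elseif (-not $locked)            { $finding = 'Policy not locked: retention can still be removed' }
    elseif ($days -lt $RequiredDays) { $finding = "Retention $days d is below required $RequiredDays d" }
    else                             { $finding = 'OK' }
    [pscustomobject]@{
      Container = $c.Name
      Days      = $days
      State     = $p.State
      Compliant = ($finding -eq 'OK')
      Finding   = $finding
    }
  }
}

# Negative test: a delete against a blob in a locked container must be refused by the service.
function Test-BlobDeleteBlocked {
  param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [Parameter(Mandatory)] [string] $ContainerName,
    [Parameter(Mandatory)] [string] $BlobName
  )
  $ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Context
  try {
    Remove-AzStorageBlob -Container $ContainerName -Blob $BlobName -Context $ctx -Force -ErrorAction Stop
    Write-Warning "Delete of $BlobName succeeded: container $ContainerName is NOT immutable"
    return $false
  } catch {
    Write-Host "Delete refused as expected: $($_.Exception.Message)"
    return $true
  }
}

# Placeholder names; PT1H.json is the hourly file name Azure uses when exporting logs to storage
Test-LogContainerImmutability -ResourceGroupName "ComplianceRG" -StorageAccountName "logstorageacct" |
  Format-Table -AutoSize
Test-BlobDeleteBlocked -ResourceGroupName "ComplianceRG" -StorageAccountName "logstorageacct" `
  -ContainerName "activitylogs" -BlobName "PT1H.json"
```

An unlocked policy is the finding to watch for: it already blocks deletes, so a casual check looks fine, but an account administrator can still remove the policy and then delete the logs. Only the locked state gives the guarantee the frameworks ask for.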

3. Azure Defender for Cloud (formerly Azure Security Center)

To enhance audit coverage:

  • We enable Microsoft Defender plans that include automatic logging of privileged identity changes, network rule modifications, and policy violations.
  • We use Microsoft Purview for audit trails on data access that must be retained in tamper-evident form.

4. Microsoft Sentinel for Log Aggregation & Forensics

All logs (Activity Logs, Defender alerts, and third-party feeds) are ingested into Microsoft Sentinel with long-term retention policies. The workspace is then backed by immutable storage to ensure log integrity.

# Enforce log retention on the Sentinel (Log Analytics) workspace
Set-AzOperationalInsightsWorkspace `
  -ResourceGroupName "SOC-RG" `
  -Name "SentinelWorkspace" `
  -RetentionInDays 730
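The "backed by immutable storage" step above, as an added example that is not code from the original article: it sets up a continuous export of the workspace tables that matter for administrative-action forensics into the locked storage account, then checks both the retention target and the export state. Resource names and the table list are placeholders; the data export cmdlets (`New-AzOperationalInsightsDataExport`, `Get-AzOperationalInsightsDataExport`) and the `Enable` property on their result are assumed from Az.OperationalInsights.

```powershell
# Added example (not code from the original article): export Sentinel tables to WORM storage and verify.
$rg = "SOC-RG"                 # placeholder
$ws = "SentinelWorkspace"      # placeholder
$storageId = (Get-AzStorageAccount -ResourceGroupName "ComplianceRG" -Name "logstorageacct").Id

# Continuous export: each table lands in its own container in the immutable storage account
New-AzOperationalInsightsDataExport -ResourceGroupName $rg -WorkspaceName $ws `
  -DataExportName "worm-export" -ResourceId $storageId `
  -TableName "AzureActivity", "SecurityAlert", "SecurityIncident", "SigninLogs", "AuditLogs"

# Verify: retention meets the 730-day target and the export is enabled
$w = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws
$e = Get-AzOperationalInsightsDataExport -ResourceGroupName $rg -WorkspaceName $ws -DataExportName "worm-export"
$report = [pscustomobject]@{
  Workspace     = $ws
  RetentionDays = $w.RetentionInDays
  RetentionOk   = ($w.RetentionInDays -ge 730)
  ExportEnabled = [bool]$e.Enable
  ExportTables  = ($e.TableName -join ', ')
}
$report
if (-not $report.RetentionOk -or -not $report.ExportEnabled) {
  Write-Warning "Sentinel workspace $ws does not meet the tamper-proof logging baseline"
}
```

The export is what turns workspace retention into evidence: a workspace owner can lower `RetentionInDays` or purge tables, but the copies already written to the locked containers stay put for their retention period. The containers the export creates need the same locked immutability policy as the Activity Log container.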

5. Policy Locking and Audit

To enforce integrity:

  • Apply Azure Blueprints and Azure Policy to deny deletion of diagnostic settings or log storage containers.
  • Configure Privileged Identity Management (PIM) for Just-In-Time access and audit every role elevation via Entra ID.
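The deletion-protection step above, as an added example that is not code from the original article: Azure Policy's deny effect is evaluated on create and update requests, so the control that actually blocks a delete of the log storage account or the Sentinel workspace is a CanNotDelete management lock. The script applies the locks, verifies them, and then searches the Activity Log for lock removals, since a lock can still be removed by an Owner and that removal is the event PIM-governed role elevation should be correlated with. Resource names are placeholders; cmdlets are from Az.Resources and Az.Monitor.

```powershell
# Added example (not code from the original article): lock the log stores and watch for lock removal.
$targets = @(
  @{ RG = "ComplianceRG"; Name = "logstorageacct";    Type = "Microsoft.Storage/storageAccounts" },
  @{ RG = "SOC-RG";       Name = "SentinelWorkspace"; Type = "Microsoft.OperationalInsights/workspaces" }
)

foreach ($t in $targets) {
  New-AzResourceLock -LockName "no-delete-auditlogs" -LockLevel CanNotDelete `
    -LockNotes "Audit log store: removal requires a change ticket and an elevated Owner role" `
    -ResourceGroupName $t.RG -ResourceName $t.Name -ResourceType $t.Type -Force | Out-Null
}

# Verify: every target carries a CanNotDelete lock
foreach ($t in $targets) {
  $lock = Get-AzResourceLock -ResourceGroupName $t.RG -ResourceName $t.Name -ResourceType $t.Type
  [pscustomobject]@{
    Resource = $t.Name
    Locked   = [bool]$lock
    Level    = $lock.Properties.level
  }
}

# Detection: lock deletions are control-plane writes and therefore land in the Activity Log.
# Any hit here should match an approved PIM activation; anything else is a finding.
$lockRemovals = Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) |
  Where-Object { $_.Authorization.Action -eq 'Microsoft.Authorization/locks/delete' } |
  Select-Object EventTimestamp, Caller, ResourceId, Status
if ($lockRemovals) {
  Write-Warning "Resource lock removals in the last 7 days:"
  $lockRemovals | Format-Table -AutoSize
} else {
  "No resource lock removals in the last 7 days"
}
```

Because the Activity Log itself is exported to the locked container, the record of a lock removal survives even if the person who removed the lock goes on to delete the workspace.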

Final Thoughts: Proactive Compliance and Security Convergence

As regulatory scrutiny increases and adversaries become more enterprising (as noted in CrowdStrike’s 2025 Global Threat Report), immutable logs serve a dual role—compliance assurance and breach containment. Whether it’s PCI DSS or GDPR, regulators expect organizations to maintain forensic-ready audit trails that can’t be altered post-incident.

By leveraging native WORM features in AWS and orchestrating storage immutability and policy control in Azure, we provide demonstrable, defensible tamper-proof logging. This ensures we can prove “who did what and when”—and just as importantly—ensure that this proof itself can’t be tampered with.


Need help building your tamper-proof compliance architecture across AWS or Azure? PWNSentinel offers implementation blueprints and hands-on advisory services for security, compliance, and cloud resilience. Reach out today to learn how we can help secure your logs and your reputation.