
How to Enforce Privileged Access Controls for Audit Logging in AWS/Azure with NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.9

Practical guidance to enforce privileged access controls for protecting audit logs in AWS and Azure to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requirements (AU.L2-3.3.9).

April 17, 2026
5 min read


NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AU.L2-3.3.9 requires organizations to protect audit information and audit logging tools from unauthorized access, modification, and deletion, a requirement that maps directly to strong privileged access controls in cloud environments like AWS and Azure. For small businesses working under this framework, this means implementing technical controls, administrative processes, and demonstrable evidence that audit logs are stored securely, are tamper-resistant, and are accessible only to properly authorized personnel.

What this control requires (practical interpretation)

At a practical level, the control requires three things: (1) restrict who can configure, view, export, or delete audit logs; (2) make logs tamper-evident or tamper-resistant; and (3) have processes and monitoring in place to detect and respond to unauthorized access or changes. As assessment evidence, you will need configuration screenshots, audit trail retention settings, key rotation and access policies, PIM or JIT records, and incident/alerting playbooks showing how attempts to tamper with logs are detected.

AWS implementation details (step-by-step)

In AWS, start by creating an Organization-level CloudTrail that delivers logs to a dedicated, hardened S3 bucket in a centralized "log-archive" account. Enable CloudTrail log file validation so that integrity checks are possible, and enable multi-region logging. Protect the S3 bucket with: (a) a bucket policy that denies s3:DeleteObject and s3:PutBucketAcl unless requests originate from the log-archive role or a KMS key principal; (b) S3 Object Lock with a retention mode (governance or compliance mode plus a retention period) to prevent deletion during the retention window; and (c) server-side encryption with a customer-managed KMS key (SSE-KMS) whose key policy only allows the CloudTrail service and a small Security Admin role to decrypt or re-encrypt. Use IAM policies and SCPs to prevent any non-authorized principal from altering CloudTrail or S3 configuration. Example practical items: enable CloudTrail log file integrity validation, create an org trail, put an S3 bucket policy in place that restricts deletes and requires TLS, and place the KMS CMK in a separate security account with a strict key policy and no broad IAM wildcard permissions.

AWS enforcement controls you should implement

Implement least-privilege IAM policies, require MFA for all role elevation (especially for log administration), and use AWS IAM Access Analyzer and IAM Access Advisor to audit who has permissions. Use AWS Config rules to detect changes to CloudTrail, the S3 bucket policy, the KMS key policy, or Object Lock settings, and send Config remediation and EventBridge notifications to a small security-team inbox plus Slack/SMS. For small businesses, use CloudFormation/Terraform to deploy a reproducible log-archive stack so changes are tracked in code and peer-reviewed. Consider enabling MFA Delete on buckets where you can (note: enabling MFA Delete requires the root account and has operational overhead) or rely on S3 Object Lock in compliance mode where necessary.
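The two sections above describe a target configuration (org trail, multi-region, log file validation, SSE-KMS, deletes denied to everyone but the log-archive role, TLS required) and then ask for automated drift checks. The script below is an added example, not code from this page or from AWS, that encodes those checks as a small audit you can run from a Config custom rule or a scheduled job. SAMPLE_TRAIL is constructed to mirror one entry of boto3's `cloudtrail.describe_trails()["trailList"]`, SAMPLE_BUCKET_POLICY mirrors the document returned by `s3.get_bucket_policy()["Policy"]`, and the account id, role ARN and key ARN are placeholders.

```python
"""Audit one CloudTrail trail and its S3 bucket policy against the hardening
points above: org trail, multi-region, log file validation, SSE-KMS, deletes
denied to everyone but the log-archive role, and TLS required.

Added example (not code from the page or from AWS); inputs are constructed.
"""
import json

# Hypothetical role that alone may delete objects or change the bucket ACL/policy.
LOG_ARCHIVE_ROLE = "arn:aws:iam::111111111111:role/LogArchiveAdmin"
BUCKET_ARN = "arn:aws:s3:::example-log-archive"

SAMPLE_TRAIL = {  # constructed, shaped like describe_trails()["trailList"][0]
    "Name": "org-trail",
    "S3BucketName": "example-log-archive",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000",
}

SAMPLE_BUCKET_POLICY = json.dumps({  # constructed, shaped like get_bucket_policy()["Policy"]
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/AWSLogs/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        # (a) deletes and ACL/policy changes denied unless the caller is the log-archive role
        {"Sid": "DenyDeleteExceptLogArchiveRole", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:PutBucketAcl", "s3:PutBucketPolicy"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": LOG_ARCHIVE_ROLE}}},
        # every request must use TLS
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trail(trail):
    """Return a list of findings for the trail configuration (empty = compliant)."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("trail is not an organization trail")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation is disabled")
    if not trail.get("KmsKeyId"):
        findings.append("trail logs are not encrypted with a customer-managed KMS key")
    return findings


def check_bucket_policy(policy_json, allowed_role):
    """Return findings for the bucket policy. Only explicit Deny statements with
    literal action names are inspected; wildcard actions such as s3:Delete* are
    not expanded (a simplification of IAM's real matching rules)."""
    delete_denied = tls_required = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        cond = stmt.get("Condition", {})
        excepted = _as_list(cond.get("StringNotEquals", {}).get("aws:PrincipalArn", []))
        if "s3:deleteobject" in actions and excepted == [allowed_role]:
            delete_denied = True
        if "s3:*" in actions and cond.get("Bool", {}).get("aws:SecureTransport") == "false":
            tls_required = True
    findings = []
    if not delete_denied:
        findings.append("bucket policy does not deny s3:DeleteObject outside the log-archive role")
    if not tls_required:
        findings.append("bucket policy does not deny requests without TLS")
    return findings


def audit(trail, policy_json, allowed_role):
    """Combined findings for the trail and its bucket policy."""
    return check_trail(trail) + check_bucket_policy(policy_json, allowed_role)


if __name__ == "__main__":
    for line in audit(SAMPLE_TRAIL, SAMPLE_BUCKET_POLICY, LOG_ARCHIVE_ROLE) or ["no findings"]:
        print(line)
```

The findings list is what you would forward to EventBridge or drop into the evidence archive; an empty list for every trail on every run is the day-to-day proof that the configuration has not drifted. Object Lock status is not visible in `describe_trails` and would be checked separately via `get_object_lock_configuration`.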

Azure implementation details (step-by-step)

In Azure, centralize audit data by routing Azure Activity Logs and resource Diagnostic Settings to a dedicated Log Analytics workspace and a storage account within a locked "log-archive" subscription or resource group. Configure the storage account with immutable blob storage (time-based retention or legal hold) to make deletion or modification infeasible during the retention period. Protect access with Azure RBAC — create narrowly scoped roles (Log Reader, Storage Blob Data Reader for specific principals) and use Privileged Identity Management (PIM) to require approvals and time-limited elevation for any role that can modify diagnostic settings or storage policies. Use Customer-Managed Keys (CMK) in Azure Key Vault to encrypt storage and restrict Key Vault access policies to a small set of security principals and service principals.

Azure enforcement controls you should implement

Deploy Azure Policy to require diagnostic settings for key resources and to block disabling of logs, and implement Azure Monitor and Microsoft Defender for Cloud to alert on configuration changes to diagnostic settings or storage immutability policies. Use activity log alerts (or create scheduled queries in Log Analytics) to detect access patterns that indicate potential tampering, such as high-volume List/Delete operations from unexpected service principals. For small companies, use Azure Blueprints or ARM templates for repeatable deployment of logging and protection settings and document PIM approval workflows to show auditors how privileged changes are controlled.
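The Azure sections above call for alerting on changes to diagnostic settings or storage immutability policies and for spotting high-volume List/Delete activity from unexpected service principals. The script below is an added example, not code from this page or from Microsoft, implementing both detections over Activity Log records as they appear in the Log Analytics AzureActivity table (the same logic can be expressed as a scheduled KQL query). The records are constructed; column names follow the AzureActivity schema (TimeGenerated, Caller, OperationNameValue, ActivityStatusValue, ResourceId) but every identity, subscription and resource id is made up, and ALLOWED_LOG_ADMINS is a hypothetical allow-list for the PIM-elevated log administrators.

```python
"""Detection logic for tampering attempts against Azure audit-log plumbing,
run over Activity Log records exported to a Log Analytics workspace.

Added example (not the page's or Microsoft's code); all records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that change how audit data is collected or retained. A WRITE or
# DELETE under these prefixes by anyone outside the allow-list is a finding,
# whether Azure accepted the call or not: failed attempts deserve an alert too.
PROTECTED_PREFIXES = (
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/IMMUTABILITYPOLICIES/",
)
ALLOWED_LOG_ADMINS = {"secadmin@example.com"}   # hypothetical allow-list
BULK_THRESHOLD = 5                              # delete/list calls by one caller ...
BULK_WINDOW = timedelta(minutes=10)             # ... within this sliding window

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-archive"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stlogarchive"


def _rec(ts, caller, op, status, resource):
    return {"TimeGenerated": ts, "Caller": caller, "OperationNameValue": op,
            "ActivityStatusValue": status, "ResourceId": resource}


SAMPLE_RECORDS = [  # constructed
    _rec("2026-04-17T09:00:00+00:00", "secadmin@example.com",
         "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE", "Succeeded", STORAGE),
    _rec("2026-04-17T09:05:00+00:00", "dev@example.com",
         "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/IMMUTABILITYPOLICIES/DELETE",
         "Failed", STORAGE + "/blobServices/default/containers/insights-logs"),
    _rec("2026-04-17T09:06:00+00:00", "app-sp-0000",
         "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE", "Succeeded", STORAGE),
] + [
    # a service principal deleting six containers in six minutes
    _rec(f"2026-04-17T09:{10 + i:02d}:00+00:00", "app-sp-0000",
         "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/DELETE", "Succeeded",
         STORAGE + f"/blobServices/default/containers/c{i}")
    for i in range(6)
]


def find_protected_changes(records, allowed_callers):
    """Return (caller, operation, status) for WRITE/DELETE calls on protected
    operations by identities outside the allow-list."""
    hits = []
    for r in records:
        op = r["OperationNameValue"].upper()
        if not op.startswith(PROTECTED_PREFIXES):
            continue
        if not (op.endswith("/WRITE") or op.endswith("/DELETE")):
            continue
        if r["Caller"] in allowed_callers:
            continue
        hits.append((r["Caller"], op, r["ActivityStatusValue"]))
    return hits


def find_bulk_operations(records, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return sorted [(caller, peak_count)] for callers whose DELETE/LIST calls
    reach `threshold` inside any `window`-long span (sliding window per caller)."""
    per_caller = defaultdict(list)
    for r in records:
        op = r["OperationNameValue"].upper()
        if op.endswith("/DELETE") or "/LIST" in op:
            per_caller[r["Caller"]].append(datetime.fromisoformat(r["TimeGenerated"]))
    flagged = []
    for caller, times in per_caller.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((caller, peak))
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_protected_changes(SAMPLE_RECORDS, ALLOWED_LOG_ADMINS):
        print("unauthorized log-config change:", hit)
    for caller, count in find_bulk_operations(SAMPLE_RECORDS):
        print(f"bulk delete/list activity: {caller} ({count} calls in {BULK_WINDOW})")
```

Two design points worth keeping when you port this to a KQL scheduled query: failed attempts are reported alongside successful ones, because a developer repeatedly trying to remove an immutability policy is exactly the behaviour the PIM approval workflow is supposed to surface, and the bulk rule counts the diagnostic-settings delete together with the container deletes, since an attacker's first step is typically to turn off collection before deleting evidence.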

Small-business scenarios and practical tips

Scenario: a small MSP-hosted web app with 20 employees. Practical approach: put CloudTrail or Azure Diagnostic settings in a separate log-archive account/subscription owned by the business owner or a third-party compliance account, not by developers; use the provider's managed services for log retention with encryption and immutability; limit privileged roles to 1–2 people and use PIM/JIT; automate checks with Config/Policy to get daily reports; retain evidence (screenshots, role elevation logs, Config/Policy evaluations) and store them in the same archive. If you outsource operations, ensure contracts require log immutability and the ability to produce audit evidence within the required retention window.

Risks of not implementing AU.L2-3.3.9

Failure to protect audit logs exposes you to undetected breaches (attackers commonly erase or alter logs), loss of forensic capability, failed compliance audits, contract penalties, and reputational damage. In cloud environments, unchecked privileges allow attackers or malicious insiders to disable logging entirely, delete evidence, or manipulate logs to hide lateral movement, all of which prevent timely detection and response. From an assessment standpoint, a lack of technical controls, documented processes, and evidence will result in audit findings and remediation orders.

Compliance tips and best practices

Document your logging architecture, retention policies, and privileged access workflows; demonstrate separation of duties and PIM/JIT use; keep a change-control trail for all log-related configuration updates and KMS/Key Vault key rotations; schedule periodic reviews of principals with log-management privileges; automate detection and alerting for log configuration changes; and keep playbooks for investigators explaining how to access archived logs and verify integrity (e.g., CloudTrail log file validation hash). Lastly, retain proof of training and access approvals for people with privileged access.
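The investigator playbook mentioned above should say how to verify archived log integrity, and on AWS that means checking the CloudTrail digest files. The script below is an added example, not code from this page or from AWS, showing the hash-verification half of that check: every log file named in a digest is re-hashed and compared with the recorded SHA-256, and the digest is linked to its predecessor through previousDigestHashValue. The digest and log contents are constructed, with placeholder account id and object keys; the field names (logFiles[].s3Object, hashValue, hashAlgorithm, previousDigestS3Object, previousDigestHashValue) follow the CloudTrail digest format. The digest's own RSA signature (stored as object metadata and checked against the key from `cloudtrail list-public-keys`) is not verified here; `aws cloudtrail validate-logs` performs both steps.

```python
"""Verify archived CloudTrail log files against the SHA-256 hashes in a
CloudTrail digest file and check the digest chain link to its predecessor.

Added example (not code from the page or from AWS); digest and files are constructed.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(digest, objects):
    """Check every log file listed in `digest` against `objects`, a mapping of
    S3 object key -> uncompressed bytes. Returns a list of problems (empty = clean)."""
    problems = []
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry.get("hashAlgorithm") != "SHA-256":
            problems.append(f"{key}: unsupported hash algorithm {entry.get('hashAlgorithm')}")
            continue
        data = objects.get(key)
        if data is None:
            problems.append(f"{key}: log file missing from archive")
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append(f"{key}: hash mismatch (file modified or replaced)")
    # chain check: the previous digest's hash is recorded in this digest
    prev_key = digest.get("previousDigestS3Object")
    if prev_key:
        prev = objects.get(prev_key)
        if prev is None:
            problems.append(f"{prev_key}: previous digest missing, chain broken")
        elif sha256_hex(prev) != digest["previousDigestHashValue"]:
            problems.append(f"{prev_key}: previous digest hash mismatch, chain broken")
    return problems


# Constructed archive: two (uncompressed) log files and the previous digest.
PREFIX = "AWSLogs/111111111111/CloudTrail"            # placeholder account id
LOG_A = json.dumps({"Records": [{"eventName": "StopLogging",
                                 "eventSource": "cloudtrail.amazonaws.com"}]}).encode()
LOG_B = json.dumps({"Records": [{"eventName": "PutBucketPolicy",
                                 "eventSource": "s3.amazonaws.com"}]}).encode()
PREV_DIGEST = json.dumps({"digestEndTime": "2026-04-16T23:00:00Z", "logFiles": []}).encode()
PREV_KEY = f"{PREFIX}-Digest/us-east-1/2026/04/16/digest-prev.json"
ARCHIVE = {
    f"{PREFIX}/us-east-1/2026/04/17/log-a.json": LOG_A,
    f"{PREFIX}/us-east-1/2026/04/17/log-b.json": LOG_B,
    PREV_KEY: PREV_DIGEST,
}

DIGEST = {  # constructed, shaped like a CloudTrail digest file
    "awsAccountId": "111111111111",
    "digestStartTime": "2026-04-16T23:00:00Z",
    "digestEndTime": "2026-04-17T00:00:00Z",
    "previousDigestS3Object": PREV_KEY,
    "previousDigestHashValue": sha256_hex(PREV_DIGEST),
    "logFiles": [
        {"s3Object": key, "hashValue": sha256_hex(data), "hashAlgorithm": "SHA-256"}
        for key, data in ARCHIVE.items() if key != PREV_KEY
    ],
}


if __name__ == "__main__":
    print("clean archive:", verify_digest(DIGEST, ARCHIVE) or "OK")
    tampered = dict(ARCHIVE)
    tampered[DIGEST["logFiles"][0]["s3Object"]] = b'{"Records": []}'   # event removed
    print("tampered archive:", verify_digest(DIGEST, tampered))
```

Run against a real archive, `objects` would be populated by fetching and gunzipping each key named in the digest from the log-archive bucket under the read-only investigator role; a mismatch on a file whose Object Lock retention has not expired is itself a strong indicator that someone bypassed the controls above.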

Summary: To meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AU.L2-3.3.9 in AWS and Azure, combine cloud-native protections (CloudTrail/CloudWatch/S3 Object Lock/KMS in AWS; Activity Logs/Diagnostic Settings/Immutable Blobs/Key Vault and RBAC/PIM in Azure), strict least-privilege access and separation of duties, automation to detect and alert on changes, and documented evidence of controls and workflows. For small businesses, prioritize a centralized, hardened log-archive, minimal privileged accounts with PIM or JIT, immutable retention, and automated compliance checks to reduce risk and produce audit-ready evidence.

 
