Auditing
FinOps Center
FinOps Center provides auditability across the whole solution using AWS-native logging, monitoring, and compliance tools. Activity logs are collected across the entire stack—including authentication, business logic, orchestration, data access, and storage—to support customer audit and compliance requirements.
AWS Service Logging
Amazon Cognito: Authentication and authorization events—such as user sign-ins, token refreshes, and federated identity access—are logged through AWS CloudTrail, enabling traceability of identity events and user sessions.
AWS Lambda: All Lambda function invocations, including business logic execution and data processing, are logged to Amazon CloudWatch Logs. Function invocation metadata, API calls made by functions, and errors are also captured in CloudTrail.
AWS Step Functions: Workflow execution history, state transitions, and error handling logic are logged via CloudWatch Logs, while CloudTrail captures orchestration activity and API interactions initiated by workflows.
Amazon S3 (for web hosting): Static web content access and object-level interactions are logged via S3 Server Access Logs or CloudTrail Data Events, providing visibility into frontend usage patterns.
AWS AppSync: GraphQL queries, mutations, and subscriptions are recorded by CloudTrail, allowing full traceability of frontend-to-backend data access. Resolver execution logs can also be sent to CloudWatch Logs for detailed debugging and auditing.
Amazon EventBridge: Events published to or routed through EventBridge are tracked in CloudTrail, providing insight into event-based workflows, system integration points, and automation triggers.
Amazon DynamoDB: All reads, writes, updates, and deletes on DynamoDB tables used for application data are auditable through CloudTrail Data Events (if enabled). This captures the full lifecycle of data access patterns. Additionally:
DynamoDB Streams can be used to monitor real-time changes to data for audit trails or downstream processing.
Centralized Logging and Audit Readiness
To support customer audit and compliance needs, the solution integrates the following centralized logging tools:
AWS CloudTrail: Captures all control-plane and (where enabled) data-plane API calls across services. Trails can be configured for multi-account logging with delivery to Amazon S3, encrypted using AWS KMS, and analyzed via Athena, OpenSearch, or third-party SIEM tools.
Amazon CloudWatch Logs and Metrics: Provide real-time operational visibility into application performance, execution paths, and anomalies.
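The CloudTrail baseline described above (multi-account delivery to S3, KMS encryption, data events for the DynamoDB tables and S3 content the stack relies on) is only effective if the trail is actually configured that way. The following added example, not part of the FinOps Center documentation or code, checks a trail description against that baseline. The two inputs are constructed samples shaped like the boto3 responses from cloudtrail.describe_trails() and cloudtrail.get_event_selectors(); the trail name, bucket, account id and key id are placeholders.

```python
from typing import Dict, List, Set

# Constructed sample shaped like cloudtrail.describe_trails()["trailList"][0];
# no AWS call is made, so the check runs offline.
SAMPLE_TRAIL = {
    "Name": "finops-org-trail",
    "S3BucketName": "example-audit-logs",
    "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True,
    "LogFileValidationEnabled": True,
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
# Constructed sample shaped like get_event_selectors()["AdvancedEventSelectors"]:
# management events plus DynamoDB data events, but no S3 data events.
SAMPLE_SELECTORS = [
    {"Name": "mgmt", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "ddb", "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                                       {"Field": "resources.type", "Equals": ["AWS::DynamoDB::Table"]}]},
]
# Data-event resource types the stack above depends on for full auditability.
REQUIRED_DATA_EVENTS = {"AWS::DynamoDB::Table", "AWS::S3::Object"}


def data_event_types(selectors: List[Dict]) -> Set[str]:
    """Collect the resource types whose data events the trail's selectors enable."""
    enabled: Set[str] = set()
    for sel in selectors:
        fields = {f["Field"]: f.get("Equals", []) for f in sel.get("FieldSelectors", [])}
        if "Data" in fields.get("eventCategory", []):
            enabled.update(fields.get("resources.type", []))
    return enabled


def audit_findings(trail: Dict, selectors: List[Dict]) -> List[str]:
    """Compare one trail against the documented baseline; an empty list means no gaps."""
    checks = [
        ("IsMultiRegionTrail", "trail is single-region; API calls in other regions are not captured"),
        ("IsOrganizationTrail", "trail is not an organization trail; multi-account logging is not centralized"),
        ("S3BucketName", "no S3 delivery bucket configured"),
        ("KmsKeyId", "log files are not encrypted with a KMS key"),
        ("LogFileValidationEnabled", "log file validation is off; tampering with delivered logs cannot be detected"),
    ]
    findings = [msg for key, msg in checks if not trail.get(key)]
    for rtype in sorted(REQUIRED_DATA_EVENTS - data_event_types(selectors)):
        findings.append(f"data events not enabled for {rtype}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_findings(SAMPLE_TRAIL, SAMPLE_SELECTORS) or ["no findings"]))
```

Against the sample input the only finding is the missing S3 data events; in a real account, feed the check the live responses for every trail, since a single non-compliant trail in one region leaves a gap in the audit record.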