When administrative access or configuration change is attempted on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When any attempt is made to modify data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When any attempt is made to read data on the service or a child resource, the service MUST log the client identity, time, and result of the attempt.

When the service is operational, its logs and any child resource logs MUST NOT be accessible from the resource they record access to.

When the service is operational, any attempt to redirect logs for the service or its child resources MUST NOT be possible without halting operation of the corresponding resource and publishing corresponding events to monitored channels.

When throttling is invoked, the load balancer MUST record the event in the access log within 5 minutes for alerting and trend analysis.

When more than 10 percent of targets change from healthy to unhealthy within five minutes, an alert MUST be issued.

When a new cloud account is created, provider-level audit and network flow logging MUST be enabled by default and directed to the central sink.

When a new cloud compute resource is deployed, it MUST be configured to forward all relevant logs (e.g., OS, application, service logs) to the central log sink.

When a new log bucket or stream is created, its retention policy MUST be configured in accordance with organisation's data retention policy.

When a query is performed to retrieve log events older than the number of days defined in the organisation's data retention policy, it MUST return an empty result.

When any network traffic goes to or from an interface in the VPC, the service MUST capture and log all relevant information.