Most teams set log retention periods the same way they set default instance sizes: they accept whatever the console suggests, adjust slightly when the bill arrives, and move on. GCP’s _Default log bucket retains 30 days. Azure Monitor defaults to 30 days for most tables. AWS CloudWatch Logs defaults to never expire, which sounds generous until cost pressure pushes teams to set explicit 30 or 90-day windows. These numbers feel reasonable until you ask what they actually commit you to: a maximum forensic lookback of one to three months, decided not by your security team but by whoever clicked cheapest at provisioning time.
The problem is that 30 to 90 days is not enough. According to IBM’s 2025 Cost of a Data Breach Report, the average breach takes 181 days to detect and a further 60 days to contain, a total lifecycle of 241 days. Mandiant’s M-Trends 2025 data shows a global median dwell time of 11 days, but that figure is dominated by ransomware, which announces itself quickly. The attacks that short retention periods erase are the quiet ones: credential-based intrusions, which IBM found take an average of 292 days to detect, and supply-chain compromises, which average 267 days. These are precisely the threat categories where the evidence is oldest by the time anyone starts looking.

Compliance Is a Floor, Not a Forensic Strategy
Organisations that set retention by their compliance framework are making a better decision than those who accept defaults, but they are still not making a security decision. PCI DSS v4.0.1 requires 12 months of log retention with three months immediately available for analysis. HIPAA requires six years. SOC 2 and ISO 27001 set no fixed period but expect a documented, risk-based policy, with auditors typically expecting around 12 months in practice. None of these requirements were designed around incident response timelines. They were designed around auditability and regulatory accountability. Meeting PCI DSS’s 12-month floor gives you a reasonable forensic window by accident, but an organisation facing a supply-chain compromise with a 267-day dwell time is still working near the edge of what that window covers. The compliance calendar and the attacker’s calendar are not aligned, and treating one as a proxy for the other is a category error.

The Hot-Cold Architecture Resolves the Cost Tension
The reason retention decisions get made on cost grounds is that keeping logs expensive and searchable for a year feels prohibitive. That framing collapses when you separate hot and cold storage properly. Hot retention, the kind where logs are indexed and queryable in your SIEM or log analytics platform, costs roughly £0.20 to £1.20 per GB per month depending on the platform. Cold retention, logs shipped to object storage with lifecycle policies to archive tiers, costs closer to £0.001 to £0.004 per GB per month. The architectural question is not whether to retain for 12 months. It is which logs need to be instantly queryable and for how long. Authentication events, privileged access logs, and cloud control-plane activity (CloudTrail, Azure Activity Logs, GCP Admin Activity) warrant 90 days of hot retention because they are what you reach for first in an incident. Bulk telemetry can move to cold storage after 30 days without meaningfully slowing an investigation, because rehydration from archive takes hours, not weeks. CIS Control 8.10 captures the minimum position clearly: 90 days searchable, with longer periods for environments where the threat model demands it. The organisations that reach cold storage at 12 months and find it empty are the ones who never built the pipeline from hot to cold in the first place. If you are already thinking through tiered storage approaches for other data, the same principles apply to logs; the cost economics and access patterns map closely to what is covered in our AWS backup strategies guide.

What You Retain Shapes What You Can Know
The Marriott/Starwood breach is worth understanding in this context. Attackers were present in the Starwood environment from 2014 and undetected until 2018, compromising approximately 339 million guest records. The UK ICO’s penalty notice documented that Marriott had a SIEM and a security operations centre in place, but that “the insufficient logging rendered the SIEM and SOC ineffective.” This was primarily a failure to configure logging at all on key systems, not a retention expiry problem. But the lesson transfers: forensic investigation is only as good as the data that exists to investigate. Short retention periods produce the same outcome as missing log sources when the breach surfaces outside the window. The investigator reconstructing a nine-month intrusion finds either unconfigured logging or expired logs, and the result is identical: no evidence of initial access, no lateral movement timeline, no scope. Combining robust detection tooling, as discussed in our post on GuardDuty Malware Protection for S3, with a retention policy calibrated to actual dwell times is what gives a security team a realistic chance of understanding what happened.

The Decision That Should Follow from This
Log retention is not a storage question because the thing at stake is not storage: it is investigative capability. When a team sets a 30-day retention window, they are making an advance commitment that any intrusion undetected for more than 30 days cannot be fully reconstructed. Most teams making that commitment have no idea they are making it. The actionable question is not what your logs cost to retain but what you are prepared to know and not know about a breach that surfaces six months after it began. If the answer to that question has never been put in front of your security or risk function in explicit terms, that conversation is overdue. Treating cloud security posture as a configuration problem while leaving retention on defaults is the equivalent of installing a burglar alarm and disabling the recording.
Useful Links
- IBM Cost of a Data Breach Report 2025
- Mandiant M-Trends 2025
- Verizon 2025 Data Breach Investigations Report
- CIS Control 8: Audit Log Management
- CISA/NSA/ACSC: Best Practices for Event Logging and Threat Detection (2024)
- NIST SP 800-92: Guide to Computer Security Log Management
- GCP Cloud Logging: Store Log Entries
- Azure Monitor: Manage Data Retention in a Log Analytics Workspace
- ICO Marriott International Penalty Notice (October 2020)
- PCI DSS v4.0.1 Requirement 10.5.1 Guidance








