This capability should be implemented in accordance with your governance needs by the Security team.

Utilizing a separate log storage enables you to build a safe area where the logs serve as the source of truth for the activities and events occurring in your environment, relative to security and operations. Examples include account access and infrastructure changes.

Log storage must be tamper-resistant and encrypted, and accessed only by controlled and monitored mechanisms, based on least privilege access by role. Controls need to be implemented around the log storage to protect the integrity and availability of the logs and their management process. For in-depth technical information, refer to the Establishing your Cloud Foundation on AWS whitepaper.

https://aws.amazon.com/solutions/guidance/log-storage-on-aws/?did=sl_card&trk=sl_card