
Log Archival and Compliance Storage for Indian Businesses — CERT-In, DPDP Act, and Audit Requirements

Mohit, Engineering team
April 22, 2026 · 6 min read

For DevOps engineers, security teams, and compliance leads at Indian IT companies subject to CERT-In's April 2022 directives and related regulatory obligations.

What CERT-In Actually Requires

CERT-In's April 2022 cybersecurity directions apply to all entities in India's IT ecosystem — data centres, cloud service providers, VPN service providers, and any organisation classified as a critical information infrastructure. The core log retention requirement is 180 days for:

System logs, network device logs, firewall and intrusion detection logs, application access logs, authentication and authorisation events, API gateway logs, and database access logs. The 180-day clock runs from the time the event is recorded, not from the time a potential incident is detected.

Separately, reportable cybersecurity incidents must be reported to CERT-In within 6 hours of detection. Meeting this reporting obligation requires that the relevant logs be accessible quickly enough to support a coherent incident report within the timeframe — which means logs must be indexed or at minimum easily searchable, not just archived.

For practical compliance, the architecture must: collect all required log categories, retain them for at minimum 180 days in India-resident storage, prevent modification or deletion (tamper-evidence), and support retrieval within the timeframe required for incident reporting.

Why Object Storage for Compliance Logs

Log data has characteristics that make object storage the correct long-term home:

High write volume, low read frequency. Logs are written continuously in high volume but read only during incident investigations, audits, or regulatory requests — a fraction of the time. Object storage's pricing model (pay per GB stored and per request) is ideal for write-heavy, read-rare workloads.

Immutability by design. Log records should not be modified after they are written. Object storage's default behaviour — object keys are immutable once written — aligns with this requirement. Object lock adds an additional compliance guarantee.

Long retention at low cost. Retaining 180 days of logs for a medium-size platform generates significant data volumes. At Rs.1.50/GB-month on IBEE, the cost per GB per 180-day retention period is Rs.9. The cost of non-compliance is categorically higher.

India-sovereign jurisdiction. Logs under CERT-In requirements must be stored within India and accessible to Indian authorities on request. IBEE is an Indian company operating Indian infrastructure under Indian law.

Log Collection Pipeline

Logs from multiple sources — application servers, databases, network devices, authentication services — must be centralised before they can be archived to object storage. The standard approach uses a log shipping agent and a central aggregation layer.

Log shipping agents: Vector, Fluent Bit, and Filebeat are the common choices for shipping logs from application servers to a central destination. They run alongside the application on each server (as a host daemon or a sidecar container), tail log files, and forward log events to the aggregation layer.

Aggregation layer: A central log aggregator (self-hosted Loki, OpenSearch, or a similar tool) receives events from all agents, buffers them, and writes compressed log files to object storage on a schedule (typically every 5–15 minutes). For compliance, writing to object storage in near-real-time minimises the window during which a system failure could result in log loss.

Key structure for archived logs:

Example: compliance-logs/application/2024/07/15/14/app-server-01-1721048400.log.gz

This structure allows querying all logs of a given type for a date range by listing objects under the appropriate prefix — without scanning the full archive.

Tamper-Evident Storage With Object Lock

Object lock in COMPLIANCE mode prevents deletion or overwrite by any user, including account administrators, for the lock duration. This is the technical control that satisfies the tamper-evidence requirement for compliance log archival.

Configure the compliance log bucket with a default object lock retention of 180 days:

With this configuration, every log file written to the bucket is automatically locked for 180 days. The log pipeline writes files in the normal way — no special handling required for the lock. The bucket configuration ensures the lock is applied to every object on creation.

A CERT-In auditor requesting evidence of log retention controls can be shown: the bucket object lock configuration, a sample of locked objects with their retention expiry dates, and the log pipeline configuration showing that all required log categories are being shipped to this bucket.

Lifecycle Policy for Post-Retention Expiry

Object lock prevents deletion during the lock period. After the lock expires (180 days for CERT-In), a lifecycle policy should delete the objects — otherwise the archive grows indefinitely and accumulates cost for logs that are no longer required.

Setting the expiry at 185 days (5 days after the object lock expires) ensures the lock has expired before the lifecycle rule attempts deletion. If the two overlap, the lifecycle rule will not be able to delete the still-locked object.
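The bucket settings described in the two sections above, as an added example rather than IBEE's own tooling: it builds the default object-lock retention and the lifecycle expiry rule in the JSON shapes the S3 API accepts, checks that the expiry outlives the lock before either is applied, and emits the matching aws CLI invocations. The bucket name, endpoint URL and the assumption that the bucket was created with object lock enabled (an S3 requirement; versioning is enabled with it) are placeholders for this example.

```python
"""Object-lock and lifecycle configuration for a compliance log bucket.
Added example, not IBEE's own code; bucket/endpoint values are placeholders."""
import json

LOCK_DAYS = 180            # CERT-In minimum retention period
EXPIRY_MARGIN_DAYS = 5     # lifecycle deletes only after the lock has lapsed


def object_lock_configuration(days=LOCK_DAYS, mode="COMPLIANCE"):
    """Default retention applied to every object on creation.
    This is the JSON shape accepted by s3api put-object-lock-configuration."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def lifecycle_configuration(lock_days=LOCK_DAYS, margin_days=EXPIRY_MARGIN_DAYS,
                            prefix="compliance-logs/"):
    """Expiry rule scoped to the archive prefix. Both the lock and the
    lifecycle counter start at object creation, so expiry must exceed lock."""
    expiry_days = lock_days + margin_days
    if expiry_days <= lock_days:
        raise ValueError("lifecycle expiry must be later than the object lock")
    return {
        "Rules": [{
            "ID": f"expire-after-{expiry_days}d",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Expiration": {"Days": expiry_days},
        }]
    }


def check_no_overlap(lock_cfg, lifecycle_cfg):
    """True when every expiry rule fires after the default lock expires.
    Run before applying either configuration; a rule that fires while
    objects are still locked will simply fail to delete them."""
    lock_days = lock_cfg["Rule"]["DefaultRetention"]["Days"]
    for rule in lifecycle_cfg["Rules"]:
        expiry = rule.get("Expiration", {}).get("Days")
        if expiry is None or expiry <= lock_days:
            return False
    return True


def cli_commands(bucket, endpoint, lock_cfg, lifecycle_cfg):
    """aws CLI invocations (as argv lists) that apply both configurations.
    Assumes the bucket was created with object lock enabled; the endpoint
    is a placeholder for the provider's S3-compatible URL."""
    return [
        ["aws", "s3api", "put-object-lock-configuration",
         "--endpoint-url", endpoint, "--bucket", bucket,
         "--object-lock-configuration", json.dumps(lock_cfg)],
        ["aws", "s3api", "put-bucket-lifecycle-configuration",
         "--endpoint-url", endpoint, "--bucket", bucket,
         "--lifecycle-configuration", json.dumps(lifecycle_cfg)],
    ]


if __name__ == "__main__":
    lock = object_lock_configuration()
    life = lifecycle_configuration()
    if not check_no_overlap(lock, life):
        raise SystemExit("refusing to apply: expiry would collide with the lock")
    for cmd in cli_commands("example-compliance-logs",
                            "https://s3.example.invalid", lock, life):
        print(" ".join(cmd))   # review, then run against the real endpoint
```

The overlap check is the one worth keeping in a deployment script: it is what stops someone later shortening the lifecycle rule to 90 days and silently leaving an archive that never expires.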

Incident Response — Accessing Archived Logs

When an incident is detected and a CERT-In report must be filed within 6 hours, the log retrieval process must be fast enough to support the investigation.

For incidents where the time range is known, retrieve all relevant logs using the AWS CLI:

For incidents where the time range is unknown, use a log search tool that can query IBEE-hosted logs without downloading the full archive. Tools like OpenSearch (with S3 snapshot integration) or Athena-style SQL engines that read S3-compatible storage directly (DuckDB with S3 access) can run SQL queries against the compressed log files in IBEE in place.
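The key layout from the collection section and the known-time-range retrieval above, worked through as one added example (not IBEE's or the AWS CLI's own code): it derives archive keys in the page's category/year/month/day/hour layout, enumerates the hour prefixes to list for an incident window (correctly crossing day and month boundaries), filters a bucket listing to the chunks inside the window, and turns the result into `aws s3 cp` invocations that can be reviewed before anything is pulled. The bucket name, host names and the listing are constructed placeholders; all timestamps are handled in UTC and must be timezone-aware.

```python
"""Archive key layout and time-window retrieval planning for compliance logs.
Added example, not IBEE's tooling; bucket, hosts and listing are constructed."""
from datetime import datetime, timedelta, timezone
import re

PREFIX = "compliance-logs"
KEY_RE = re.compile(
    r"^compliance-logs/(?P<category>[^/]+)/\d{4}/\d{2}/\d{2}/\d{2}/"
    r"(?P<host>.+)-(?P<epoch>\d+)\.log\.gz$"
)


def utc(value):
    """Accept an aware datetime or an ISO-8601 string with offset; reject
    naive timestamps, which are the usual source of off-by-hours mistakes."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone")
    return dt.astimezone(timezone.utc)


def archive_key(category, host, ts):
    """Key for one log chunk: category, year/month/day/hour partitions, then
    host and the chunk's epoch timestamp (mirrors the page's layout)."""
    ts = utc(ts)
    return f"{PREFIX}/{category}/{ts:%Y/%m/%d/%H}/{host}-{int(ts.timestamp())}.log.gz"


def key_timestamp(key):
    """Timestamp embedded in a key, or None when the key is not an archive key."""
    m = KEY_RE.match(key)
    return datetime.fromtimestamp(int(m["epoch"]), timezone.utc) if m else None


def hour_prefixes(category, start, end):
    """One listing prefix per hour in [start, end]; listing these is far
    cheaper than walking the whole category for 180 days."""
    cur = utc(start).replace(minute=0, second=0, microsecond=0)
    end = utc(end)
    prefixes = []
    while cur <= end:
        prefixes.append(f"{PREFIX}/{category}/{cur:%Y/%m/%d/%H}/")
        cur += timedelta(hours=1)
    return prefixes


def select_keys(listing, category, start, end):
    """Narrow a bucket listing to chunks whose timestamp lies in the window.
    Prefix match first (what the object store would return), then the exact
    timestamp check that drops chunks at the edges of the first/last hour."""
    start, end = utc(start), utc(end)
    wanted = tuple(hour_prefixes(category, start, end))
    chosen = []
    for key in listing:
        if not key.startswith(wanted):
            continue
        ts = key_timestamp(key)
        if ts is not None and start <= ts <= end:
            chosen.append(key)
    return sorted(chosen)


def download_commands(bucket, keys, dest="./incident-evidence"):
    """One `aws s3 cp` per selected chunk, as argv lists, so the retrieval
    plan is visible in the incident record before it is executed."""
    return [["aws", "s3", "cp", f"s3://{bucket}/{k}", f"{dest}/{k.rsplit('/', 1)[1]}"]
            for k in keys]


if __name__ == "__main__":
    # Constructed listing: two chunks inside a window that crosses midnight,
    # one after it, and one from a different log category.
    listing = [
        archive_key("application", "app-server-01", "2024-07-15T23:20:00+00:00"),
        archive_key("application", "app-server-02", "2024-07-16T00:05:00+00:00"),
        archive_key("application", "app-server-01", "2024-07-16T02:00:00+00:00"),
        archive_key("database", "db-01", "2024-07-16T00:05:00+00:00"),
    ]
    hit = select_keys(listing, "application",
                      "2024-07-15T23:00:00+00:00", "2024-07-16T01:00:00+00:00")
    for cmd in download_commands("example-compliance-logs", hit):
        print(" ".join(cmd))
```

Listing by hour prefix is what keeps retrieval inside the 6-hour reporting window: a 180-day archive for one category holds over 4,000 hour prefixes, and an incident window of a few hours touches only a handful of them.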

DPDP Act Data Processing Records

India's Digital Personal Data Protection Act, 2023 requires data fiduciaries to maintain records of data processing activities involving personal data. These records — what data was processed, when, by which system, for what purpose — are distinct from operational logs but require similar retention and India-sovereign storage.

Store DPDP processing records as structured JSON objects in a dedicated IBEE bucket, with object lock applied at an appropriate retention period (at minimum the duration of the data processing relationship plus a defined post-processing window). Each record should include: the data principal's identifier (in pseudonymised form), the category of personal data processed, the processing purpose, the system or service that processed it, and the timestamp.

These records are the technical evidence of lawful processing if a data principal exercises their rights under the DPDP Act — or if a regulatory authority investigates.
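The processing record described above, as an added example that is not IBEE's code or a DPDP-mandated schema: it pseudonymises the data principal's identifier with a keyed HMAC (so the same principal always maps to the same pseudonym, which a rights request needs, while a plain hash of an e-mail or phone number could be reversed by dictionary matching), validates the fields the page lists, serialises the record as canonical JSON, and derives an object key that groups one principal's records under a single prefix. The HMAC key, the category list, the field names and the bucket prefix are assumptions for this example.

```python
"""DPDP processing record with a pseudonymised data principal identifier.
Added example, not IBEE's code; key, categories and field names are assumed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

REQUIRED = ("data_principal", "data_category", "purpose", "system", "timestamp")
# Assumed category vocabulary; a real deployment takes this from its data map.
DATA_CATEGORIES = {"contact", "financial", "identity", "health", "location"}


def pseudonymise(identifier, key):
    """HMAC-SHA256 over the normalised identifier. Stable per principal,
    but not recoverable without the key, which lives outside the bucket."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def validate(record):
    """Enforce the fields the record must carry and that the principal
    field holds a pseudonym, never a raw identifier."""
    missing = [f for f in REQUIRED if not record.get(f)]
    if missing:
        raise ValueError(f"record missing fields: {missing}")
    principal = record["data_principal"]
    if len(principal) != 64 or any(c not in "0123456789abcdef" for c in principal):
        raise ValueError("data_principal must be the HMAC pseudonym")
    if record["data_category"] not in DATA_CATEGORIES:
        raise ValueError(f"unknown data category: {record['data_category']}")
    return True


def processing_record(identifier, data_category, purpose, system, key, when):
    """One processing event. `when` is an aware datetime or an ISO-8601
    string with offset; naive timestamps are rejected."""
    ts = datetime.fromisoformat(when) if isinstance(when, str) else when
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    record = {
        "data_principal": pseudonymise(identifier, key),
        "data_category": data_category,
        "purpose": purpose,
        "system": system,
        "timestamp": ts.astimezone(timezone.utc).isoformat(),
    }
    validate(record)
    return record


def serialise(record):
    """Canonical JSON bytes: sorted keys and fixed separators, so the same
    record always produces the same bytes and the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_key(record, prefix="dpdp-records"):
    """Object key with the pseudonym first, so every record for one principal
    is a single prefix listing when they exercise a DPDP right; the digest
    suffix makes the key unique even for two events in the same second."""
    digest = hashlib.sha256(serialise(record)).hexdigest()[:16]
    day = record["timestamp"][:10].replace("-", "/")
    return f"{prefix}/{record['data_principal']}/{day}/{record['system']}-{digest}.json"


if __name__ == "__main__":
    # Constructed values for the demonstration only.
    key = b"example-pseudonymisation-key-kept-in-a-secret-store"
    rec = processing_record("Alice@Example.com", "contact", "order-fulfilment",
                            "orders-api", key, "2026-01-05T15:00:00+05:30")
    print(record_key(rec))
    print(serialise(rec).decode())
```

The records bucket should carry the same object lock treatment as the log bucket, and the HMAC key must be stored and rotated outside it: with the key, an operator can answer a rights request by computing the pseudonym and listing its prefix; without it, a copy of the bucket reveals nothing about who the principals are.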
