API cookbook
Export the audit log to S3 for long-term retention
Configure audit-log export, validate signatures and chain hashes externally, retain in S3 with object-lock for tamper-evidence.
advancedBash · S3
Business and Enterprise tiers support automated export. Configure the export target (S3 bucket, IAM role) in the admin console. Exports run nightly with a configurable retention window.
# Sample export verification on receipt
aws s3 cp s3://your-audit-bucket/2026/05/03/audit.jsonl.gz - | gunzip | \
ratestack-audit-verify --pubkey "${RATESTACK_AUDIT_PUBKEY}"
# Reads each row, verifies signature, recomputes hash chain
# Exits non-zero on any verification failure
# S3 object lock for tamper-evidence at the storage layer
aws s3api put-object-retention \
--bucket your-audit-bucket \
--key 2026/05/03/audit.jsonl.gz \
--retention 'Mode=COMPLIANCE,RetainUntilDate=2034-05-03T00:00:00Z'