Skip to main content
For compliance frameworks like SOC 2, HIPAA, and GDPR, organizations need to retain authorization events for extended periods. The @grantex/destinations package provides S3Destination and BigQueryDestination classes that archive events to durable storage for long-term retention and analytics.

Prerequisites

  • The @grantex/destinations package installed:
  • For S3: AWS credentials configured (environment variables, IAM role, or ~/.aws/credentials)
  • For BigQuery: Google Cloud credentials configured (service account key or Application Default Credentials)

Amazon S3

Setup

Configuration Options

How It Works

The S3Destination buffers events and writes them as NDJSON (newline-delimited JSON) files to S3. Each flush produces one object with a timestamped key:
Each line in the file is a complete JSON event:
The S3 destination dynamically imports @aws-sdk/client-s3 at runtime. Install it as a peer dependency: npm install @aws-sdk/client-s3.

IAM Policy

The S3 destination requires s3:PutObject permission. Attach this policy to your IAM role or user:

S3 Lifecycle Policy

Configure an S3 lifecycle policy for cost-effective long-term retention:
This policy:
  • Moves objects to Standard-IA after 30 days
  • Moves to Glacier after 90 days
  • Moves to Deep Archive after 1 year
  • Deletes after 7 years (adjust per your retention requirements)

Querying with Athena

Set up an Athena table to query your archived events with standard SQL:
Example queries:

Google BigQuery

Setup

Configuration Options

How It Works

The BigQueryDestination buffers events and inserts them as rows into a BigQuery table using the streaming insert API. Each event maps to a row with these columns:
The BigQuery destination dynamically imports @google-cloud/bigquery at runtime. Install it as a peer dependency: npm install @google-cloud/bigquery.

Table Schema

Create the BigQuery table before starting the destination:
Partitioning by date and clustering by event_type gives you fast queries and lower costs for time-range and type-filtered queries.

IAM Permissions

The service account needs these BigQuery permissions:
  • bigquery.tables.updateData (for streaming inserts)
  • bigquery.tables.get (to verify table existence)
Grant the BigQuery Data Editor role on the dataset:

Example Queries

Multi-Destination Setup

For comprehensive compliance, send events to both a SIEM (for real-time alerting) and a data warehouse (for long-term retention):
Events are dispatched to all destinations concurrently. A failure in one destination does not block the others.

Compliance Best Practices

Retention Periods

Align your retention periods with your compliance framework:

Immutability

Enable object lock on your S3 bucket to prevent deletion or modification of archived events:

Encryption

  • S3: Enable SSE-S3 or SSE-KMS default encryption on your bucket
  • BigQuery: Data is encrypted at rest by default; use CMEK for additional control

Access Controls

  • Use dedicated IAM roles with least-privilege permissions
  • Enable CloudTrail (AWS) or Audit Logs (GCP) on the archival resources
  • Restrict access to the archival bucket/dataset to compliance and security teams

Completeness Verification

Periodically verify that your archive contains all expected events:
Cross-reference these counts against the Grantex audit log (GET /v1/audit/entries) to confirm no events were lost.

Graceful Shutdown

Ensure buffered events are flushed before your process exits:

Next Steps

Last modified on March 1, 2026