AWS offers object locking, which is similar to a WORM drive (Write Once Read Many). This prevents logs from being deleted. The other approach is to ship logs to another AWS account.
Thanks. I was a bit puzzled earlier why AWS was so insistent about enabling object locking, my specific use case doesn't profit from remote versioning at all. But I can see how this would mitigate log integrity concerns. I'll definitely enable it for that.
https://aws.amazon.com/blogs/storage/protecting-data-with-am...