
View run logs, manually trigger a scan for a missed time window, and remove the Claude Compliance Collector from your AWS environment.

The Claude Compliance Collector writes per-chat outcome logs to CloudWatch Logs from the ProcessChat Lambda function. Each log entry records one of the following events:
  • chat_succeeded — All chunks accepted by AI Guard
  • chat_skipped — Permanent error or unexpected failure
  • exhausted_retries — Chat hit the MaxRetries limit
  • batch_dropped — Unhandled exception; no chat IDs logged for privacy
Use these logs to verify successful runs and troubleshoot failures. You can complete three management operations from the AWS CLI: view run logs, manually trigger a scan for a missed time window, and remove the collector stack entirely.

Procedure

  • To view run logs, run the following CloudWatch Logs Insights query, replacing the time range as needed:
    LOG_GROUP="/aws/lambda/claude-compliance-collector-process-chat"
    
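    # start-query returns a queryId; pass it to "aws logs get-query-results" to read the rows.
    # The "date -d" syntax used here is GNU date.
    aws logs start-query \
      --log-group-name "$LOG_GROUP" \
      --start-time "$(date -d '24 hours ago' +%s)" \
      --end-time "$(date +%s)" \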
      --query-string 'fields @timestamp, event, chat_id, chunks_sent, error_class
        | filter window_start = "2026-05-28T00:00:00+00:00"
        | stats count() as count by event'
  • To manually trigger a scan for a missed time window, run the following commands, replacing the timestamp with a time inside your target window:
    LAMBDA_FN=$(aws cloudformation describe-stack-resource \
      --stack-name claude-compliance-collector \
      --logical-resource-id ListActivitiesFunction \
      --query 'StackResourceDetail.PhysicalResourceId' \
      --output text)
    
    # Invoke the function with the target window; the response is written to /dev/stdout.
    aws lambda invoke \
      --function-name "$LAMBDA_FN" \
      --cli-binary-format raw-in-base64-out \
      --payload '{"schedule_time":"2026-05-28T04:00:00Z","schedule_timezone":"UTC"}' \
      /dev/stdout
    Important
    If the specified time window overlaps with a previous or upcoming scheduled run, chats in the overlapping period may be scanned twice.
  • To remove the collector and all associated AWS resources, do one of the following:
    • To remove the collector using the AWS Management Console, go to CloudFormation > Stacks, select the claude-compliance-collector stack, and select Delete.
    • To delete the stack using the AWS CLI, use the following commands:
      aws cloudformation delete-stack --stack-name claude-compliance-collector
      aws cloudformation wait stack-delete-complete --stack-name claude-compliance-collector
    AWS removes all collector resources. Secrets Manager applies a default 30-day recovery window before permanently deleting stored secrets. During this period, secrets can be recovered.
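
For the log-viewing step above: `aws logs start-query` returns only a query ID, and the rows come back from `aws logs get-query-results`. The following Python sketch is an added example, not part of the collector or its documentation; it tallies the `stats count() as count by event` rows for one window and flags the window when anything other than chat_succeeded appears. The function name, verdict labels and sample data are assumptions made for illustration.

```python
import json

# Event names as listed on this page; only chat_succeeded means a clean scan.
FAILURE_EVENTS = {"chat_skipped", "exhausted_retries", "batch_dropped"}
KNOWN_EVENTS = FAILURE_EVENTS | {"chat_succeeded"}

# Constructed sample in the shape of `aws logs get-query-results` output.
SAMPLE = """{"status": "Complete", "results": [
  [{"field": "event", "value": "chat_succeeded"}, {"field": "count", "value": "41"}],
  [{"field": "event", "value": "exhausted_retries"}, {"field": "count", "value": "2"}],
  [{"field": "event", "value": "batch_dropped"}, {"field": "count", "value": "1"}]]}"""


def summarize(query_results_json):
    """Tally per-event counts for one window and return a verdict (hypothetical labels)."""
    doc = json.loads(query_results_json)
    status = doc.get("status")
    out = {"status": status, "counts": {}, "unknown": [], "failed": 0}
    if status != "Complete":
        # Running, Scheduled, Failed, etc.: rows are partial or absent, so do not judge yet.
        out["verdict"] = "not_complete"
        return out
    counts = out["counts"]
    for row in doc.get("results", []):
        # Each row is a list of {"field": ..., "value": ...} cells; values are strings.
        cells = {c["field"]: c["value"] for c in row}
        event = cells.get("event")
        if event is not None:
            counts[event] = counts.get(event, 0) + int(cells.get("count", 0))
    # An event name outside the documented four is surfaced rather than ignored.
    out["unknown"] = sorted(set(counts) - KNOWN_EVENTS)
    # batch_dropped entries carry no chat IDs, so that count cannot be mapped to chats.
    out["failed"] = sum(counts.get(e, 0) for e in FAILURE_EVENTS)
    if not counts:
        out["verdict"] = "no_events"  # nothing was logged for this window
    elif out["failed"] or out["unknown"]:
        out["verdict"] = "needs_review"
    else:
        out["verdict"] = "clean"
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `no_events` verdict means only that the query matched no outcome entries for that `window_start`; check the filter value and time range before treating the window as missed.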