SOC 2 Type II evidence collection: how do you automate log retention proofs across multi-account AWS setups?
We're preparing for our first SOC 2 Type II audit and the evidence collection burden is heavier than expected.

Jurisdiction: US, EU

Specifically: our auditor wants 12 months of continuous log retention proofs across 8 AWS accounts. We use CloudTrail + CloudWatch Logs, but proving unbroken retention (no gaps, no manual deletions) requires cross-account queries and S3 bucket lifecycle policy screenshots that don't map cleanly to the SOC 2 CC7.2 control.

How did your team handle this at scale? Did you go with:

- A centralized SIEM (Splunk/Datadog) that aggregates and provides the audit trail?
- Custom Lambda functions that snapshot retention configs monthly?
- Something like AWS Audit Manager to auto-collect evidence?

Curious what worked in practice vs. what sounded good in theory. Any tool recommendations that actually saved hours during the auditor walkthrough?
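As an added example (not part of the original post, and not any vendor's tooling), here is the core of what a "custom Lambda that snapshots retention configs monthly" option has to compute once the raw data is in hand: a CloudWatch log group retention check, an S3 lifecycle expiration check, a day-by-day CloudTrail delivery gap check over the date range the auditor cares about, and a hashed evidence record so a later reviewer can tell whether a stored snapshot was altered. The input shapes mirror boto3's `describe_log_groups`, `get_bucket_lifecycle_configuration` and `list_objects_v2` responses, so the collector that calls those APIs per account (via AssumeRole) can feed the results straight in; that wiring, the 365-day policy value and the sample account id, bucket keys and rule names are assumptions for illustration.

```python
"""Checks that turn raw AWS configuration and object listings into retention
evidence for SOC 2 CC7.2. Input shapes mirror boto3's describe_log_groups,
get_bucket_lifecycle_configuration and list_objects_v2 responses; all sample
data below is constructed for illustration (not real accounts or buckets)."""
import hashlib
import json
import re
from datetime import date, timedelta

REQUIRED_RETENTION_DAYS = 365  # assumed policy: keep one year of logs

# CloudTrail delivers objects as AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>
CLOUDTRAIL_KEY = re.compile(
    r"AWSLogs/(?P<account>\d{12})/CloudTrail/[^/]+/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/"
)


def check_log_group_retention(log_groups):
    """Flag CloudWatch log groups whose retention is shorter than policy.
    A missing retentionInDays means 'never expire', which satisfies policy."""
    findings = []
    for group in log_groups:
        days = group.get("retentionInDays")
        if days is not None and days < REQUIRED_RETENTION_DAYS:
            findings.append({"logGroupName": group["logGroupName"], "retentionInDays": days})
    return findings


def check_lifecycle_rules(rules):
    """Flag enabled S3 lifecycle rules that expire current objects before policy.
    Transitions to colder storage classes keep the data, so they are not flagged."""
    findings = []
    for rule in rules:
        if rule.get("Status") != "Enabled":
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days < REQUIRED_RETENTION_DAYS:
            findings.append({"ID": rule.get("ID"), "ExpirationDays": days})
    return findings


def find_daily_gaps(object_keys, start_iso, end_iso):
    """Return {account: [missing ISO dates]} for days in [start, end] that have
    no CloudTrail object at all; those gaps are what an auditor will ask about."""
    seen = {}
    for key in object_keys:
        m = CLOUDTRAIL_KEY.match(key)
        if m:
            seen.setdefault(m["account"], set()).add(date(int(m["y"]), int(m["m"]), int(m["d"])))
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    gaps = {}
    for account, days in seen.items():
        day, missing = start, []
        while day <= end:
            if day not in days:
                missing.append(day.isoformat())
            day += timedelta(days=1)
        gaps[account] = missing
    return gaps


def evidence_snapshot(account_id, log_groups, rules, gaps):
    """Build one account's evidence record plus a SHA-256 over its canonical JSON.
    Storing the digest separately (e.g. in the audit ticket) lets a reviewer
    confirm the archived snapshot was not edited after the fact."""
    record = {
        "account": account_id,
        "required_retention_days": REQUIRED_RETENTION_DAYS,
        "log_group_findings": check_log_group_retention(log_groups),
        "lifecycle_findings": check_lifecycle_rules(rules),
        "cloudtrail_gaps": gaps,
    }
    record["compliant"] = not (
        record["log_group_findings"] or record["lifecycle_findings"]
        or any(record["cloudtrail_gaps"].values())
    )
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return record, hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample data for one account: one short-retention log group, one
# early-expiration rule, and a CloudTrail delivery listing missing 2024-03-03.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/cloudtrail/org-trail"},  # no retentionInDays: never expires
    {"logGroupName": "/aws/lambda/evidence-collector", "retentionInDays": 30},
]
SAMPLE_RULES = [
    {"ID": "expire-after-90d", "Status": "Enabled", "Expiration": {"Days": 90}},
    {"ID": "glacier-after-30d", "Status": "Enabled",
     "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}]},
]
SAMPLE_KEYS = [
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/03/01/111111111111_CloudTrail_us-east-1_20240301T0000Z_a.json.gz",
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/03/02/111111111111_CloudTrail_us-east-1_20240302T0000Z_b.json.gz",
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/03/04/111111111111_CloudTrail_us-east-1_20240304T0000Z_c.json.gz",
]

if __name__ == "__main__":
    gaps = find_daily_gaps(SAMPLE_KEYS, "2024-03-01", "2024-03-04")
    record, digest = evidence_snapshot("111111111111", SAMPLE_LOG_GROUPS, SAMPLE_RULES, gaps)
    print(json.dumps(record, indent=2))
    print("sha256:", digest)
```

Run monthly per account, the snapshot records (and their digests) are the artifact to hand the auditor in place of lifecycle-policy screenshots; the gap check is the part that actually addresses "no gaps, no manual deletions", since a deleted day shows up as a missing date rather than as a configuration change. Note that `find_daily_gaps` only reports accounts that delivered at least one object in the listing, so an account with no CloudTrail objects at all needs a separate "trail is logging" check.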