All posts
June 15, 20263 min read

Audit logging for AI agents on AWS

Audit logging for AI agents on AWS tends to fail in the same few places, and all of them surface at the worst time: during an incident, when you reach for the log and find it cannot answer the question. Start with the mistakes, because the correct design is mostly the result of refusing to make them. The mistakes that bite first * The log lives where the agent can reach it. If audit logging writes to a destination the agent can edit or delete, a compromised agent can erase its own tracks. Th

Free White Paper

K8s Audit Logging + AI Audit Trails: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Audit logging for AI agents on AWS tends to fail in the same few places, and all of them surface at the worst time: during an incident, when you reach for the log and find it cannot answer the question. Start with the mistakes, because the correct design is mostly the result of refusing to make them.

The mistakes that bite first

  • The log lives where the agent can reach it. If audit logging writes to a destination the agent can edit or delete, a compromised agent can erase its own tracks. The log shares the agent's trust boundary, so it fails exactly when you need it.
  • It logs the role, not the task. CloudTrail shows that a role made a call. It does not show which task or which agent drove it when many share a role. The "who" and "why" go missing.
  • It captures successes, not denials. A log that only records actions that happened, and not the ones that were attempted and blocked, hides the most interesting behavior in an investigation.
  • It records the action, not the access. Knowing an object was read is half the story. Whether the access was granted, scoped, and expired is the other half, and most logs never capture it.

Each mistake has the same root: the log is generated too close to the agent and too far from the access decision.

What correct audit logging looks like

Turn each mistake around and the design appears. The log records the access decision, not only the resulting API call. It attributes every action to a distinct agent identity and the task that requested it. It captures denials alongside successes. And it is written by the layer that brokers access, not by the agent that uses it.

That last point is the architectural one. Audit logging is only as trustworthy as the distance between the logger and the logged. If the agent records itself, the log is a claim. If access runs through a boundary the agent cannot reconfigure, and that boundary writes the log, the log is evidence. hoop.dev is built to sit at that boundary: the agent reaches AWS-hosted infrastructure through a Layer 7 access gateway that connects with its own scoped IAM role, access is granted per task, and each session is recorded outside the agent. The learn pages describe how access and recording fit together, and the getting-started docs cover fronting an AWS-hosted resource.

Where the log has to live

Put the audit log on the far side of the access boundary, in a store the agent has no write path to. Pair it with the access record so a single query returns who was granted what, for how long, what they did, and what they were denied. CloudTrail still has a role as an account-level source, but it sits underneath this, not in place of it.

Continue reading? Get the full guide.

K8s Audit Logging + AI Audit Trails: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

This layering matters because the two sources answer different questions. CloudTrail is strong at "what API activity happened in this account," across every principal, including ones that never go near an agent. The boundary log is strong at "what access did this agent identity request, get, and use for this task." An investigation usually starts with the second and drops to the first for corroboration. Keeping both, with the boundary log outside the agent, means you can move between the account view and the agent view without either one depending on the agent telling the truth about itself.

A quick test

Ask your current setup one question: if an agent were fully compromised right now, could it alter or delete the record of what it did? If yes, your audit logging has the first mistake and the rest barely matter. Move the log outside the agent first.

FAQ

Is CloudTrail enough for audit logging of agents?

CloudTrail is a valuable account-level source, but on its own it logs API calls by role, not the task, identity, and access decision behind them. Pair it with logging at the access boundary.

What is the single most important property of an agent audit log?

That the agent cannot alter it. A log inside the agent's reach fails in precisely the scenario you keep logs for.

hoop.dev is open source. To put audit logging at the access boundary in front of AWS, start with the repository on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot