Non-human identity: what it means for your audit trail (on AWS)

In an ideal world every automated job, CI runner, or server‑to‑server script that touches AWS resources leaves an immutable audit trail that ties the action back to a distinct identity. Security teams can answer who ran a query, which pod updated a secret, and exactly when a change occurred without hunting through logs or guessing which credential was used.

Most organizations fall short of that ideal. They create a single IAM role for all build pipelines, store its access key in a shared secret store, and hand the key to dozens of services. The role has broad permissions, and the key is checked into repositories or copied between environments. When a pipeline fails or a rogue container is compromised, there is no way to tell which component performed the offending call because the same credential was used everywhere. The audit trail ends up a flat list of API calls with no attribution to the originating non‑human entity.

Non‑human identity, service accounts, CI tokens, or machine identities, was introduced to give each automated actor a unique principal. That change makes it possible to grant the minimum set of permissions needed for a specific job. However, simply issuing a distinct token does not automatically create a useful audit trail. The request still travels directly from the service to the AWS control plane. Without a control point that records the request, masks sensitive response fields, or requires an approval for risky operations, the audit trail remains incomplete and the organization cannot enforce policy at the moment of access.

Why the audit trail still breaks

The core problem is the lack of a data‑path enforcement layer. The setup, OIDC providers, federated identities, and least‑privilege IAM policies, decides who the request is and whether it may start. It is necessary, but it does not guarantee visibility or protection. When a service account calls the AWS API, the call bypasses any intermediate guardrails. The request reaches the target directly, and the only evidence collected is whatever AWS CloudTrail records, which often lacks context such as the originating host, the exact command line, or masked payloads.

Because the enforcement point is missing, the organization cannot:

Capture a full audit trail that includes request metadata beyond what CloudTrail provides.
Apply inline masking to prevent secrets from appearing in logs.
Require just‑in‑time approval for privileged actions like deleting a production database.
Block dangerous commands before they reach the service.

All of these capabilities must live in the data path, where the request can be inspected and controlled.

Introducing a gateway in the data path

To close the gap, organizations need an identity‑aware proxy that sits between non‑human identities and AWS services. That proxy must verify the token, enforce policy, record every interaction, and forward only approved traffic. hoop.dev provides exactly that architectural layer.

Continue reading? Get the full guide.

Non-Human Identity Management + Audit Trail Requirements: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

The setup remains unchanged: you still define service accounts in your OIDC provider, assign them the minimal IAM policies they need, and configure federation. hoop.dev consumes those tokens to decide who the request is, but the enforcement never happens in the token‑issuing system.

The data path is now the gateway itself. hoop.dev receives the request, inspects the wire‑protocol, and applies the configured guardrails before any traffic reaches the AWS endpoint. Because hoop.dev is the only place where the request can be altered or blocked, all enforcement outcomes are guaranteed to be applied.

Enforcement outcomes that secure the audit trail

hoop.dev records each session, creating a complete audit trail that includes the caller identity, timestamp, command, and response metadata. It masks sensitive fields in responses so that secrets never appear in downstream logs. It can pause a high‑risk operation and route it to a human approver, ensuring that privileged actions are reviewed before execution. It also blocks commands that match a deny list, preventing accidental or malicious damage.

Because hoop.dev sits in the data path, every enforcement outcome is tied to the original non‑human identity. Security teams can query the audit trail to see exactly which service account performed a change, what was approved, and what was masked. The evidence generated by hoop.dev can be used to meet many compliance requirements that call for fine‑grained, immutable audit records for automated processes. Teams can map the recorded sessions to their audit policies, making it straightforward to demonstrate proper controls during assessments.

Getting started

Deploy the gateway using the official Docker Compose quick‑start, configure your OIDC provider, and register each AWS resource you want to protect. Detailed steps are available in the getting‑started guide. The learn section explains how to define policies for masking, approvals, and command blocking.

FAQ

Do I need to change my existing IAM roles?

No. hoop.dev works with the roles you already have. It simply adds a proxy layer that enforces policy and records the audit trail.

Will this add latency to my API calls?

The gateway adds a minimal amount of processing time for inspection and logging. In most environments the impact is negligible compared to the security benefits.

Can I use hoop.dev with other cloud providers?

hoop.dev supports a range of connectors beyond AWS, including databases, Kubernetes, and SSH. The same architectural principles apply across all supported targets.

Explore the source code and contribute on GitHub.