CoursesCompliance as codeEvidence & continuous audit

Audit trails & attestation

Tamper-evident, attested, reusable evidence.

Expert30 min · lesson 9 of 15

Continuous evidence is powerful, but auditors and downstream teams need to trust it — which raises the question of integrity and attestation. The audit trail and signed evidence are what make automated compliance defensible rather than just plentiful.

The audit trail as the backbone

The centralized, immutable audit trail (CloudTrail, Cloud Audit Logs, the Kubernetes audit log, admission decisions) is the backbone of compliance evidence: it records who did what, when, and whether controls fired. For it to be trustworthy it must be tamper-evident — delivered to a locked, separate store an attacker or careless admin cannot alter, ideally with object-lock/retention — because evidence an insider could edit is not evidence at all. This is the same immutable-logging architecture that underpins detection and incident response; in compliance it additionally serves as the proof that your controls operated over the audit period.

evidence integrity, not just quantity
# Evidence is only audit-grade if it is tamper-evident:
# - audit logs → separate, locked log-archive account/project
# - object-lock / retention → write-once, cannot be deleted or edited
# - log-file validation / hashing → tampering is detectable
#
# Attest a compliance evaluation so downstream trusts it without re-running:
# sign the "verified vs policy X at level Y" result (a VSA-style attestation)
# → auditors and other teams trust the decision, checkable by signature.

Attestation and reuse

Beyond raw logs, you can attest compliance decisions — sign a record that "this system/artifact was evaluated against control set X and passed" — so downstream consumers (an auditor, another team, a customer’s security questionnaire) can trust the result without re-deriving it, the same verify-once-trust-downstream pattern used in supply-chain security. Combined with the mapping from checks to control IDs and the immutable trail beneath it, attestation turns a stream of automated evaluations into a coherent, defensible compliance story: controls that enforce themselves, evidence them tamper-evidently, and attest the result. That is the full arc of compliance as code — the enforcement and the proof are the same automated system.

Trustworthy compliance evidence
the trail
immutable, centralized logs
who did what, controls firing
object-lock + validation
tamper-evident
make it reusable
map to control IDs
traceable to requirements
attest decisions (signed)
trust without re-running
Enforcement, tamper-evident evidence, and attested results are one system — the enforcement is the proof.
Editable evidence is not evidence
Compliance evidence that a privileged user could alter or delete — logs in the same account as the workloads, mutable storage — cannot be trusted by an auditor and can be erased by an attacker. Store evidence immutably in a segregated location and, where it matters, attest results with signatures so their integrity is provable, not assumed.