Audit trails & attestation
Tamper-evident, attested, reusable evidence.
Continuous evidence is powerful, but auditors and downstream teams need to trust it — which raises the question of integrity and attestation. The audit trail and signed evidence are what make automated compliance defensible rather than just plentiful.
The audit trail as the backbone
The centralized, immutable audit trail (CloudTrail, Cloud Audit Logs, the Kubernetes audit log, admission decisions) is the backbone of compliance evidence: it records who did what, when, and whether controls fired. For it to be trustworthy it must be tamper-evident — delivered to a locked, separate store an attacker or careless admin cannot alter, ideally with object-lock/retention — because evidence an insider could edit is not evidence at all. This is the same immutable-logging architecture that underpins detection and incident response; in compliance it additionally serves as the proof that your controls operated over the audit period.
# Evidence is only audit-grade if it is tamper-evident:# - audit logs → separate, locked log-archive account/project# - object-lock / retention → write-once, cannot be deleted or edited# - log-file validation / hashing → tampering is detectable## Attest a compliance evaluation so downstream trusts it without re-running:# sign the "verified vs policy X at level Y" result (a VSA-style attestation)# → auditors and other teams trust the decision, checkable by signature.
Attestation and reuse
Beyond raw logs, you can attest compliance decisions — sign a record that "this system/artifact was evaluated against control set X and passed" — so downstream consumers (an auditor, another team, a customer’s security questionnaire) can trust the result without re-deriving it, the same verify-once-trust-downstream pattern used in supply-chain security. Combined with the mapping from checks to control IDs and the immutable trail beneath it, attestation turns a stream of automated evaluations into a coherent, defensible compliance story: controls that enforce themselves, evidence them tamper-evidently, and attest the result. That is the full arc of compliance as code — the enforcement and the proof are the same automated system.