# Agent Cloud Audit Logs and IAM Change History

- Status: public
- Confidence: medium (0.725) (verified)
- Last verified: 2026-06-03
- Generation: ai_structured

## TL;DR

Agents that troubleshoot access, deletions, policy drift, or production changes should inspect cloud audit logs before guessing who changed what.

## Core Explanation

Cloud audit logs capture management-plane and, when enabled, data-plane activity. They are often the only reliable way to connect an observed failure to an IAM policy edit, service-account use, role assumption, resource deletion, or console/API action.

An agent should collect the provider, account or project, resource scope, principal, event name, timestamp range, request ID, source IP, user agent, status, and retention window. The trace should also note whether data-access logging was enabled, because many high-value reads are often not logged by default.

## Source-Mapped Facts

- AWS CloudTrail documentation says actions taken by a user, role, or AWS service are recorded as events in CloudTrail. ([source](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html))
- Google Cloud Audit Logs documentation says Admin Activity audit logs record user-driven API calls or other actions that modify resource configuration or metadata. ([source](https://docs.cloud.google.com/logging/docs/audit))
- Microsoft Azure Activity Log documentation says Azure retains activity log events for 90 days by default before deleting them. ([source](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log))

## Further Reading

- [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html)
- [Google Cloud Audit Logs Overview](https://docs.cloud.google.com/logging/docs/audit)
- [Azure Activity Log](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log)
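## Worked Example

The field list in the Core Explanation, applied to AWS CloudTrail records, as an added example that is not part of the original page: it normalizes each record to the trace fields, filters IAM/STS management events to a time window, and checks whether any data-plane events were logged at all. The CloudTrail key names (`eventSource`, `userIdentity`, `errorCode`, `eventCategory`) are the documented record fields; the account id, ARNs, IP addresses, request ids and timestamps in the sample are constructed placeholders.

```python
import json
from datetime import datetime

# Constructed sample CloudTrail records (not from the page); the account id,
# ARNs, IP addresses and request ids are placeholders.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-30T10:15:02Z", "eventCategory": "Management",
     "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "requestID": "req-0001",
     "recipientAccountId": "111122223333", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"}},
    {"eventTime": "2026-05-30T10:20:45Z", "eventCategory": "Data",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-sdk-go/1.44", "requestID": "req-0002",
     "recipientAccountId": "111122223333", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

def _ts(iso):  # CloudTrail timestamps are UTC with a trailing Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def normalize(record):
    """Reduce one record to the fields the trace should carry (see Core Explanation)."""
    return {
        "provider": "aws",
        "account": record.get("recipientAccountId"),
        "scope": record.get("awsRegion"),
        "principal": record.get("userIdentity", {}).get("arn"),
        "event": f"{record.get('eventSource')}:{record.get('eventName')}",
        "time": record["eventTime"],
        "request_id": record.get("requestID"),
        "source_ip": record.get("sourceIPAddress"),
        "user_agent": record.get("userAgent"),
        # CloudTrail omits errorCode on success, so its absence means the call succeeded.
        "status": record.get("errorCode", "Success"),
    }

def iam_changes(trail_json, start_iso, end_iso):
    """Management-plane IAM/STS events inside [start, end], oldest first."""
    lo, hi = _ts(start_iso), _ts(end_iso)
    hits = [normalize(r) for r in json.loads(trail_json)["Records"]
            if r.get("eventSource") in ("iam.amazonaws.com", "sts.amazonaws.com")
            and lo <= _ts(r["eventTime"]) <= hi]
    return sorted(hits, key=lambda e: e["time"])

def data_logging_seen(trail_json):
    """True if any Data-category event is present, i.e. data-access logging was enabled."""
    return any(r.get("eventCategory") == "Data" for r in json.loads(trail_json)["Records"])
```

An empty result from `iam_changes` inside the window, combined with `data_logging_seen` returning False, is itself a finding: the trace should record that the change may lie outside the retained window or in an unlogged plane rather than conclude that nothing changed.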