CloudAgent gives you AI agents that manage your cloud infrastructure. They handle tasks like security compliance, cost optimization, deployments, and monitoring. You remain in control as agents show you their plans, wait for your approval, then execute. Think of it as having a cloud operations team that works 24/7 without needing to hire an army of cloud experts.

How can AI agents be trusted with production cloud infrastructure?

You stay in control through approval workflows where every infrastructure change can require human approval before execution, custom security controls with granular access rules, complete audit trails of every action, self-hosted deployment options, and progressive trust models starting with read-only access.

How does it actually reduce costs?

CloudAgent agents delete unused resources, schedule non-production shutdowns, right-size infrastructure based on usage patterns, and recommend architectural optimizations. Early customers report 15-40% cost reduction within 90 days. Unlike dashboards, CloudAgent actually fixes the problems.

1. Assessment

Enumerate CloudTrail trails and record validation state
Check logging status and S3 for digest (validation) files
User: select trails and provide constraints/approval

2. Configuration

Enable log file validation on approved trails

3. Validation

Verify validation enabled and digest files are delivered

1 Credits

Enable CloudTrail Log File Validation

Overview

Enable CloudTrail log file validation on your existing trails to detect tampering of delivered logs. This plan will discover and inventory all visible CloudTrail trails, evaluate their readiness (including S3 delivery targets, cross-account concerns, and current validation state), guide you through selecting which trails to modify and any constraints or maintenance windows, perform the safe enablement of log-file validation (honoring concurrency/version tokens and user constraints), and verify that digest (validation) files are being delivered. The process produces machine-readable inventories, change logs, verification evidence, and actionable remediation guidance for any failures.

Execution Details

High-level phases and the main tasks performed in each phase.

Assessment

Enumerate all CloudTrail trails visible in the target account/region (including organization-level trails), handling pagination and recording API metadata (request IDs, timestamps).
For each trail capture essential metadata: TrailName, TrailARN, HomeRegion, owning account ID, IsMultiRegionTrail, IsOrganizationTrail, LoggingEnabled, IsLogFileValidationEnabled (explicit), creation/last-updated timestamps, tags, and any service error/delivery status indicators.
Record delivery targets and access details: S3 bucket name and resolvable ARN, S3KeyPrefix for logs/digests, SNS topic ARN, trail role ARN and assume-role metadata.
Capture event/insight selectors and settings that affect object layout (IncludeGlobalServiceEvents, InsightSelectors, EventSelectors/AdvancedEventSelectors, DataResource selectors).
Detect and enumerate blockers or special-handling needs (examples: organization-level approvals required, LoggingEnabled==false, missing or unwritable S3 bucket, absent trail role, governance tags that forbid changes, explicit deny statements).
Produce a structured inventory entry per trail that includes readiness boolean, explicit blockers list, raw API excerpts where permitted, and API metadata for concurrency/version checks.
Summarize metrics (totals: discovered trails, already validated, logging-disabled, org trails, unresolved buckets, flagged for manual review) and persist inventory and raw responses for audit and downstream steps.

Check logging status and digest presence

For every trail in the inventory, confirm current LoggingEnabled state and capture service responses and timestamps.
Resolve S3 bucket and prefix for each trail (record failures where bucket is unresolved).
List objects under the trail’s prefix and known CloudTrail digest paths to detect existing digest files; record matching logic used.
For detected digest objects capture object key, last modified time, size, storage class, and server-side encryption metadata.
Determine recency against a configurable window (default example: last 7 days) and flag recent vs. stale digest evidence.
Record access anomalies for cross-account buckets (AccessDenied, NoSuchBucket, etc.) including API error details and request IDs.
If validation is enabled but no digest files are present, record the discrepancy and gather historical object metadata where available.
Produce per-trail machine-readable reports summarizing LoggingEnabled, IsLogFileValidationEnabled, S3 details, sample digest objects with metadata, recency flags, and access anomalies; supply summary counts across trails.

User selection and approval

Deliver the consolidated inventory and per-trail reports to you so you can make informed choices.
Guide you to select exact TrailARNs authorized for modification and collect any preferred ordering of changes.
Collect per-trail constraints and approvals: whether enabling validation is allowed only when LoggingEnabled==true (or whether the agent may enable logging first), whether to skip cross-account buckets, explicit exclusions, and fallback behavior if enabling validation fails.
Capture operational preferences: change windows/maintenance windows, blackout windows, requirement for post-change digest verification, retry behavior for transient failures, and escalation/contact info.
Require acceptance of impacts and risk acknowledgement (brief interruption risk, S3 access needs, audit trail).
Produce an explicit machine-readable approval record including approver identity, timestamp, approved TrailARNs, constraints, and any conditional approvals.

Configuration (enable validation)

For each approved trail, confirm it still appears in the inventory and that readiness matches the user’s allowances; flag inventory drift if present.
Re-verify LoggingEnabled; if LoggingEnabled==false and user approval allows, prepare to enable logging and record prior state for audit.
Obtain and use any concurrency/version tokens (ETag or service-provided tokens) to avoid overwriting concurrent updates; record tokens used.
Prepare update payloads to set the log-file validation flag to enabled, documenting prior values for audit and ensuring complementary fields are preserved per user constraints.
If required by sequence or user preference, enable logging first and confirm LoggingEnabled==true before enabling validation.
Apply updates to enable log-file validation, capturing service responses, request IDs, timestamps, and full response bodies for auditing.
Log a detailed change entry per trail: TrailARN, previous/new validation state, whether logging was changed, API request IDs/timestamps, and concurrency tokens used.
On failures capture full error details, mark trail as failed, include recommended next steps, and continue with other approved trails unless stop-on-error was requested.
After each update re-fetch the trail configuration to confirm the intended state persisted and attach confirmation responses to the change log.
Produce a machine-readable change-result summary per trail recording outcome, prior/new settings, logging changes performed, and any error details.

Validation (post-change verification)

For every trail updated, re-retrieve CloudTrail configuration and confirm IsLogFileValidationEnabled==true, capturing API responses and metadata.
Resolve S3 bucket/prefix and list objects created after the change time to detect new digest files; capture sample object keys, timestamps, sizes, and SSE/KMS metadata.
Verify at least one digest object exists that was created after the change (or verify recent digest presence if validation was previously active), and document how recency was determined.
If S3 listings fail due to permissions, capture exact error messages and request IDs and provide explicit remediation steps (bucket policy updates, contact bucket owner, etc.) and mark trail for manual follow-up.
If validation is enabled but no digest files are observed within the expected window, flag for investigation and include likely causes and next steps.
Produce a final machine-readable verification report per trail containing: TrailARN, final validation state, digest evidence (object metadata), API call IDs/timestamps, cross-reference to the change-result, and status (Verified / Needs Manual Remediation).
For trails needing manual remediation, include concrete corrective recommendations (re-check logging, inspect bucket policy/permissions, contact bucket owner, re-run enablement, or open support ticket) and attach the relevant API evidence.

Outputs and audit evidence

Persisted structured inventory and raw API responses for auditing and concurrency checks.
Per-trail reports for digest detection and access anomalies.
Machine-readable approval record capturing all user constraints and consent.
Detailed change logs with API request/response evidence and version tokens used.
Final verification report per trail with digest evidence and remediation guidance.
Summary metrics: counts of discovered trails, validated trails, logging-disabled trails, org-level trails, unresolved buckets, and trails needing manual review.

Safety and operational notes

The flow emphasizes non-destructive checks first, explicit approvals before changes, use of concurrency/version tokens to prevent race conditions, and capturing comprehensive request/response evidence for auditability.
Cross-account buckets and organization-level trails may require coordination with bucket owners or org admins; such blockers are surfaced during assessment and must typically be resolved before automated changes proceed.
Where users permit, the plan can enable logging prior to enabling validation, but this is only done under explicit approval and with prior-state recording for rollback or audit.