When a security incident breaks out, the first question you ask is "who did what, when." Did the intruder create an IAM user? Change an S3 bucket to public? Open a security group to 0.0.0.0/0? If you can't reconstruct this precisely, incident response falls into the realm of guesswork. But there's an even scarier scenario: after hijacking permissions, the intruder erases the logs of their own actions. If an audit log can be modified or deleted by the actor themselves, that log loses its evidentiary value in court and in post-incident analysis alike. So the most important design goal of an audit logging system isn't "record" — it's "make it so that no one — not even root — can alter the records after the fact."