Skip to content
Threat Feed
medium advisory

AWS CloudTrail Logging Evasion via Oversized IAM Policies

Attackers evade AWS CloudTrail logging by padding IAM policy documents with whitespace, exceeding logging size limits and obscuring unauthorized changes to IAM policies.

This brief addresses a defense evasion technique targeting AWS CloudTrail logging. Specifically, attackers can manipulate IAM policy documents by adding excessive whitespace (spaces, tabs, line breaks) to inflate their size beyond CloudTrail's logging limits (102,401 to 131,072 characters). When these oversized policies are created, modified, or attached via IAM API calls, CloudTrail omits the full policy content and logs "requestParameters too large" instead, thus creating a blind spot for security monitoring. This evasion allows threat actors to make unauthorized changes to IAM permissions without detailed logging, potentially leading to privilege escalation, data exfiltration, or other malicious activities. This technique impacts organizations relying on CloudTrail for auditing and compliance.

Attack Chain

  1. An attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.
  2. The attacker identifies an IAM role or user whose permissions they want to modify.
  3. The attacker crafts a malicious IAM policy granting the desired permissions (e.g., broader access to S3 buckets, EC2 instances, or other AWS resources).
  4. Before applying the policy, the attacker pads the policy document with significant whitespace to increase its size beyond CloudTrail's logging threshold.
  5. The attacker uses IAM API calls (e.g., CreatePolicy, PutRolePolicy, AttachRolePolicy) to apply the oversized policy to the target IAM role or user.
  6. CloudTrail logs the API call but omits the full policy content due to its excessive size, recording "requestParameters too large" and omitted: true.
  7. The attacker leverages the newly granted permissions to perform unauthorized actions within the AWS environment.
  8. Because the full policy change was not logged, security monitoring systems relying on CloudTrail may not detect the malicious activity, allowing the attacker to persist and achieve their objectives.

Impact

Successful exploitation of this technique allows attackers to bypass CloudTrail logging, obscuring unauthorized IAM permission changes. Organizations relying on CloudTrail for auditing and compliance may fail to detect malicious activity, potentially leading to privilege escalation, data exfiltration, or other detrimental impacts. The lack of complete logging hinders incident response and forensic investigations, increasing the dwell time of attackers within the AWS environment.

Recommendation

  • Deploy the Sigma rule "AWS CloudTrail IAM Policy Logging Evasion" to detect IAM API calls where requestParameters.reason is "requestParameters too large" and requestParameters.omitted is true (rule).
  • Enable AWS CloudTrail logging in all regions and ensure log integrity by enabling CloudTrail log file validation.
  • Investigate any alerts generated by the Sigma rule by examining the user, source IP, and affected IAM resources. Review associated AWS Config configurations for changes to IAM policies.
  • Implement compensating controls, such as periodic reviews of IAM policies, to identify and remediate overly permissive permissions.
  • Monitor for unexpected API calls associated with the user account during the past 48 hours to uncover related malicious activity.

Detection coverage 2

AWS CloudTrail IAM Policy Logging Evasion

medium

Detects IAM API calls with oversized request parameters indicating potential logging evasion.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, aws

AWS CloudTrail Large Request Parameter Volume

low

Detects a high volume of CloudTrail events with large request parameters, potentially indicating an attempt to flood logging.

sigma tactics: defense_evasion techniques: T1562.008 sources: cloudtrail, aws

Detection queries are available on the platform. Get full rules →