AWS CloudTrail Trail Deletion Detected
Detection of AWS CloudTrail trail deletion via the DeleteTrail API indicates potential defense evasion and destruction of audit logging.
This threat brief focuses on the detection of the DeleteTrail API call within AWS CloudTrail logs. The deletion of a CloudTrail trail is a significant event, as it impairs an organization's ability to monitor and audit activities within its AWS environment. This action is often associated with threat actors attempting to evade detection or cover their tracks after performing unauthorized activities. The rule from Elastic was last updated on April 10, 2026, and it is crucial for defenders to monitor for this activity, investigate any occurrences promptly, and ensure that logging is restored to maintain visibility and compliance. This is especially critical in organizations that rely on CloudTrail for security monitoring and compliance purposes.
Attack Chain
- An attacker gains unauthorized access to an AWS account, potentially through compromised credentials or exploiting a vulnerability.
- The attacker identifies the active CloudTrail trails in the AWS environment.
- The attacker uses the AWS CLI or API to call the
StopLoggingAPI on the targeted CloudTrail trail(s) to cease log collection. - The attacker invokes the
DeleteTrailAPI, specifying the name or ARN of the CloudTrail trail to be deleted. - AWS CloudTrail records the
DeleteTrailevent with anevent.outcomeof "success". - The CloudTrail trail is removed, and logging ceases, preventing further activity from being recorded in that trail.
- The attacker performs other malicious actions within the AWS environment (e.g., modifying IAM policies, launching EC2 instances, or accessing S3 buckets) without those actions being logged.
Impact
Successful deletion of CloudTrail trails can lead to a significant loss of visibility into an AWS environment. Without CloudTrail logs, organizations are unable to detect and respond to security incidents effectively, hindering forensic investigations and compliance efforts. This can result in delayed detection of breaches, increased dwell time for attackers, and potentially severe data loss or system compromise. The impact is especially high in regulated industries where maintaining a comprehensive audit trail is a requirement.
Recommendation
- Deploy the Sigma rule
AWS CloudTrail Trail Deletedto your SIEM, and tune it based on your environment. - Investigate any alerts generated by the
AWS CloudTrail Trail DeletedSigma rule, focusing on the user identity (aws.cloudtrail.user_identity.arn), source IP (source.ip), and affected trail (aws.cloudtrail.request_parameters). - Restrict
cloudtrail:DeleteTrailpermissions using IAM policies to limit who can delete trails. - Implement AWS Config rules or Service Control Policies (SCPs) to prevent unauthorized trail deletions.
- Monitor CloudWatch logs for CloudTrail events to ensure logging integrity.
Detection coverage 2
AWS CloudTrail Trail Deleted
mediumDetects deletion of an AWS CloudTrail trail via the DeleteTrail API.
AWS CloudTrail StopLogging API Call
mediumDetects calls to the StopLogging API which stops CloudTrail logging.
Detection queries are available on the platform. Get full rules →