AWS CloudTrail Log Updated
Adversaries can modify AWS CloudTrail configurations via the UpdateTrail API to reduce logging visibility, change log destinations, or weaken integrity, aiming to evade detection by preventing critical audit information from being collected or stored properly.
What's new
- l1 OS kali linux Jul 15, 14:11 via elastic
Adversaries often seek to impair an organization's ability to monitor their activities, and modifying logging configurations is a key tactic. This threat involves the use of the AWS CloudTrail UpdateTrail API call by malicious actors to alter existing CloudTrail configurations. These modifications can include changing the S3 bucket where logs are stored, redirecting logs to a different CloudWatch Logs log group, modifying the KMS Key ID used for encryption, or disabling critical features like multi-region logging or the inclusion of global service events. The primary goal is to reduce visibility into their actions, weaken logging integrity, and evade detection by security monitoring systems. This technique allows attackers to maintain a facade of logging while preventing crucial audit data from being captured, making it harder for defenders to trace their activities.
Attack Chain
[Attack Chain is omitted as the source only describes a single, specific API action for defense evasion, not a multi-step sequence from initial access to impact.]
Impact
Successful modification of AWS CloudTrail logs can severely degrade an organization's security posture by creating blind spots in audit trails. If an attacker successfully reconfigures CloudTrail, security teams may lose critical visibility into API calls and other events within their AWS environment, especially during a period of active compromise. This lack of logging hinders incident response, forensic analysis, and compliance efforts, potentially allowing attackers to maintain persistence, exfiltrate data, or deploy further malicious payloads undetected. The integrity of past and future audit data is compromised, making it difficult to assess the full scope of a breach or to prove compliance with regulatory requirements.
Recommendation
- Deploy the
AWS CloudTrail Log UpdatedSigma rule to detect any modifications to CloudTrail configurations. - Investigate all alerts from the
AWS CloudTrail Log Updatedrule by examining theaws.cloudtrail.user_identity.arn,user_agent.original, andsource.ipfields to verify if the user identity, user agent, or hostname involved in theUpdateTrailcall is authorized to make such changes. - Review the
aws.cloudtrail.request_parametersfor specific changes toS3BucketName,CloudWatchLogsLogGroupArn,KmsKeyId,IsMultiRegionTrail, orIncludeGlobalServiceEventsto understand the exact nature of the modification. - Correlate
UpdateTrailevents with precedingStopLoggingor subsequentDeleteTrailAPI calls to identify more severe attempts to disable logging entirely. - Harden your AWS environment by constraining
cloudtrail:UpdateTrailpermissions to only authorized roles or users and require approval workflows for any CloudTrail configuration changes. Implement AWS Config rules to monitor for unauthorized modifications to CloudTrail trails.
Detection coverage 1
AWS CloudTrail Log Updated
highDetects updates to an existing CloudTrail trail via UpdateTrail API which may reduce visibility, change destinations, or weaken integrity (e.g., removing global events, moving the S3 destination, or disabling validation). Adversaries can modify trails to evade detection while maintaining a semblance of logging. Validate any configuration change against approved baselines.
Detection queries are available on the platform. Get full rules →