{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/identity-and-access-management-iam/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CloudTrail","Identity and Access Management (IAM)"],"_cs_severities":["medium"],"_cs_tags":["cloudtrail","aws","iam","defense-evasion","cloud"],"_cs_type":"advisory","_cs_vendors":["Amazon Web Services"],"content_html":"\u003cp\u003eThis brief addresses a defense evasion technique targeting AWS CloudTrail logging. Specifically, attackers can manipulate IAM policy documents by adding excessive whitespace (spaces, tabs, line breaks) to inflate their size beyond CloudTrail's logging limits (102,401 to 131,072 characters). When these oversized policies are created, modified, or attached via IAM API calls, CloudTrail omits the full policy content and logs \u0026quot;requestParameters too large\u0026quot; instead, thus creating a blind spot for security monitoring. This evasion allows threat actors to make unauthorized changes to IAM permissions without detailed logging, potentially leading to privilege escalation, data exfiltration, or other malicious activities. This technique impacts organizations relying on CloudTrail for auditing and compliance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an AWS account, potentially through compromised credentials or an exploited vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies an IAM role or user whose permissions they want to modify.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious IAM policy granting the desired permissions (e.g., broader access to S3 buckets, EC2 instances, or other AWS resources).\u003c/li\u003e\n\u003cli\u003eBefore applying the policy, the attacker pads the policy document with significant whitespace to increase its size beyond CloudTrail's logging threshold.\u003c/li\u003e\n\u003cli\u003eThe attacker uses IAM API calls (e.g., \u003ccode\u003eCreatePolicy\u003c/code\u003e, \u003ccode\u003ePutRolePolicy\u003c/code\u003e, \u003ccode\u003eAttachRolePolicy\u003c/code\u003e) to apply the oversized policy to the target IAM role or user.\u003c/li\u003e\n\u003cli\u003eCloudTrail logs the API call but omits the full policy content due to its excessive size, recording \u0026quot;requestParameters too large\u0026quot; and \u003ccode\u003eomitted: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly granted permissions to perform unauthorized actions within the AWS environment.\u003c/li\u003e\n\u003cli\u003eBecause the full policy change was not logged, security monitoring systems relying on CloudTrail may not detect the malicious activity, allowing the attacker to persist and achieve their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique allows attackers to bypass CloudTrail logging, obscuring unauthorized IAM permission changes. Organizations relying on CloudTrail for auditing and compliance may fail to detect malicious activity, potentially leading to privilege escalation, data exfiltration, or other detrimental impacts. The lack of complete logging hinders incident response and forensic investigations, increasing the dwell time of attackers within the AWS environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;AWS CloudTrail IAM Policy Logging Evasion\u0026quot; to detect IAM API calls where \u003ccode\u003erequestParameters.reason\u003c/code\u003e is \u0026quot;requestParameters too large\u0026quot; and \u003ccode\u003erequestParameters.omitted\u003c/code\u003e is true (rule).\u003c/li\u003e\n\u003cli\u003eEnable AWS CloudTrail logging in all regions and ensure log integrity by enabling CloudTrail log file validation.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the user, source IP, and affected IAM resources. Review associated AWS Config configurations for changes to IAM policies.\u003c/li\u003e\n\u003cli\u003eImplement compensating controls, such as periodic reviews of IAM policies, to identify and remediate overly permissive permissions.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected API calls associated with the user account during the past 48 hours to uncover related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cloudtrail-logging-evasion/","summary":"Attackers evade AWS CloudTrail logging by padding IAM policy documents with whitespace, exceeding logging size limits and obscuring unauthorized changes to IAM policies.","title":"AWS CloudTrail Logging Evasion via Oversized IAM Policies","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cloudtrail-logging-evasion/"}],"language":"en","title":"CraftedSignal Threat Feed - Identity and Access Management (IAM)","version":"https://jsonfeed.org/version/1.1"}