CloudTrail Tampering
Techniques for avoiding CloudTrail detection
Overview
Almost everything in AWS is an API call under the hood and can be logged by CloudTrail, making it difficult for attackers to stay hidden. Trails are Regional resources and can be individually enabled for an AWS account or set up via AWS Organizations for all accounts and/or Regions in the Organization. Therefore, if logging can be disabled or otherwise compromised, an attacker can better stay hidden.
CloudTrail management event history stays enabled regardless of the techniques below and records control-plane events from the past 90 days.
For defenders, review the actions below and restrict them, e.g. via a Service Control Policy (SCP).
Tampering
Service
cloudtrail:DeleteTrail
Deletes the CloudTrail trail entirely, stopping all logging and visibility into account activity.
cloudtrail:PutEventSelectors
Modifies Event Selectors or Advanced Event Selectors, changing what data the trail captures and potentially reducing visibility.
cloudtrail:StopLogging
Stops logging for the trail, disabling the recording of account activity.
cloudtrail:UpdateTrail
Alters trail configuration, which can weaken logging, change destinations, or reduce coverage of events.
Related Resources
S3 Bucket
Since CloudTrail logs are stored in an S3 bucket, an attacker can delete or modify the bucket.
s3:DeleteObject
Deletes objects in the bucket where logs are stored, effectively removing historical logs.
s3:DeleteBucket
Deletes the bucket containing logs, preventing storage of future logs.
s3:PutBucketPolicy
Updates the bucket policy to block the service from writing logs.
s3:PutLifecycleConfiguration
Changes the bucket lifecycle to automatically delete logs, reducing historical visibility.
IAM Role
CloudTrail relies on a service-linked IAM Role, AWSServiceRoleForCloudTrail.
The role is only assumable by the CloudTrail service, and you cannot modify the trust policy of a service-linked role.
iam:DeleteRole
Deleting the role would cause loss of logging. Note that the role cannot be deleted unless all related CloudTrail resources are deleted first.
SNS Topic
CloudTrail can have an SNS topic for message delivery; an attacker can delete or modify the topic.
sns:DeleteTopic
Deleting the SNS topic may disrupt detections.
sns:Unsubscribe
Unsubscribing from alerts may disrupt detections.
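The actions listed above also make a compact detection list: any one of them appearing in the management event history (including attempts that an SCP denied) deserves an alert. The following is an added example, not part of the original page, that scans CloudTrail records for those event names; the log records and account/principal identifiers are constructed placeholders.

```python
"""Flag CloudTrail management events matching the tampering actions on this
page. The sample records below are constructed, not real log data."""
import json

# eventSource -> eventNames to alert on (derived from the actions listed above).
# CloudTrail names the bucket-level lifecycle call PutBucketLifecycle; both
# spellings are kept so the list matches either. s3:DeleteObject is a *data*
# event and only appears in the log if data events are enabled for the bucket.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"DeleteTrail", "StopLogging", "UpdateTrail",
                                 "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "PutBucketPolicy", "PutBucketLifecycle",
                         "PutBucketLifecycleConfiguration", "DeleteObject"},
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
    "iam.amazonaws.com": {"DeleteRole"},
}

def find_tampering(records):
    """Return (actor, eventName, outcome) for each record on the list.
    outcome is 'denied' when the call was blocked (e.g. by an SCP), otherwise
    'succeeded'; denied attempts are still surfaced because they are signal."""
    hits = []
    for rec in records:
        names = TAMPER_EVENTS.get(rec.get("eventSource"), set())
        if rec.get("eventName") not in names:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        denied = rec.get("errorCode", "").endswith("AccessDenied")
        hits.append((actor, rec["eventName"], "denied" if denied else "succeeded"))
    return hits

def scan_log(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and scan it."""
    return find_tampering(json.loads(log_text)["Records"])

# Constructed sample log: one denied StopLogging, one benign read, one
# successful lifecycle change. Account id and principal names are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
     "errorCode": "AccessDenied"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-role"}},
]})

if __name__ == "__main__":
    for actor, name, outcome in scan_log(SAMPLE_LOG):
        print(f"{outcome:9} {name:20} by {actor}")
```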