# CloudTrail Tampering

## Overview

Almost everything in AWS is an API call under the hood, and CloudTrail can log those calls, which makes it hard for an attacker to stay hidden. A trail is created in one Region and logs either that Region alone or every Region (a multi-Region trail); it can be enabled for a single account or created as an organization trail through AWS Organizations to cover every account in the Organization. If logging can be disabled or otherwise compromised, an attacker can therefore stay hidden more easily.

{% hint style="warning" %}
CloudTrail **Event history** always keeps the most recent 90 days of management (control-plane) events for a Region, regardless of the techniques below; it cannot be disabled, and the tampering calls themselves (for example `StopLogging` or `DeleteTrail`) are recorded there. What the techniques below take away is long-term retention, delivery to S3 and CloudWatch Logs, and data events.
{% endhint %}

{% hint style="info" %}
For defenders, review the actions below, restrict them (for example with a Service Control Policy (SCP)), and alert on them: apart from `s3:DeleteObject`, which is a data event, each one is recorded as a management event together with the calling identity and source IP.
{% endhint %}
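As an added example (not part of the original page), the following Python builds an SCP that denies the actions listed on this page to everyone except a break-glass role, and includes a small evaluator for checking what the policy denies before it is attached. The role name `CloudTrailAdmin`, the bucket `org-cloudtrail-logs` and the topic ARN are assumed names. Two caveats carry over from how SCPs work: they never apply to the Organization's management account, and the evaluator models only the wildcard and `aws:PrincipalArn` matching this policy uses, not the full IAM evaluation logic.

```python
"""Generate an SCP for the tampering actions on this page and check what it denies.
Added example, not from the original page; the break-glass role, log bucket
and topic ARN below are assumed names used for illustration."""
import fnmatch
import json

BREAK_GLASS_ROLE = "arn:aws:iam::*:role/CloudTrailAdmin"                # assumption
LOG_BUCKET = "org-cloudtrail-logs"                                       # assumption
LOG_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:cloudtrail-notify"   # assumption
# Service-linked roles live under the aws-service-role/<service> path.
CLOUDTRAIL_SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
                      "cloudtrail.amazonaws.com/AWSServiceRoleForCloudTrail")


def build_scp():
    """Return the SCP document. Each Deny carries a StringNotLike condition on
    aws:PrincipalArn so the break-glass role can still administer logging."""
    unless_break_glass = {"StringNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyTrailTampering", "Effect": "Deny",
             "Action": ["cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors",
                        "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
             "Resource": "*", "Condition": unless_break_glass},
            # Scoped to the log bucket so ordinary S3 use elsewhere is untouched.
            {"Sid": "DenyLogBucketTampering", "Effect": "Deny",
             "Action": ["s3:DeleteObject", "s3:DeleteBucket",
                        "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
             "Resource": [f"arn:aws:s3:::{LOG_BUCKET}", f"arn:aws:s3:::{LOG_BUCKET}/*"],
             "Condition": unless_break_glass},
            {"Sid": "DenyCloudTrailRoleDeletion", "Effect": "Deny",
             "Action": "iam:DeleteRole", "Resource": CLOUDTRAIL_SLR_ARN,
             "Condition": unless_break_glass},
            {"Sid": "DenyTopicDeletion", "Effect": "Deny",
             "Action": "sns:DeleteTopic", "Resource": LOG_TOPIC_ARN,
             "Condition": unless_break_glass},
            # sns:Unsubscribe acts on a subscription ARN rather than the topic, so it
            # is denied on "*" here (assumption); narrow it if that is too broad.
            {"Sid": "DenyUnsubscribe", "Effect": "Deny",
             "Action": "sns:Unsubscribe", "Resource": "*",
             "Condition": unless_break_glass},
        ],
    }


def _match(patterns, value, ignore_case=False):
    """IAM-style wildcard match of one value against one pattern or a list."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:  # action names are case-insensitive, ARNs are not
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def is_denied(policy, principal_arn, action, resource):
    """True when a Deny statement matches the request and the principal is not
    exempted by its aws:PrincipalArn condition. Only the evaluation this SCP
    relies on is modelled (wildcards plus StringNotLike on aws:PrincipalArn);
    remember that SCPs never apply to the Organization's management account."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not _match(stmt["Action"], action, ignore_case=True):
            continue
        if not _match(stmt["Resource"], resource):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn")
        if exempt is not None and _match(exempt, principal_arn):
            continue  # StringNotLike is false for the break-glass role: no Deny
        return True
    return False


if __name__ == "__main__":
    scp = build_scp()
    print(json.dumps(scp, indent=2))
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
    for who in ("arn:aws:iam::111122223333:role/Developer",
                "arn:aws:iam::111122223333:role/CloudTrailAdmin"):
        print(who, "-> StopLogging denied:", is_denied(scp, who, "cloudtrail:StopLogging", trail))
```

The S3 statement is deliberately limited to the log bucket ARN and its objects; a Deny on `s3:DeleteObject` for `*` would break every workload in the Organization. `aws:PrincipalArn` resolves to the role ARN for an assumed-role session, which is why the exemption pattern uses the role ARN rather than an `arn:aws:sts::...:assumed-role/...` form.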

## Tampering

### Service

| Action                         | Description                                                                                                                                                                                                                              |
| ------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `cloudtrail:DeleteTrail`       | Deletes the trail entirely, removing its configuration and stopping delivery of all future events.                                                                                                                                      |
| `cloudtrail:PutEventSelectors` | Replaces the trail's Event Selectors or Advanced Event Selectors, for example dropping data events, excluding management events, or switching `readWriteType` to `ReadOnly`, so that fewer events are captured.                          |
| `cloudtrail:StopLogging`       | Stops logging while leaving the trail in place; `aws cloudtrail get-trail-status --name <trail>` then reports `IsLogging: false`.                                                                                                        |
| `cloudtrail:UpdateTrail`       | Alters the trail configuration: point it at an attacker-controlled bucket, turn off log file validation or multi-Region logging, or remove CloudWatch Logs and SNS delivery, which weakens or redirects logging without stopping it.     |

### Related Resources

#### S3 Bucket

CloudTrail delivers log files to an S3 bucket under the `AWSLogs/<account-id>/CloudTrail/` prefix, so an attacker with write access to that bucket can remove history or stop future delivery. `s3:DeleteBucket` only succeeds on an empty bucket, so deleting it means emptying it first, which is a noisy sequence of events if data events are logged. The bucket policy must also keep granting `s3:PutObject` to `cloudtrail.amazonaws.com`; if it stops doing so, the trail keeps running but `aws cloudtrail get-trail-status` reports a `LatestDeliveryError`. The actions are listed with their IAM names (`s3:`), which is what an SCP or identity policy must reference.

| Action                           | Description                                                                                                                                                           |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `s3:DeleteObject`                | Deletes log objects, removing historical logs. With versioning enabled this only adds a delete marker, and S3 Object Lock prevents removal outright.                   |
| `s3:DeleteBucket`                | Deletes the (emptied) bucket, so future log files have nowhere to go.                                                                                                  |
| `s3:PutBucketPolicy`             | Rewrites the bucket policy so that `cloudtrail.amazonaws.com` is no longer allowed to write, causing delivery to fail while the trail still appears to be logging.     |
| `s3:PutLifecycleConfiguration`   | Adds a lifecycle rule that expires objects after a short period, quietly shrinking historical visibility.                                                             |

#### IAM Role

CloudTrail uses the service-linked IAM role `AWSServiceRoleForCloudTrail` for organization trails (an account-level trail writes to S3 through the bucket policy and does not need the role).

* The role is only assumable by the CloudTrail service and you [cannot modify the trust policy of a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html#:~:text=You%20cannot%20modify%20the%20trust%20policy)

| Action           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `iam:DeleteRole` | Deleting the role would break organization-trail delivery for member accounts. It cannot be deleted while trails still use it: [all related CloudTrail resources must be deleted first](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/using-service-linked-roles-create-slr-for-org-trails.html#:~:text=To%20do%20this%2C%20you%20must%20first%20manually%20clean%20up%20the%20resources%20for%20your%20service%2Dlinked%20role%2C%20and%20then%20you%20can%20manually%20delete%20it), and those deletions are themselves logged. |

#### SNS Topic

CloudTrail can publish a notification to an SNS topic each time a log file is delivered. Detections that consume those notifications (for example an SQS queue or a Lambda function subscribed to the topic) can be blinded by deleting or altering the topic.

| Action            | Description                                                                                                                                                                    |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `sns:DeleteTopic` | Deletes the topic; `aws cloudtrail get-trail-status` then reports a `LatestNotificationError`, but any pipeline fed by the topic goes quiet.                                   |
| `sns:Unsubscribe` | Removes a subscription (a queue, function or endpoint) so the downstream consumer stops receiving delivery notifications while the topic itself looks intact.                  |
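Turning the tables above into detection logic, as an added example that is not from the original page: this Python scans CloudTrail records for the tampering calls, ignores S3, IAM and SNS calls that do not touch the trail's own bucket, role or topic, explains what an `UpdateTrail` or `PutEventSelectors` call weakened, and keeps denied attempts as findings because a failed `StopLogging` is still an attacker signal. The bucket name, topic ARN and the log records are constructed for the example.

```python
"""Flag CloudTrail records for the tampering actions on this page. Added example,
not from the original page; bucket, topic ARN and sample records are constructed."""
import json

LOG_BUCKET = "org-cloudtrail-logs"                                       # assumption
LOG_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:cloudtrail-notify"   # assumption
CLOUDTRAIL_SLR = "AWSServiceRoleForCloudTrail"

# eventSource -> eventName values that stop, weaken or redirect logging.
WATCHED = {
    "cloudtrail.amazonaws.com": {"DeleteTrail", "StopLogging", "UpdateTrail", "PutEventSelectors"},
    # DeleteObject is an S3 data event; it only shows up if data events are logged.
    # Lifecycle changes are logged as PutBucketLifecycle; the newer API name is kept too.
    "s3.amazonaws.com": {"DeleteObject", "DeleteBucket", "PutBucketPolicy",
                         "PutBucketLifecycle", "PutBucketLifecycleConfiguration"},
    "iam.amazonaws.com": {"DeleteRole"},
    "sns.amazonaws.com": {"DeleteTopic", "Unsubscribe"},
}
# UpdateTrail parameters that reduce coverage when set to these values.
WEAKENING_TRAIL_PARAMS = {"enableLogFileValidation": False, "isMultiRegionTrail": False,
                          "includeGlobalServiceEvents": False}


def _targets_trail_resource(source, params):
    """True when an S3/IAM/SNS call touches the trail's own bucket, role or topic."""
    if source == "s3.amazonaws.com":
        return params.get("bucketName") == LOG_BUCKET
    if source == "iam.amazonaws.com":
        return params.get("roleName") == CLOUDTRAIL_SLR
    if source == "sns.amazonaws.com":
        return (params.get("topicArn") == LOG_TOPIC_ARN
                or str(params.get("subscriptionArn", "")).startswith(LOG_TOPIC_ARN))
    return True  # every watched cloudtrail.amazonaws.com call is interesting


def _describe(name, params):
    """Explain what an UpdateTrail or PutEventSelectors call weakened."""
    reasons = []
    if name == "UpdateTrail":
        reasons += [f"{k}={v}" for k, v in WEAKENING_TRAIL_PARAMS.items() if params.get(k) == v]
        reasons += [f"{k} changed" for k in ("s3BucketName", "cloudWatchLogsLogGroupArn", "snsTopicName")
                    if k in params]
    elif name == "PutEventSelectors":
        for sel in params.get("eventSelectors", []):
            if sel.get("includeManagementEvents") is False:
                reasons.append("management events excluded")
            if sel.get("readWriteType", "All") != "All":
                reasons.append(f"readWriteType={sel['readWriteType']}")
    return "; ".join(reasons)


def scan_records(records):
    """Return one finding per record that matches a tampering action."""
    findings = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        if name not in WATCHED.get(source, ()):
            continue
        params = rec.get("requestParameters") or {}
        if not _targets_trail_resource(source, params):
            continue
        findings.append({
            "eventTime": rec.get("eventTime"), "eventName": name,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            # A denied call still shows intent, so it is kept as a finding.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            "detail": _describe(name, params),
        })
    return findings


ALICE = "arn:aws:iam::111122223333:user/alice"  # constructed actor


def _rec(minute, source, name, params, error=None):
    """Constructed record carrying the fields a real CloudTrail entry has."""
    rec = {"eventVersion": "1.08", "eventTime": f"2024-05-01T10:{minute:02d}:00Z",
           "eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": ALICE},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [  # constructed, not real log data
    _rec(0, "cloudtrail.amazonaws.com", "StopLogging", {"name": "org-trail"}),
    _rec(1, "cloudtrail.amazonaws.com", "UpdateTrail",
         {"name": "org-trail", "enableLogFileValidation": False, "isMultiRegionTrail": False}),
    _rec(2, "cloudtrail.amazonaws.com", "PutEventSelectors",
         {"trailName": "org-trail",
          "eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": False}]}),
    _rec(3, "s3.amazonaws.com", "PutBucketLifecycle", {"bucketName": LOG_BUCKET}),
    _rec(4, "s3.amazonaws.com", "DeleteBucket", {"bucketName": "scratch-bucket"}),  # not the log bucket
    _rec(5, "sns.amazonaws.com", "DeleteTopic", {"topicArn": LOG_TOPIC_ARN}, error="AuthorizationError"),
    _rec(6, "cloudtrail.amazonaws.com", "DescribeTrails", {"includeShadowTrails": True}),  # read-only
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

A delivered CloudTrail log file is gzip-compressed JSON with a top-level `Records` list, so feeding real data in is `scan_records(json.load(fh)["Records"])` over a `gzip.open(path, "rt")` handle. Scoping the S3, IAM and SNS matches to the trail's own resources is what keeps this from alerting on every bucket deletion in the account; the CloudTrail API calls need no such filter because any of them against any trail is worth a look.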
