CloudTrail Logging Disruption
critical | Defense Evasion
An attacker disables, deletes, or manipulates CloudTrail trails to blind defenders and hide subsequent attack activity.
Required Permissions
Description
CloudTrail is the primary audit log for AWS API activity. Disrupting it is often one of the first actions an attacker takes after gaining privileged access, as it blinds defenders to all subsequent activity.
Multiple disruption techniques exist, each with different stealth characteristics:
- **Direct trail deletion** — `aws cloudtrail delete-trail` removes the trail entirely. Obvious but effective.
- **Stopping logging** — `aws cloudtrail stop-logging` pauses log collection without deleting the trail configuration.
- **Multi-region disabling** — `aws cloudtrail update-trail --no-is-multi-region-trail --no-include-global-service-events` limits logging to only the home region, creating blind spots.
- **S3 bucket manipulation** — Redirecting the trail to a different S3 bucket, deleting the log bucket, modifying bucket policies to deny CloudTrail writes, or adding lifecycle rules to auto-delete log objects.
- **KMS key disruption** — Creating an encryption-only KMS key (no decrypt permissions), applying it to the trail, then disabling or scheduling deletion of the key. Existing logs become unreadable and new logs cannot be written.
- **Lambda-based auto-deletion** — Deploying a Lambda function triggered by S3 object creation that automatically deletes new log files as they arrive.
The most sophisticated attackers combine multiple techniques — for example, redirecting the trail to an attacker-controlled bucket while simultaneously manipulating the KMS key, making both detection and forensic recovery extremely difficult.
Impact
Complete loss of audit visibility. All subsequent attacker activity becomes invisible to CloudTrail-based detection and incident response.
Detection
Monitor CloudTrail itself for StopLogging, DeleteTrail, and UpdateTrail API calls; these are usually the last events recorded before visibility is lost, so alert on them in near real time rather than in a daily batch. Set up CloudWatch alarms on trail status changes. Use AWS Config rules to detect non-compliant trail configurations. Monitor S3 bucket policy and lifecycle changes on log buckets, and DisableKey or ScheduleKeyDeletion calls against the KMS key the trail uses.
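As an added example (not part of the original entry), a small Python detector that applies the checks above to newline-delimited CloudTrail records: it flags StopLogging and DeleteTrail, UpdateTrail calls that narrow scope or swap the S3 bucket or KMS key, S3 policy and lifecycle changes on a known log bucket, and KMS key disabling or deletion scheduling. The sample records, account ID, bucket name and key ID are constructed placeholders, and the S3 and KMS event-name sets are assumptions to verify against the event names in your own logs.

```python
import json

# Constructed sample CloudTrail records (not real account data); ARNs, bucket and key IDs are placeholders.
SAMPLE_LOG = """
{"eventTime":"2024-01-01T10:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","userIdentity":{"arn":"arn:aws:iam::123456789012:user/analyst"},"requestParameters":null}
{"eventTime":"2024-01-01T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{"name":"main","isMultiRegionTrail":false,"includeGlobalServiceEvents":false}}
{"eventTime":"2024-01-01T10:06:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{"name":"main"}}
{"eventTime":"2024-01-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketLifecycle","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{"bucketName":"example-cloudtrail-logs"}}
{"eventTime":"2024-01-01T10:08:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"},"requestParameters":{"keyId":"placeholder-key-id","pendingWindowInDays":7}}
"""

S3_DISRUPTION = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketLifecycle", "DeleteBucket"}  # assumed event names
KMS_DISRUPTION = {"DisableKey", "ScheduleKeyDeletion"}  # assumed event names

def classify_event(event, log_buckets):
    """Label one CloudTrail record as a logging-disruption finding, or return None."""
    name = event.get("eventName", "")
    source = event.get("eventSource", "")
    params = event.get("requestParameters") or {}
    if source == "cloudtrail.amazonaws.com":
        if name in ("StopLogging", "DeleteTrail"):
            return f"trail-disruption:{name}"
        if name == "UpdateTrail":
            # Narrowing scope or swapping the S3 bucket / KMS key are the quieter variants.
            if params.get("isMultiRegionTrail") is False or params.get("includeGlobalServiceEvents") is False:
                return "trail-scope-narrowed"
            if "s3BucketName" in params or "kmsKeyId" in params:
                return "trail-destination-changed"
            return "trail-updated"
    if source == "s3.amazonaws.com" and name in S3_DISRUPTION and params.get("bucketName") in log_buckets:
        return f"log-bucket-tampering:{name}"
    if source == "kms.amazonaws.com" and name in KMS_DISRUPTION:
        return f"kms-key-disruption:{name}"
    return None

def scan_log(raw, log_buckets):
    """Parse newline-delimited JSON records and return (eventTime, actor ARN, label) findings."""
    findings = []
    for line in raw.strip().splitlines():
        rec = json.loads(line)
        label = classify_event(rec, log_buckets)
        if label:
            actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
            findings.append((rec["eventTime"], actor, label))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, {"example-cloudtrail-logs"}):
        print(*finding)
```

On the constructed sample this yields four findings, all by the same principal within three minutes, which is the sequence a real-time alert should surface before the trail goes dark.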
Mitigation
Use SCPs to deny cloudtrail:StopLogging, cloudtrail:DeleteTrail, and cloudtrail:UpdateTrail from all principals except a dedicated security account. Enable organization trails managed from the management account; since SCPs do not apply to the management account itself, keep access to it tightly restricted. Use S3 Object Lock to prevent log deletion. Send logs to a separate security account.