Cloud Logging Services Abused for Defense Evasion and Attacker Visibility
Attackers exploit AWS CloudTrail and Google Cloud Logging misconfigurations to disable logging, delete logs, and establish persistent visibility while evading detection.
Attack Brief
Target: AWS CloudTrail, Google Cloud Logging, Amazon S3
Vector: Abuse of cloud logging service permissions to disable trails/sinks, delete log storage, manipulate encryption keys, and exfiltrate logs to attacker-controlled accounts
Technical Details
MITRE ATT&CK: T1562, T1562.008
Affected: AWS CloudTrail (all versions with configurable trails); Google Cloud Logging (all versions with configurable sinks); Amazon S3 buckets used as log destinations
Impact
Confirmed Damage: Loss of audit trail visibility; evasion of SIEM, SOAR, and CSPM detection systems; potential for undetected data exfiltration and extended attacker persistence
Mitigation
Workarounds: Implement least-privilege IAM policies restricting the cloudtrail:StopLogging, logging.sinks.update, s3:DeleteBucket, and s3:DeleteObject permissions; enable S3 Object Lock for immutable log storage; configure multi-account log aggregation; enable CloudTrail Lake or EventBridge for redundant log delivery; implement resource-based policies preventing unauthorized sink/trail modifications; enforce strict access controls on the encryption keys used for log storage so they cannot be replaced with attacker-controlled keys
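The workarounds above reduce who can perform these calls, but the calls themselves still need to be watched, since the same trail or sink that the attacker disables is the one a SIEM depends on. The following is an added detection example, not code from the original brief or from AWS or Google: it scans a mixed batch of CloudTrail records and Google Cloud audit-log entries for the stop/delete/reroute actions described in the Vector field and rates a trail or sink being pointed at an unknown destination as critical. The sample records are constructed, and LOG_BUCKETS and KNOWN_SINK_DESTINATIONS are hypothetical allowlists an operator would fill in for their own environment.

```python
"""Flag cloud-logging tamper events in CloudTrail and Google Cloud audit records.

Added example, not code from the original brief. The sample records below are
constructed for illustration; field names follow the public CloudTrail record
format and the Google Cloud audit-log LogEntry format. LOG_BUCKETS and
KNOWN_SINK_DESTINATIONS are hypothetical allowlists an operator would fill in.
"""
from typing import Optional

LOG_BUCKETS = {"acme-cloudtrail-logs"}                                    # hypothetical
KNOWN_SINK_DESTINATIONS = {"storage.googleapis.com/acme-audit-archive"}  # hypothetical

# CloudTrail eventSource -> eventName values that can stop, reroute or erase a trail.
CLOUDTRAIL_TAMPER = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "s3.amazonaws.com": {"DeleteBucket", "DeleteObject", "PutBucketLifecycle", "PutBucketPolicy"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
}
# Google Cloud Logging config methods that reroute or drop a sink.
GCP_TAMPER = {
    "google.logging.v2.ConfigServiceV2.UpdateSink",
    "google.logging.v2.ConfigServiceV2.DeleteSink",
}


def inspect_cloudtrail(record: dict) -> Optional[dict]:
    """Return a finding if a CloudTrail record weakens logging, else None."""
    source, name = record.get("eventSource"), record.get("eventName")
    if name not in CLOUDTRAIL_TAMPER.get(source, set()):
        return None
    params = record.get("requestParameters") or {}
    # S3 deletes and policy changes matter only on buckets that hold trail output.
    if source == "s3.amazonaws.com" and params.get("bucketName") not in LOG_BUCKETS:
        return None
    finding = {
        "platform": "aws", "action": name, "severity": "high",
        "actor": record.get("userIdentity", {}).get("arn", "?"),
    }
    # Pointing the trail at a bucket outside the allowlist is the log-exfiltration pattern.
    if name == "UpdateTrail":
        new_bucket = params.get("s3BucketName")
        if new_bucket and new_bucket not in LOG_BUCKETS:
            finding["severity"] = "critical"
            finding["detail"] = f"trail redirected to {new_bucket}"
    return finding


def inspect_gcp(entry: dict) -> Optional[dict]:
    """Return a finding if a Google Cloud audit entry modifies a logging sink, else None."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName")
    if method not in GCP_TAMPER:
        return None
    finding = {
        "platform": "gcp", "action": method.rsplit(".", 1)[-1], "severity": "high",
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "?"),
    }
    dest = ((payload.get("request") or {}).get("sink") or {}).get("destination")
    if dest and dest not in KNOWN_SINK_DESTINATIONS:
        finding["severity"] = "critical"
        finding["detail"] = f"sink redirected to {dest}"
    return finding


def scan(records: list) -> list:
    """Run both inspectors over a mixed batch and return every finding in order."""
    findings = []
    for rec in records:
        hit = inspect_cloudtrail(rec) if "eventSource" in rec else inspect_gcp(rec)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample batch: four tamper events mixed with benign noise.
SAMPLE_RECORDS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"},
     "requestParameters": {"bucketName": "app-uploads", "key": "tmp/x"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {"bucketName": "acme-cloudtrail-logs"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-user"},
     "requestParameters": {"name": "org-trail", "s3BucketName": "unknown-bucket-9f3"}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
                      "authenticationInfo": {"principalEmail": "auditor@example.com"}}},
    {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "request": {"sink": {"name": "org-sink",
                                           "destination": "storage.googleapis.com/external-bucket-x"}}}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        extra = f" ({f['detail']})" if "detail" in f else ""
        print(f"[{f['severity'].upper()}] {f['platform']} {f['action']} by {f['actor']}{extra}")
```

Run as-is it reports the StopLogging and DeleteBucket events as high and the two redirects as critical, while ignoring the DescribeTrails, ListSinks and unrelated-bucket DeleteObject noise. In production the same checks would sit on the redundant delivery path the brief recommends (EventBridge or an aggregated account), so that an attacker who stops the primary trail does not also silence the alert.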
Context
Similar Attacks: Defense evasion via log manipulation is a known technique across cloud environments; attackers target logging infrastructure to establish persistence and evade detection