Evading Logging in the Cloud: Bypassing AWS CloudTrail
Discover the hidden loopholes in AWS CloudTrail, a fundamental security logging service, and learn how to bypass it using undocumented APIs, non-production endpoints, and other creative workarounds.
- Defenders have no way of knowing about specific behavior that evades logging in the cloud.
- Undocumented APIs have been a hot topic in AWS security research.
- Non-production endpoints can be used to bypass CloudTrail.
- Bypassing CloudTrail can be done by mutating requests, using protocol version mismatch, or using non-production endpoints.
- Event source obfuscation can also be used to evade detection.
- CloudTrail is a fundamental security logging service in AWS, but it has its limitations.
- Some APIs, such as IAM and IEM, can be used to gain access to production resources without being detected.
- The relationship between the API that you’re invoking and the event source can be used to evade detection.
- Some events may not show up in CloudTrail at all, making it difficult to detect suspicious activity.
- CloudTrail events do not always map one-to-one onto AWS API operations, which can make it difficult to detect anomalies.
- Some non-production endpoints can be used to evade detection, and some API operations may not show up in CloudTrail.
- The EventBridge, Service Catalog, and IVS services can be used to bypass CloudTrail.
- Protocol mutation, undocumented APIs, and non-production endpoints are potential use cases for evading CloudTrail.
- CloudTrail does not always provide a complete picture of all possible operations.
- There are many ways to bypass CloudTrail, including using uncataloged services, non-production endpoints, and protocol version mismatch.
- Mutating requests and using protocol version mismatch can be used to evade detection.
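As an added defensive illustration (example code written for this page, not from the talk or its author): a small check over CloudTrail records that flags the two evasion symptoms the takeaways describe, an eventSource that does not match the API operation being invoked, and an apiVersion that differs from the one the service normally logs. The expected-value tables and the sample records are constructed assumptions; a real deployment would build its baseline from the account's own CloudTrail history.

```python
# Field names (eventSource, eventName, apiVersion) are real CloudTrail record
# fields. The baselines below are assumptions for illustration only.
EXPECTED_SOURCE = {
    "CreateUser": {"iam.amazonaws.com"},
    "GetCallerIdentity": {"sts.amazonaws.com"},
}
EXPECTED_API_VERSION = {
    "iam.amazonaws.com": {"2010-05-08"},
    "sts.amazonaws.com": {"2011-06-15"},
}

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "apiVersion": "2010-05-08"},
    # IAM operation logged under a different service's event source
    {"eventSource": "other-service.amazonaws.com", "eventName": "CreateUser",
     "apiVersion": "2010-05-08"},
    # STS call carrying a protocol version the service does not normally log
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "apiVersion": "1999-01-01"},
]


def check_event(event):
    """Return a list of finding tags for one CloudTrail record (empty if clean)."""
    findings = []
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    version = event.get("apiVersion")

    expected_sources = EXPECTED_SOURCE.get(name)
    if expected_sources and source not in expected_sources:
        findings.append("event-source-mismatch")

    known_versions = EXPECTED_API_VERSION.get(source)
    if version and known_versions and version not in known_versions:
        findings.append("api-version-mismatch")
    return findings


def scan(events):
    """Map record index -> findings, keeping only records that raised something."""
    return {i: f for i, e in enumerate(events) if (f := check_event(e))}


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(f"record {idx}: {', '.join(tags)}")
```

Absence of a record cannot be flagged this way; a missing event is only visible by comparing CloudTrail against another source such as resource state or billing data.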