An attacker can stop a CloudTrail trail from logging to hide their activities.
CloudTrail is the AWS service that records the API calls made in your AWS account. When an attacker disables CloudTrail, you lose visibility into and accountability for the attacker's activity. This increases the time to detection and makes incident response and forensics more challenging.
When an attacker stops a CloudTrail trail from logging, control plane activity on the AWS API is no longer delivered to that trail's S3 bucket or CloudWatch Logs log group, and the events that would have been recorded while the trail was stopped cannot be recovered afterwards. The 90-day Event History that CloudTrail keeps independently of any trail is not affected by stopping a trail, but it is not a substitute for one: it holds management events only, has no long-term retention, and is not what a SIEM ingests.
You can identify when a CloudTrail trail is stopped using CloudTrail's
GuardDuty also has a dedicated finding type: Stealth:IAMUser/CloudTrailLoggingDisabled.
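The StopLogging call is itself a CloudTrail API call and is recorded as a management event, so a detection can key on the event name rather than on the silence that follows. The following Python is an added example written for this page (it is not Datadog's rule logic and not part of Stratus Red Team): it parses a constructed CloudTrail log file and flags StopLogging together with the neighbouring calls that also reduce coverage (DeleteTrail, UpdateTrail, PutEventSelectors; that grouping is my own choice, not a quote of any vendor rule). Denied attempts are kept as lower-severity findings so that a call blocked by an SCP still produces an alert. All account IDs, ARNs, trail names and timestamps in the sample are made up.

```python
import json

# Constructed CloudTrail log file (not captured from a real account). The outer
# {"Records": [...]} shape is what CloudTrail delivers to S3; every account ID,
# ARN, trail name and timestamp below is invented for this example.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
    {"eventTime": "2024-05-01T10:05:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"}},
    {"eventTime": "2024-05-01T10:06:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
     "requestParameters": {"name": "org-trail"},
     "errorCode": "AccessDenied",
     "errorMessage": "not authorized to perform cloudtrail:StopLogging (explicit deny in an SCP)"},
    {"eventTime": "2024-05-01T10:07:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "PutEventSelectors", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly"}]}},
    {"eventTime": "2024-05-01T10:08:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "t3.micro"}},
]})

# CloudTrail API calls that reduce or remove logging coverage. StopLogging is the
# one this page is about; the others are the usual companions in a
# "trail configuration modified" style detection (my grouping, an assumption).
TRAIL_TAMPERING = {
    "StopLogging": "trail stopped delivering events",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail settings changed (bucket, regions, log file validation)",
    "PutEventSelectors": "event selectors changed (management/data event coverage)",
}


def load_records(log_text):
    """Parse one CloudTrail log file ({"Records": [...]}) into a list of records."""
    return json.loads(log_text)["Records"]


def trail_name(record):
    """StopLogging/DeleteTrail use 'name'; PutEventSelectors uses 'trailName'."""
    params = record.get("requestParameters") or {}
    return params.get("name") or params.get("trailName") or "<unknown>"


def find_trail_tampering(records):
    """Return one finding per CloudTrail API call that weakens logging.

    Successful calls are 'high'. Calls that failed (errorCode present, e.g.
    AccessDenied from an SCP) are kept at 'medium': the attempt is the signal.
    """
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        event = rec.get("eventName")
        if event not in TRAIL_TAMPERING:
            continue
        blocked = bool(rec.get("errorCode"))
        detail = TRAIL_TAMPERING[event]
        if blocked:
            detail += f" (blocked: {rec['errorCode']})"
        findings.append({
            "time": rec["eventTime"],
            "event": event,
            "trail": trail_name(rec),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "region": rec.get("awsRegion"),
            "severity": "medium" if blocked else "high",
            "detail": detail,
        })
    return findings


if __name__ == "__main__":
    for f in find_trail_tampering(load_records(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['event']} "
              f"on {f['trail']}: {f['detail']}")
```

Run against the sample, the DescribeTrails and RunInstances records are ignored, the successful StopLogging and PutEventSelectors calls come out as high-severity findings, and the SCP-denied StopLogging attempt from the assumed role is reported at medium severity. In production the same function would run over the trail's S3 objects or the CloudWatch Logs stream; note that once a trail is stopped, the StopLogging event is the last thing that trail delivers, so the detection has to be evaluated on every event as it arrives rather than on a periodic batch of "recent" activity that may never be written.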
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate aws.defense-evasion.cloudtrail-stop
See also the related documentation.
How Datadog can help
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "AWS CloudTrail configuration modified".
Stratus Red Team - Stop CloudTrail Trail
GuardDuty finding "AWS CloudTrail logging was disabled"