CloudTrail Gaps or Tampering
Description
CloudTrail records management and data events across your AWS accounts. If trails are not organization‑wide, not multi‑region, missing data event coverage (S3/Lambda/DynamoDB), or lack immutability and log validation, attackers can act with reduced detection. Adversaries also attempt to disrupt logging by calling StopLogging, deleting or updating trails, or altering S3 destinations and KMS keys.
Examples
Verify Trails and Event Selectors
aws cloudtrail describe-trails --include-shadow-trails
aws cloudtrail get-event-selectors --trail-name <trail>
aws cloudtrail get-insight-selectors --trail-name <trail>
aws cloudtrail get-trail-status --name <trail>
Check S3 Protections
aws s3api get-bucket-object-lock-configuration --bucket <trail-bucket>
aws s3api get-bucket-versioning --bucket <trail-bucket>
aws s3api get-bucket-policy --bucket <trail-bucket>
Missing org/region coverage, data/insight selectors, log file validation, versioning/Object Lock, or KMS protection indicates gaps.
Look for tampering in CloudTrail
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=StopLogging \
--max-results 50 --region us-east-1
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateTrail
Any StopLogging, DeleteTrail, UpdateTrail, or S3/KMS policy changes tied to trail destinations are high‑signal.
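The checks above can be applied mechanically to the JSON those commands return. The following Python is an added example, not part of this checklist; the sample CLI output it evaluates is constructed, and the trail name, bucket name and usernames in it are placeholders.

```python
# Constructed sample CLI output, trimmed to the fields the checks use.
TRAIL = {"Name": "main-trail", "S3BucketName": "example-trail-logs", "IsMultiRegionTrail": False,
         "IsOrganizationTrail": False, "LogFileValidationEnabled": True, "KmsKeyId": None}
SELECTORS = {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True,
             "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]}
STATUS = {"IsLogging": True}
VERSIONING = {"Status": "Suspended"}
OBJECT_LOCK = None  # get-bucket-object-lock-configuration returned no configuration
LOOKUP = {"Events": [
    {"EventTime": "2024-05-01T10:00:00Z", "EventName": "DescribeTrails", "Username": "auditor"},
    {"EventTime": "2024-05-01T10:05:00Z", "EventName": "StopLogging", "Username": "deploy-role"},
    {"EventTime": "2024-05-01T10:06:00Z", "EventName": "PutEventSelectors", "Username": "deploy-role"}]}

REQUIRED_DATA_TYPES = ("AWS::S3::Object", "AWS::Lambda::Function", "AWS::DynamoDB::Table")
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
                 "PutBucketPolicy", "DeleteBucket", "DisableKey", "ScheduleKeyDeletion"}

def covered_data_types(selectors):
    """Resource types with data events, from basic or advanced event selectors."""
    types = {r["Type"] for s in selectors.get("EventSelectors", []) for r in s.get("DataResources", [])}
    for adv in selectors.get("AdvancedEventSelectors", []):
        for field in adv.get("FieldSelectors", []):
            if field.get("Field") == "resources.type":
                types.update(field.get("Equals", []))
    return types

def trail_gaps(trail, selectors, status, versioning, object_lock):
    """Return the checklist gaps for one trail and its log bucket as strings."""
    checks = [(status.get("IsLogging"), "logging stopped"),
              (trail.get("IsOrganizationTrail"), "not organization-wide"),
              (trail.get("IsMultiRegionTrail"), "not multi-region"),
              (trail.get("LogFileValidationEnabled"), "log file validation off"),
              (trail.get("KmsKeyId"), "no KMS key"),
              (versioning.get("Status") == "Enabled", "bucket versioning not enabled")]
    gaps = [msg for ok, msg in checks if not ok]
    types = covered_data_types(selectors)
    gaps += [f"no data events for {t}" for t in REQUIRED_DATA_TYPES if t not in types]
    rule = ((object_lock or {}).get("ObjectLockConfiguration") or {}).get("Rule") or {}
    if rule.get("DefaultRetention", {}).get("Mode") != "COMPLIANCE":
        gaps.append("no Object Lock Compliance-mode retention")
    return gaps

def tamper_events(lookup):
    """Flag logging-disruption and S3/KMS changes in lookup-events output as (time, event, user)."""
    return [(e["EventTime"], e["EventName"], e.get("Username"))
            for e in lookup.get("Events", []) if e["EventName"] in TAMPER_EVENTS]

if __name__ == "__main__":
    print(trail_gaps(TRAIL, SELECTORS, STATUS, VERSIONING, OBJECT_LOCK), tamper_events(LOOKUP))
```

Feed it the output of the describe-trails, get-event-selectors, get-trail-status, get-bucket-versioning and get-bucket-object-lock-configuration calls for each trail; an empty gap list means every item in the checklist is covered.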
Remediation
- Enable org‑wide, multi‑region trails
- Create an AWS Organizations trail that applies to all accounts and regions; enable management, data (S3, Lambda, DynamoDB at minimum), and Insight events.
- Make logs tamper‑evident and durable
- Enable log file validation; deliver to versioned S3 with Object Lock (Compliance mode) and lifecycle/replication to a separate account; optionally stream to CloudWatch Logs with KMS encryption.
- Protect the pipeline
- Use SCPs to deny StopLogging, DeleteTrail, and UpdateTrail to non‑break‑glass roles; restrict S3/KMS policies so only the CloudTrail service and logging role can write.
- Monitor aggressively
- Create CloudWatch/EventBridge rules to alert on trail changes and unauthorized access to log buckets; investigate StopLogging, changes to event selectors, and KMS/S3 policy edits.