Published on June 11, 2026
Hackers Abuse AWS CloudTrail and Google Cloud Logging to Evade Detection and Exfiltrate Logs
Severity
High
Detail
Security researchers have identified attack techniques that target cloud logging services in Amazon Web Services (AWS) and Google Cloud Platform (GCP). The activity focuses on AWS CloudTrail and Google Cloud Logging, which are commonly used by organizations to record user actions, system changes, and access to cloud resources.
With compromised administrative access, threat actors can blind security teams by halting log generation, wiping storage destinations, disrupting encryption, or directly altering log files to cover their tracks. They can also redirect logs to attacker-controlled locations, which lets them continuously monitor activity within the compromised cloud environment without the victim's knowledge.
Security monitoring tools such as SIEM, SOAR, and cloud security platforms rely heavily on accurate log data to identify suspicious activity and support incident investigations. Missing, altered, or redirected logs significantly reduce an organization's ability to detect threats, investigate security incidents, and respond effectively. These techniques do not rely on software vulnerabilities: once an attacker has access to a cloud environment, excessive permissions combined with legitimate cloud management functions are enough to interfere with logging.
How?
An attacker first gains access to a cloud environment through compromised credentials, excessive permissions, misconfigurations, or another initial access method. The attacker abuses cloud logging services to evade detection and reduce visibility of malicious activity. Several techniques have been observed, including disabling logging functions, deleting log storage locations, modifying encryption settings, altering log files, and redirecting logs to attacker-controlled destinations.
In AWS environments, an attacker with sufficient permissions can stop CloudTrail logging with the StopLogging API (aws cloudtrail stop-logging in the CLI), after which no new events are delivered to the trail's S3 bucket. In Google Cloud environments, attackers can disable logging sinks, including the project's _Default sink, so that log entries are no longer routed to their configured destinations. Log storage can also be targeted directly: attackers with the required permissions may delete log buckets or remove stored log objects, resulting in the loss of audit records. Another technique is to replace the KMS key protecting log data with an attacker-controlled key and then revoke the victim's access to that key, which prevents the organization from both writing new log data and reading what was already encrypted.
Attackers may also manipulate audit records through log poisoning, where delivered log files are downloaded, edited to remove evidence of malicious activity, and re-uploaded in place. This compromises the integrity of the audit trail and hinders forensic investigations. Moreover, threat actors may redirect logs to infrastructure under their control. In AWS, this can be achieved through the CreateTrail or UpdateTrail APIs by pointing the trail at an attacker-controlled S3 bucket; CloudTrail will deliver to a bucket in another account as long as that bucket's policy grants the CloudTrail service write access. In Google Cloud, the equivalent is a sink created or modified through the sinks.create or sinks.update methods (governed by the logging.sinks.create and logging.sinks.update permissions) whose destination lives in a project the attacker controls. Successful redirection provides attackers with continuous visibility into cloud operations, including user activity, resource changes, IAM modifications, and access to sensitive resources.
These actions can significantly impact security monitoring platforms, incident response capabilities, and forensic investigations by reducing the availability, integrity, and confidentiality of cloud audit logs.
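Every technique described above leaves a control-plane call in the audit log of the cloud provider itself: the StopLogging, UpdateTrail, DeleteBucket and KMS calls land in CloudTrail, and sink and bucket changes land in Google Cloud Audit Logs under logging.googleapis.com. The following detection logic is an added example (not code from the original advisory or from either provider). It runs over a constructed stream of events modelled on CloudTrail record fields and on Cloud Audit Log protoPayload entries; the trusted-destination sets are assumptions standing in for an environment's real allowlists.

```python
"""Flag audit-log events that suspend, redirect or destroy cloud logging.

Added example, not code from the original advisory. The events are
constructed, modelled on CloudTrail record fields and on Cloud Audit Log
entries (protoPayload) for logging.googleapis.com; the trusted-destination
sets are assumptions standing in for an environment's real allowlists.
"""
import json

# Assumed allowlists: where this environment's logs are supposed to go.
TRUSTED_S3_BUCKETS = {"org-cloudtrail-logs"}
TRUSTED_KMS_KEY_ARNS = {"arn:aws:kms:us-east-1:111111111111:key/aaaa-1111"}
TRUSTED_GCP_DESTINATIONS = {
    "logging.googleapis.com/projects/org-sec/locations/global/buckets/_Default"}

CLOUDTRAIL_SUSPEND = {"StopLogging", "DeleteTrail", "PutEventSelectors"}
KMS_LOCKOUT = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"}
GCP_PREFIX = "google.logging.v2.ConfigServiceV2."
GCP_DESTRUCTIVE = {"DeleteSink", "DeleteBucket", "UpdateBucket"}


def check_cloudtrail(rec):
    """Findings for one CloudTrail record as (severity, description, actor)."""
    name = rec.get("eventName", "")
    src = rec.get("eventSource", "")
    params = rec.get("requestParameters") or {}
    who = (rec.get("userIdentity") or {}).get("arn", "?")
    out = []
    if src == "cloudtrail.amazonaws.com":
        if name in CLOUDTRAIL_SUSPEND:
            out.append(("high", f"cloudtrail:{name} on trail {params.get('name')}", who))
        if name in ("CreateTrail", "UpdateTrail"):
            bucket, key = params.get("s3BucketName"), params.get("kmsKeyId")
            if bucket and bucket not in TRUSTED_S3_BUCKETS:
                out.append(("critical", f"cloudtrail:{name} redirects delivery to untrusted bucket {bucket}", who))
            if key and key not in TRUSTED_KMS_KEY_ARNS:
                out.append(("critical", f"cloudtrail:{name} switches encryption to untrusted KMS key {key}", who))
    elif src == "s3.amazonaws.com" and name == "DeleteBucket":
        if params.get("bucketName") in TRUSTED_S3_BUCKETS:
            out.append(("critical", f"s3:DeleteBucket on log bucket {params['bucketName']}", who))
    elif src == "kms.amazonaws.com" and name in KMS_LOCKOUT:
        # keyId is whatever the caller passed: a full ARN or a bare key id.
        key_id = params.get("keyId", "")
        if any(arn == key_id or arn.endswith("/" + key_id) for arn in TRUSTED_KMS_KEY_ARNS):
            out.append(("high", f"kms:{name} on the log encryption key {key_id}", who))
    return out


def check_gcp(entry):
    """Findings for one Cloud Audit Log entry that touches logging.googleapis.com."""
    p = entry.get("protoPayload") or {}
    method = p.get("methodName", "")
    if p.get("serviceName") != "logging.googleapis.com" or not method.startswith(GCP_PREFIX):
        return []
    short = method[len(GCP_PREFIX):]
    who = (p.get("authenticationInfo") or {}).get("principalEmail", "?")
    out = []
    if short in GCP_DESTRUCTIVE:
        out.append(("high", f"gcp:{short}", who))
    if short in ("CreateSink", "UpdateSink"):
        sink = (p.get("request") or {}).get("sink") or {}
        dest = sink.get("destination")
        if sink.get("disabled"):
            out.append(("high", f"gcp:{short} disables sink {sink.get('name')}", who))
        if dest and dest not in TRUSTED_GCP_DESTINATIONS:
            out.append(("critical", f"gcp:{short} routes sink {sink.get('name')} to untrusted {dest}", who))
    return out


def scan(ndjson_text):
    """Run both checks over newline-delimited JSON and return all findings in order."""
    findings = []
    for line in ndjson_text.splitlines():
        if line.strip():
            event = json.loads(line)
            findings += check_gcp(event) if "protoPayload" in event else check_cloudtrail(event)
    return findings


# Constructed sample stream: two benign read-only calls mixed in with the attacks.
ALICE = {"arn": "arn:aws:iam::111111111111:user/alice"}
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": ALICE, "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "userIdentity": ALICE,
     "requestParameters": {"name": "org-trail", "s3BucketName": "attacker-sink-bucket",
                           "kmsKeyId": "arn:aws:kms:us-east-1:999999999999:key/bbbb-2222"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/SecurityAudit"}, "requestParameters": None},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "userIdentity": ALICE,
     "requestParameters": {"bucketName": "org-cloudtrail-logs"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DisableKey", "userIdentity": ALICE,
     "requestParameters": {"keyId": "aaaa-1111"}},
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "mallory@example.com"},
                      "request": {"sink": {"name": "_Default", "disabled": True,
                                           "destination": "pubsub.googleapis.com/projects/attacker-proj/topics/exfil"}}}},
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
                      "authenticationInfo": {"principalEmail": "auditor@example.com"}}},
])

if __name__ == "__main__":
    for sev, what, who in scan(SAMPLE_EVENTS):
        print(f"[{sev:8}] {what}  by {who}")
```

The allowlist comparison is what turns a noisy "someone called UpdateTrail" alert into a precise one: a trail update that keeps the approved bucket and key is routine, while one that points delivery at a bucket or KMS key the organization does not own is the redirection or lockout described above. The same CloudTrail records are, of course, unavailable once StopLogging has succeeded, which is why these rules must run on the events that precede and include the tampering call rather than on anything that follows it.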
Recommendation
Organizations should implement the following measures to reduce the risk associated with cloud logging abuse:
- Restrict permissions related to cloud logging configuration and management to a limited number of trusted administrators.
- Regularly review and monitor changes to logging configurations, storage destinations, and encryption settings.
- Enable immutable or protected logging features provided by cloud service providers where available, such as S3 Object Lock on the CloudTrail bucket or locked log buckets in Google Cloud Logging, so that delivered log data cannot be deleted or its retention shortened.
- Configure alerts for logging service modifications, log destination changes, log deletion attempts, and logging suspension events.
- Enable AWS CloudTrail Log File Integrity Validation to detect unauthorized modifications to log files.
- Use dedicated security monitoring and cloud security posture management solutions to identify unusual administrative actions and permission abuse.
- Conduct regular audits of cloud identities, roles, and access permissions to ensure least-privilege access is enforced.
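CloudTrail Log File Integrity Validation works by having CloudTrail write, alongside the log files, signed digest files that record a SHA-256 hash for every delivered log object. Re-hashing what is in the bucket and comparing against the digest exposes both the log poisoning and the object deletion described above. The block below is an added example (not AWS code and not from the original advisory) that reproduces that hash check over constructed log objects and a simplified digest; it keeps only the digest fields the check needs, hashes the objects uncompressed rather than as the gzipped S3 objects CloudTrail hashes, and leaves out verification of the digest's signature.

```python
"""Recompute CloudTrail-style log file hashes against a digest to expose poisoning.

Added example, not AWS code. The digest is a constructed, simplified record
that keeps only the fields this check needs from the CloudTrail digest file
format (logFiles[].s3Object, hashAlgorithm, hashValue); the log objects are
hashed uncompressed here, whereas CloudTrail hashes the gzipped object as
stored in S3, and verification of the digest's signature is left out.
"""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log(records) -> bytes:
    """Serialise records in the CloudTrail log file layout: {"Records": [...]}."""
    return json.dumps({"Records": records}, sort_keys=True).encode()


def build_digest(objects) -> dict:
    """What CloudTrail does at delivery time: record a SHA-256 per delivered object."""
    return {"digestAlgorithm": "SHA-256",
            "logFiles": [{"s3Object": key, "hashAlgorithm": "SHA-256",
                          "hashValue": sha256_hex(data)}
                         for key, data in sorted(objects.items())]}


def verify_digest(digest, objects) -> dict:
    """Compare every digest entry with what is currently in the bucket."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            results[key] = "missing"       # object deleted after delivery
        elif entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported"
        elif sha256_hex(objects[key]) != entry["hashValue"]:
            results[key] = "tampered"      # edited and re-uploaded in place
        else:
            results[key] = "ok"
    return results


def poison(objects, key, drop_event_name) -> dict:
    """Simulate log poisoning: rewrite one object without the incriminating records."""
    records = json.loads(objects[key])["Records"]
    kept = [r for r in records if r["eventName"] != drop_event_name]
    return {**objects, key: make_log(kept)}


PREFIX = "AWSLogs/111111111111/CloudTrail/us-east-1/2026/06/11/"
ACTOR = {"arn": "arn:aws:iam::111111111111:user/alice"}
# Constructed log objects, as CloudTrail delivered them.
DELIVERED = {
    PREFIX + "a.json": make_log([
        {"eventName": "ConsoleLogin", "userIdentity": ACTOR},
        {"eventName": "CreateAccessKey", "userIdentity": ACTOR},
    ]),
    PREFIX + "b.json": make_log([{"eventName": "StopLogging", "userIdentity": ACTOR}]),
    PREFIX + "c.json": make_log([{"eventName": "DescribeTrails", "userIdentity": ACTOR}]),
}
DIGEST = build_digest(DELIVERED)


def attack_and_verify() -> dict:
    """Attacker scrubs CreateAccessKey from a.json and deletes b.json; then validate."""
    bucket = poison(DELIVERED, PREFIX + "a.json", "CreateAccessKey")
    del bucket[PREFIX + "b.json"]
    return verify_digest(DIGEST, bucket)


if __name__ == "__main__":
    for key, status in attack_and_verify().items():
        print(f"{status:9} {key}")
```

In production the check is run with aws cloudtrail validate-logs, which additionally verifies the RSA signature on each digest file against the public key CloudTrail publishes for the trail's region and follows the chain of previous-digest references. That signature is the part an attacker cannot reproduce: rewriting the digest to match a poisoned log file would require CloudTrail's private signing key, so a tampered file surfaces either as a hash mismatch or as a digest that fails signature verification. Note that this only covers log files already delivered; it does nothing against a trail that was stopped or redirected before the events were written, which is what the alerting in the previous recommendations is for.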
Source
https://cybersecuritynews.com/hackers-abuse-aws-cloudtrail-and-google-cloud-logging/
