Published on June 17, 2026

Attackers Exploiting Cloud Logging Platforms for Defense Evasion and Persistent Visibility


Severity
Medium 

Detail

Researchers from Unit 42 have identified increasing abuse of cloud logging platforms by threat actors seeking to evade detection and maintain visibility within compromised cloud environments. Services such as AWS CloudTrail and Google Cloud Logging, which are intended to provide comprehensive audit records of cloud activity, are being targeted to disrupt monitoring, manipulate evidence, and enable long-term reconnaissance.

According to the report, attackers are actively modifying, disabling, or redirecting logging mechanisms to reduce defender visibility while preserving access to valuable operational information.

How?

Threat actors target cloud logging infrastructure once they hold sufficient permissions in the environment. The simplest method is to disable logging outright. In AWS, an attacker can call the CloudTrail StopLogging API to halt log delivery for a trail immediately; in Google Cloud, an attacker with the logging.sinks.update permission can disable a logging sink. Attackers may also delete the storage destinations themselves, such as the S3 bucket a trail delivers to or a Cloud Logging log bucket, which both interrupts ongoing logging and destroys historical forensic data. Two caveats matter for responders: CloudTrail Event history retains the last 90 days of management events in each Region regardless of trail state, and the Google Cloud _Required log bucket, which holds Admin Activity audit logs, cannot be deleted or disabled, so the tampering calls themselves usually leave a record.

Another technique removes the CloudTrail trail or Google Cloud sink altogether, breaking the path that delivers logs to storage. More subtle attacks target the encryption of the logs. In AWS, an adversary can alter the policy of the KMS key a trail uses for SSE-KMS encryption so that CloudTrail is no longer permitted to use it; delivery then fails with encryption-related errors (surfaced as the trail's latest delivery error in GetTrailStatus) even though the trail still reports that it is logging. The Google Cloud counterpart is manipulating the customer-managed encryption key (CMEK) protecting a log bucket, which renders stored logs inaccessible or unreadable.

Researchers also observed log poisoning, in which attackers modify stored log files to remove or alter evidence of their actions. Because logs are stored as JSON objects in cloud storage (gzipped .json.gz files in the CloudTrail case), an attacker with object-level write permissions can download a file, edit out the incriminating records, and overwrite it. Without an integrity mechanism such as CloudTrail log file validation, which must be enabled on the trail, these modifications may go undetected.

In addition to disrupting visibility, attackers configure new logging routes or modify existing ones to redirect logs to infrastructure they control. In AWS, a trail can be created or updated to deliver to an S3 bucket in the attacker's account, provided that bucket's policy grants cloudtrail.amazonaws.com write access; the attacker then receives a continuous copy of the victim's API telemetry outside the victim's control. Google Cloud logging sinks can similarly be configured to export logs to a destination in another project.
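The techniques above all surface as management events in the very logs they attack, at least until delivery stops. The following detection pass is an added example for this advisory, not code from Unit 42 or the linked article: it scans a CloudTrail log file for the calls that stop, remove, re-key or redirect logging, and treats denied attempts as a signal in their own right. The records are constructed to match the shape of real CloudTrail entries; KNOWN_LOG_BUCKETS and LOG_KMS_KEY_IDS are assumptions standing in for an organization's inventory of legitimate logging destinations.

```python
"""Flag CloudTrail management events that impair, redirect or probe logging.

Added example for this advisory (not Unit 42's code). Runs offline over
constructed records shaped like real CloudTrail entries. KNOWN_LOG_BUCKETS
and LOG_KMS_KEY_IDS are assumptions: a real deployment would fill them from
its inventory of trails, buckets and keys.
"""
import json

KNOWN_LOG_BUCKETS = {"corp-cloudtrail-logs"}                      # assumption
LOG_KMS_KEY_IDS = {                                               # assumption
    "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab",
}

# (eventSource, eventName) pairs whose success stops, removes or weakens log
# delivery. S3 and KMS entries only count when they touch a logging bucket or
# logging key; that scoping happens in findings_for().
IMPAIRING_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "trail logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "trail deleted",
    ("cloudtrail.amazonaws.com", "PutEventSelectors"): "trail event selectors changed",
    ("s3.amazonaws.com", "DeleteBucket"): "log bucket deleted",
    ("s3.amazonaws.com", "PutBucketPolicy"): "log bucket policy changed",
    ("kms.amazonaws.com", "DisableKey"): "log encryption key disabled",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "log encryption key scheduled for deletion",
    ("kms.amazonaws.com", "PutKeyPolicy"): "log encryption key policy changed",
}


def findings_for(record):
    """Return the reasons one CloudTrail record is suspicious (empty list if none)."""
    src = record.get("eventSource")
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    reasons = []

    reason = IMPAIRING_CALLS.get((src, name))
    if reason:
        # Scope S3 and KMS calls to the resources that actually carry logs.
        # Note: keyId is whatever the caller passed (ID, alias or ARN); a
        # production rule should normalize it before the lookup.
        if src == "s3.amazonaws.com" and params.get("bucketName") not in KNOWN_LOG_BUCKETS:
            reason = None
        elif src == "kms.amazonaws.com" and params.get("keyId") not in LOG_KMS_KEY_IDS:
            reason = None
    if reason:
        reasons.append(reason)

    # A new or modified trail delivering to a bucket we do not own is the
    # "redirect telemetry to attacker infrastructure" case.
    if src == "cloudtrail.amazonaws.com" and name in ("CreateTrail", "UpdateTrail"):
        bucket = params.get("s3BucketName")
        if bucket and bucket not in KNOWN_LOG_BUCKETS:
            reasons.append(f"trail delivers to unrecognized bucket {bucket}")

    # A denied call is still worth an alert: someone probed the logging controls.
    if reasons and record.get("errorCode"):
        reasons = [f"attempted but denied ({record['errorCode']}): {r}" for r in reasons]
    return reasons


def scan_log_file(log_file_json):
    """Scan one CloudTrail log file ({"Records": [...]}) and return a list of findings."""
    findings = []
    for record in json.loads(log_file_json).get("Records", []):
        for reason in findings_for(record):
            findings.append({
                "eventTime": record.get("eventTime"),
                "eventName": record.get("eventName"),
                "actor": (record.get("userIdentity") or {}).get("arn"),
                "reason": reason,
            })
    return findings


# Constructed sample log file; account, identities and names are placeholders.
ADMIN = "arn:aws:iam::111111111111:user/compromised-admin"
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2026-06-17T09:00:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DescribeTrails", "requestParameters": None,
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"}},
    {"eventTime": "2026-06-17T09:02:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2026-06-17T09:03:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "CreateTrail", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"name": "backup-trail", "s3BucketName": "ops-archive-7f3a"}},
    {"eventTime": "2026-06-17T09:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "PutKeyPolicy", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"keyId": next(iter(LOG_KMS_KEY_IDS)), "policyName": "default"}},
    {"eventTime": "2026-06-17T09:06:30Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "userIdentity": {"arn": ADMIN},   # unrelated key: no finding
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/ffff0000-app-data-key"}},
    {"eventTime": "2026-06-17T09:08:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": {"arn": ADMIN}, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "corp-cloudtrail-logs"}},
]})

if __name__ == "__main__":
    for f in scan_log_file(SAMPLE_LOG_FILE):
        print(f"{f['eventTime']} {f['eventName']:<14} {f['actor']}  {f['reason']}")
```

Run against the sample, the pass reports four findings (the StopLogging call, the trail pointed at an unknown bucket, the policy change on the logging key, and the denied attempt to delete the log bucket) and ignores the read-only DescribeTrails and the DisableKey on an unrelated key. In practice the same rule set belongs in the SIEM or in CloudWatch/EventBridge rules on the trail itself, because once StopLogging succeeds the attacker's later calls are no longer delivered to S3, which is exactly why the first finding has to page someone.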

Figure 1: Impair logging via attacker-controlled encryption key attack flow in AWS 

Impact?

These techniques can result in complete loss of visibility into cloud activity, destruction of forensic evidence, covert monitoring of victim environments, and long-term persistence. By redirecting logs to attacker-controlled locations, adversaries can passively observe API activity, identity and access management changes, and data access events without relying on traditional monitoring methods.

Researchers identified two primary objectives behind these activities: defense evasion, through the disruption or manipulation of logging systems, and continuous visibility, through the collection of cloud telemetry in attacker-controlled environments.

Recommendation

Organizations should enforce strict access controls on cloud logging resources and tightly limit the permissions that can modify trails, sinks, and storage destinations; for example, deny cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and the corresponding S3 and KMS actions to everything except a dedicated logging role, using a service control policy where an AWS Organization is in place. Log storage should be protected against deletion or modification, for instance by delivering an organization trail to a separate logging account, enabling S3 Object Lock or versioning on the destination bucket, and locking the retention policy on Cloud Logging buckets.

Security teams should review their environments for unauthorized changes to logging configuration, including stopped or deleted trails, disabled or re-pointed sinks, changed policies on the keys that encrypt logs, and unexpected export destinations, and should alert on the API calls that make such changes rather than waiting to notice the silence. Where available, integrity validation should be enabled so that modification or deletion of stored log data is detectable; for CloudTrail this is log file validation, which produces signed hourly digest files that aws cloudtrail validate-logs checks against the stored objects.
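The poisoning scenario described earlier (an attacker with object-level write access rewriting a stored log file) and the integrity recommendation above meet in the digest check. The following is an added example for this advisory, not Unit 42's or AWS's code: it reproduces the per-file check that aws cloudtrail validate-logs performs, decompressing each stored .json.gz object, hashing its content with SHA-256, and comparing the result with the hashValue the digest recorded, and then shows a poisoned and a deleted file both being caught. The bucket contents and the digest are constructed in memory and carry only the logFiles portion of a real digest; the digest's own RSA signature (SHA256withRSA, verified with the key from aws cloudtrail list-public-keys) is not modelled here, so the digest is treated as already authenticated.

```python
"""Verify stored CloudTrail log files against a digest manifest.

Added example for this advisory (not Unit 42's or AWS's code). Mirrors the
per-file check of `aws cloudtrail validate-logs`: decompress the stored
object, SHA-256 the content, compare with the digest's hashValue. The log
objects and digest below are constructed in memory; the digest signature
is not modelled, so the digest is assumed authentic.
"""
import gzip
import hashlib
import json


def store_log_file(records):
    """Serialize records the way CloudTrail writes a log file: gzipped JSON with a Records array."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"))


def log_file_hash(gz_bytes):
    """Digest files record the SHA-256 of the *uncompressed* log file content."""
    return hashlib.sha256(gzip.decompress(gz_bytes)).hexdigest()


def build_digest(bucket, objects):
    """Constructed digest carrying the logFiles array of a CloudTrail digest (other fields omitted)."""
    return {
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key,
             "hashAlgorithm": "SHA-256", "hashValue": log_file_hash(data)}
            for key, data in sorted(objects.items())
        ],
    }


def validate(digest, objects):
    """Return {s3Object: 'ok' | 'tampered' | 'missing'} for every file the digest covers."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if key not in objects:
            results[key] = "missing"      # deleted after the digest was issued
        elif log_file_hash(objects[key]) != entry["hashValue"]:
            results[key] = "tampered"     # rewritten in place
        else:
            results[key] = "ok"
    return results


def poison(gz_bytes, drop_event_name):
    """What an attacker with s3:PutObject does: strip incriminating records and re-upload."""
    doc = json.loads(gzip.decompress(gz_bytes))
    doc["Records"] = [r for r in doc["Records"] if r.get("eventName") != drop_event_name]
    return gzip.compress(json.dumps(doc).encode("utf-8"))


# Constructed bucket contents: two log files, one of which records the StopLogging call.
BUCKET = "corp-cloudtrail-logs"
PREFIX = "AWSLogs/111111111111/CloudTrail/us-east-1/2026/06/17/"
KEY_A = PREFIX + "111111111111_CloudTrail_us-east-1_20260617T0900Z_a1.json.gz"
KEY_B = PREFIX + "111111111111_CloudTrail_us-east-1_20260617T0905Z_b2.json.gz"
ORIGINAL_OBJECTS = {
    KEY_A: store_log_file([
        {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com"},
        {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com"},
    ]),
    KEY_B: store_log_file([
        {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com"},
    ]),
}
DIGEST = build_digest(BUCKET, ORIGINAL_OBJECTS)


def demo():
    """Clean bucket validates; after the attack one file is tampered and one is missing."""
    clean = validate(DIGEST, ORIGINAL_OBJECTS)
    attacked = dict(ORIGINAL_OBJECTS)
    attacked[KEY_A] = poison(attacked[KEY_A], "StopLogging")
    del attacked[KEY_B]
    return clean, validate(DIGEST, attacked)


if __name__ == "__main__":
    before, after = demo()
    print("before attack:", before)
    print("after attack: ", after)
```

The check only holds if the attacker cannot also rewrite the digest, which is why the real digest files are signed by CloudTrail and why the recommendation is to keep them in a bucket the workload accounts cannot write to. An attacker who deletes digest files instead of forging them produces a gap that validate-logs reports, so a missing digest deserves the same alert as a failed hash.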

Conclusion

Cloud logging infrastructure has become a direct target for attackers seeking to evade detection and maintain visibility into compromised environments. By disabling logging, manipulating log data, altering encryption controls, or redirecting telemetry to attacker-controlled destinations, threat actors can significantly reduce defensive visibility while enhancing their own intelligence-gathering capabilities. Securing the integrity and availability of cloud logging services is therefore essential for effective monitoring, incident response, and forensic investigations.

Source
https://gbhackers.com/attackers-exploit-cloud-logging-platforms/
https://unit42.paloaltonetworks.com/cloud-logging-defense-evasion/