Threat Actors Exploit AWS and Google Cloud Logging to Evade Detection and Maintain Persistence
Cybercriminals are increasingly targeting Amazon Web Services (AWS) CloudTrail and Google Cloud Logging to manipulate logs, evade detection, and maintain long-term access to victim environments. These attacks exploit fundamental trust in cloud logging systems, often going unnoticed by organizations that assume logs are inherently secure.
The primary objectives of these attacks are defense evasion and continuous visibility. To evade detection, attackers disrupt or alter logging mechanisms, blinding security tools like SIEMs, SOAR, and CSPM platforms. Common techniques include:
- Stopping logging (e.g., invoking CloudTrail `stop-logging` or disabling Google Cloud sinks).
- Deleting storage destinations (e.g., removing S3 buckets or Google log buckets).
- Deleting log routers (e.g., removing AWS trails or Google sinks).
These actions create immediate visibility gaps, often preceding lateral movement or data exfiltration.
More sophisticated methods impair forensic integrity without obvious disruption. Attackers may swap encryption keys (e.g., replacing AWS KMS keys or Google Cloud CMEK keys) and revoke access, rendering logs unreadable while they are still being written. Log poisoning is another risk: adversaries can download, modify, and re-upload JSON log files, corrupting audit trails and misleading investigations.
While AWS offers CloudTrail log file integrity validation and Google provides log bucket locking, these protections are not universally enabled and can be bypassed if misconfigured.
For continuous visibility, attackers create or modify log routing to send copies of logs to attacker-controlled destinations. On AWS, they can update trails to target external S3 buckets, while on Google Cloud, they can redirect sinks to external storage. This allows near real-time monitoring of privilege changes, resource creation, and data access, enabling stealthy reconnaissance and privilege escalation.
The impact varies by technique:
- High-impact, high-signal (e.g., stopping logging or log redirection) clearly indicates malicious intent.
- Low-signal, high-impact (e.g., log deletion or encryption misuse) may appear as operational errors unless closely monitored.
Defenders are advised to treat logging infrastructure as high-value assets, enforcing strict controls such as:
- Restricting API calls for `update-trail`, `stop-logging`, and `logging.sinks.update`.
- Enforcing least privilege on S3 and Cloud Storage.
- Enabling CloudTrail log file integrity validation and Google log bucket locking.
- Ensuring only logging service principals can write to canonical buckets.
Detection strategies include:
- Using immutably retained, provider-managed buckets (e.g., AWS Event History, Google’s Required/Default log buckets).
- Alerting on modifications to trails, sinks, KMS/CMEK keys, or unexpected log destination updates.
- Monitoring EventBridge or Cloud Audit Logs for suspicious configuration changes.
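The following is an added example, not code from the article or from either cloud provider: a small detection pass over constructed CloudTrail records and Google Cloud Audit Log entries that flags the techniques listed above (stopping logging, deleting trails or sinks, redirecting a trail or sink to a non-canonical destination, swapping or disabling the trail's KMS key, deleting a log bucket) and labels each finding high- or low-signal as the impact list does. The canonical bucket name, KMS key ARN, trusted Google Cloud destination, principals and every sample event are assumptions constructed for the example; the event field names follow the CloudTrail and Cloud Audit Log schemas as commonly documented.

```python
# Added example (not from the article): flag CloudTrail and Google Cloud audit
# log events that match the logging-tampering techniques described above.
# Inventory values below are assumptions standing in for IaC or CMDB data.
CANONICAL_S3_BUCKETS = {"org-cloudtrail-canonical"}  # assumed
TRAIL_KMS_KEY_ID = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"  # assumed
TRUSTED_GCP_DESTINATIONS = {  # assumed
    "logging.googleapis.com/projects/example-logging/locations/global/buckets/_Default",
}


def _finding(provider, signal, technique, api, actor):
    # High signal: unambiguous tampering. Low signal: looks like an operational
    # error unless correlated with the trail/sink inventory above.
    return {"provider": provider, "signal": signal, "technique": technique,
            "api": api, "actor": actor}


def classify_cloudtrail(event):
    """Return a finding for a tampering-related CloudTrail record, else None."""
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    if src == "cloudtrail.amazonaws.com":
        if name in {"StopLogging", "DeleteTrail"}:
            return _finding("aws", "high", "logging stopped or trail deleted", name, actor)
        if name == "UpdateTrail":
            bucket = params.get("s3BucketName")
            if bucket and bucket not in CANONICAL_S3_BUCKETS:
                return _finding("aws", "high", f"trail redirected to {bucket}", name, actor)
            key = params.get("kmsKeyId")
            if key and key != TRAIL_KMS_KEY_ID:
                return _finding("aws", "low", "trail KMS key swapped", name, actor)
    elif src == "kms.amazonaws.com" and name in {"DisableKey", "ScheduleKeyDeletion"}:
        if params.get("keyId") == TRAIL_KMS_KEY_ID:
            return _finding("aws", "low", "trail KMS key disabled or scheduled for deletion", name, actor)
    elif src == "s3.amazonaws.com" and name == "DeleteBucket":
        if params.get("bucketName") in CANONICAL_S3_BUCKETS:
            return _finding("aws", "low", "canonical log bucket deleted", name, actor)
    return None


def classify_gcp_audit(entry):
    """Return a finding for a tampering-related Cloud Audit Log entry, else None."""
    payload = entry.get("protoPayload") or {}
    if payload.get("serviceName") != "logging.googleapis.com":
        return None
    method = payload.get("methodName", "")
    short = method.rsplit(".", 1)[-1]  # "...ConfigServiceV2.UpdateSink" -> "UpdateSink"
    actor = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
    sink = (payload.get("request") or {}).get("sink") or {}
    if short == "DeleteSink":
        return _finding("gcp", "high", "log sink deleted", method, actor)
    if short == "UpdateSink":
        if sink.get("disabled"):
            return _finding("gcp", "high", "log sink disabled", method, actor)
        dest = sink.get("destination")
        if dest and dest not in TRUSTED_GCP_DESTINATIONS:
            return _finding("gcp", "high", f"sink redirected to {dest}", method, actor)
    if short == "DeleteBucket":
        return _finding("gcp", "low", "log bucket deleted", method, actor)
    return None


def scan(events):
    """Classify a mixed stream of CloudTrail records and Cloud Audit Log entries."""
    findings = []
    for ev in events:
        f = classify_gcp_audit(ev) if "protoPayload" in ev else classify_cloudtrail(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events (not captured from a real environment).
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"name": "org-trail", "s3BucketName": "external-bucket-example"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"name": "org-trail", "s3BucketName": "org-cloudtrail-canonical",
                           "kmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/OTHER-KEY-ID"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",  # benign change
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"},
     "requestParameters": {"name": "org-trail", "s3BucketName": "org-cloudtrail-canonical"}},
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "request": {"sink": {"name": "org-sink",
                                           "destination": "storage.googleapis.com/external-bucket-example"}}}},
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.DeleteBucket",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['provider']}] {f['signal']:4} {f['api']}: {f['technique']} by {f['actor']}")
```

Run against the constructed stream, the pass reports five findings and stays silent on the fourth event (an update that keeps the trail on its canonical bucket), which is the point of keeping an inventory of canonical destinations and keys: without it, `UpdateTrail` and `UpdateSink` are indistinguishable from routine maintenance and can only be alerted on as low-signal noise. In a real deployment the inventory is read from configuration management, and the findings feed EventBridge or Cloud Audit Log based alerting rather than stdout.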
These attacks underscore the critical need to secure cloud logging infrastructure, as control over logs equates to control over detection.
Source: https://gbhackers.com/aws-cloudtrail-and-google-cloud-exploited/
Amazon Web Services TPRM report: https://www.rankiteo.com/company/amazon-web-services
Google Cloud TPRM report: https://www.rankiteo.com/company/googlecloudsecurity
"id": "gooama1781166643",
"linkid": "googlecloudsecurity, amazon-web-services",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organizations using AWS or Google Cloud'}],
'attack_vector': 'Cloud Logging Manipulation',
'data_breach': {'data_encryption': 'Possible via encryption key swapping or '
'misuse',
'data_exfiltration': 'Possible via log redirection to '
'attacker-controlled destinations',
'file_types_exposed': ['JSON log files'],
'sensitivity_of_data': 'High (log integrity critical for '
'security investigations)',
'type_of_data_compromised': 'Log files and audit trails'},
'description': 'Cybercriminals are increasingly targeting Amazon Web Services '
'(AWS) CloudTrail and Google Cloud Logging to manipulate logs, '
'evade detection, and maintain long-term access to victim '
'environments. These attacks exploit fundamental trust in '
'cloud logging systems, often going unnoticed by organizations '
'that assume logs are inherently secure. The primary '
'objectives are defense evasion and continuous visibility, '
'involving techniques like stopping logging, deleting storage '
'destinations, swapping encryption keys, and log poisoning.',
'impact': {'data_compromised': 'Log integrity and audit trails',
'operational_impact': 'Loss of visibility into cloud environments, '
'impaired forensic investigations',
'systems_affected': ['AWS CloudTrail',
'Google Cloud Logging',
'SIEMs',
'SOAR',
'CSPM platforms']},
'lessons_learned': 'Cloud logging infrastructure must be treated as '
'high-value assets with strict access controls and '
'monitoring. Organizations should not assume logs are '
'inherently secure and must proactively secure logging '
'mechanisms to prevent manipulation.',
'motivation': ['Defense evasion',
'Continuous visibility',
'Lateral movement',
'Data exfiltration'],
'post_incident_analysis': {'corrective_actions': ['Implement strict access '
'controls for logging '
'infrastructure.',
'Enable integrity '
'validation and '
'immutability features.',
'Monitor for unauthorized '
'changes to logging '
'configurations.'],
'root_causes': 'Misconfigured or unprotected cloud '
'logging mechanisms, over-reliance '
'on default logging security'},
'recommendations': ['Restrict API calls for critical logging functions (e.g., '
'`update-trail`, `stop-logging`).',
'Enforce least privilege on cloud storage (e.g., S3, '
'Google Cloud Storage).',
'Enable CloudTrail log file integrity validation and '
'Google log bucket locking.',
'Use immutably retained, provider-managed log buckets.',
'Monitor for suspicious modifications to logging '
'configurations.',
'Alert on unexpected log destination updates or '
'encryption key changes.'],
'references': [{'source': 'Cybersecurity Report'}],
'response': {'containment_measures': ['Restricting API calls for '
'`update-trail`, `stop-logging`, and '
'`logging.sinks.update`',
'Enforcing least privilege on S3 and '
'Cloud Storage',
'Enabling CloudTrail log file integrity '
'validation and Google log bucket '
'locking'],
'enhanced_monitoring': 'Monitoring for suspicious configuration '
'changes in cloud logging infrastructure',
'remediation_measures': ['Using immutably retained, '
'provider-managed buckets (e.g., AWS '
'Event History, Google’s '
'Required/Default log buckets)',
'Alerting on modifications to trails, '
'sinks, KMS/CMEK keys, or unexpected '
'log destination updates',
'Monitoring EventBridge or Cloud Audit '
'Logs for suspicious configuration '
'changes']},
'threat_actor': 'Cybercriminals',
'title': 'Threat Actors Exploit AWS and Google Cloud Logging to Evade '
'Detection and Maintain Persistence',
'type': 'Cloud Security Incident',
'vulnerability_exploited': 'Misconfigured or unprotected cloud logging '
'mechanisms (AWS CloudTrail, Google Cloud Logging)'}