
Unexpected AWS API calls indicating logging evasion

ID: aws_logging_evasion_anomaly
Data type: AWS CloudTrail
Severity: Informational - Medium
MITRE ATT&CK: TA0005:T1562.008

Description

AlphaSOC detected modifications or disabling of AWS logging services through actions including StopLogging, StopImport, DeleteTrail, DeleteResourcePolicy, DeleteEventDataStore, DeleteChannel, PutEventSelectors, PutEventConfiguration, PutInsightSelectors, UpdateTrail, DeleteFlowLogs, PutResourcePolicy, and StopEventDataStoreIngestion affecting CloudTrail, VPC Flow Logs, and CloudWatch Logs. This detection identifies logging modifications performed from unusual locations, with unfamiliar user agents, or in unexpected regions. While administrators occasionally modify logging configurations for cost optimization or troubleshooting, threat actors disable logging to evade detection before conducting attacks.

Impact

Disabling or modifying AWS logging reduces visibility into account activity, limiting the ability to detect threats and investigate incidents. Without CloudTrail logs, organizations lose visibility into API activity including privilege escalation, resource modifications, and unauthorized access. Deleting VPC Flow Logs eliminates network traffic visibility, allowing lateral movement or data exfiltration. The absence of audit logs hampers incident response and forensic investigations, preventing full understanding of compromise scope.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent, or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
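The following is an added example, not AlphaSOC's detection code, showing how the description above and the severity ladder combine: each logging-modification event is compared against a per-principal baseline of expected actions, ASNs, user agents and regions, and the number of deviating properties selects the severity. The baseline, the IP-to-ASN map and the four CloudTrail records are hand-constructed; a real pipeline would learn the baseline from history and resolve ASNs with an ASN database.

```python
"""Score CloudTrail records for logging-evasion anomalies.

Added example, not AlphaSOC's code. BASELINE, IP_TO_ASN and SAMPLE_RECORDS
are constructed for illustration (assumptions, not real data).
"""

# Logging-modification API calls named in the detection description.
LOGGING_EVASION_EVENTS = {
    "StopLogging", "StopImport", "DeleteTrail", "DeleteResourcePolicy",
    "DeleteEventDataStore", "DeleteChannel", "PutEventSelectors",
    "PutEventConfiguration", "PutInsightSelectors", "UpdateTrail",
    "DeleteFlowLogs", "PutResourcePolicy", "StopEventDataStoreIngestion",
}

# Constructed baseline: what a principal normally does and from where.
# The key is userIdentity.arn as CloudTrail records it for a role session.
BASELINE = {
    "arn:aws:sts::111122223333:assumed-role/LoggingAdmin/ops": {
        "actions": {"PutEventSelectors", "UpdateTrail"},
        "asns": {16509},
        "user_agents": {"aws-cli/2.15.0"},
        "regions": {"us-east-1"},
    },
}

# Constructed IP -> ASN lookup standing in for a real ASN database.
IP_TO_ASN = {"198.51.100.7": 16509, "203.0.113.10": 64496}

# Maps the property name reported in a finding to its baseline field.
BASELINE_FIELD = {"action": "actions", "asn": "asns",
                  "user_agent": "user_agents", "region": "regions"}


def unexpected_properties(record, baseline=None):
    """Return the names of properties that deviate from the baseline.

    Only logging-modification events are scored; any other event yields [].
    A principal with no baseline entry has every property counted as unexpected,
    and an IP with no known ASN counts as an unexpected ASN.
    """
    baseline = BASELINE if baseline is None else baseline
    if record.get("eventName") not in LOGGING_EVASION_EVENTS:
        return []
    profile = baseline.get(record.get("userIdentity", {}).get("arn"), {})
    observed = {
        "action": record.get("eventName"),
        "asn": IP_TO_ASN.get(record.get("sourceIPAddress")),
        "user_agent": record.get("userAgent"),
        "region": record.get("awsRegion"),
    }
    return [prop for prop, value in observed.items()
            if value not in profile.get(BASELINE_FIELD[prop], set())]


def severity_for(count):
    """Severity ladder from the table: 1 -> Informational, 2 -> Low, 3+ -> Medium."""
    if count == 0:
        return None
    if count == 1:
        return "Informational"
    if count == 2:
        return "Low"
    return "Medium"


def score_records(records, baseline=None):
    """Return one finding per record that has at least one unexpected property."""
    findings = []
    for rec in records:
        props = unexpected_properties(rec, baseline)
        sev = severity_for(len(props))
        if sev:
            findings.append({"eventID": rec["eventID"], "eventName": rec["eventName"],
                             "severity": sev, "unexpected": props})
    return findings


# Constructed CloudTrail records (trimmed to the fields the scorer reads).
_ADMIN = {"arn": "arn:aws:sts::111122223333:assumed-role/LoggingAdmin/ops"}
SAMPLE_RECORDS = [
    # Routine event-selector change from the usual place: not flagged.
    {"eventID": "evt-1", "eventName": "PutEventSelectors", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "userIdentity": _ADMIN},
    # StopLogging from a new ASN, scripted client and odd region: all four properties deviate.
    {"eventID": "evt-2", "eventName": "StopLogging", "awsRegion": "eu-west-3",
     "sourceIPAddress": "203.0.113.10", "userAgent": "python-requests/2.31.0", "userIdentity": _ADMIN},
    # Flow-log deletion from the usual host but an unusual action and region.
    {"eventID": "evt-3", "eventName": "DeleteFlowLogs", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "userIdentity": _ADMIN},
    # Read-only call: never scored.
    {"eventID": "evt-4", "eventName": "DescribeTrails", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-cli/2.15.0", "userIdentity": _ADMIN},
]

if __name__ == "__main__":
    for finding in score_records(SAMPLE_RECORDS):
        print(finding)
```

Running the module prints two findings: evt-2 at Medium with all four properties unexpected, and evt-3 at Low (unexpected action and region). In a live deployment the baseline keys would be normalised to the role ARN rather than the session ARN so that every session of a role shares one profile.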

Investigation and Remediation

Review CloudTrail logs to identify the specific logging modification performed (StopLogging, DeleteTrail, DeleteFlowLogs, PutEventSelectors, or UpdateTrail). Examine the responsible IAM user or role and verify the source IP address, ASN, and user agent to determine if the activity was authorized. Check which logging services were affected and assess the time window during which logging was disabled or reduced.

If unauthorized, immediately re-enable CloudTrail logging, restore VPC Flow Logs, and verify CloudWatch Logs configurations. Revoke the compromised IAM credentials and rotate access keys. Implement AWS Organizations Service Control Policies to prevent logging modifications without multi-party approval. Configure CloudWatch alarms for critical logging configuration changes.
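As an added example of the Service Control Policy recommended above (not a policy from the original page), the block below builds an SCP that denies every logging-modification action listed in the description to all principals except a designated break-glass role, and includes a small evaluator so the policy's effect can be checked offline. The role name "LoggingBreakGlass" is a placeholder; the evaluator models only this Deny statement's StringNotLike condition, with fnmatch standing in for IAM wildcard matching, not the full IAM evaluation logic.

```python
"""Build and sanity-check an SCP that blocks logging modifications.

Added example, not from the original page or AlphaSOC. The break-glass role
ARN pattern is a placeholder assumption; is_denied() is a simplified model
of a single Deny statement, not a complete IAM policy evaluator.
"""
import json
from fnmatch import fnmatchcase

# IAM action names for the API calls in the detection description.
# VPC Flow Logs are deleted through the EC2 API, hence the ec2: prefix.
PROTECTED_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:StopImport",
    "cloudtrail:DeleteTrail",
    "cloudtrail:DeleteResourcePolicy",
    "cloudtrail:DeleteEventDataStore",
    "cloudtrail:DeleteChannel",
    "cloudtrail:PutEventSelectors",
    "cloudtrail:PutEventConfiguration",
    "cloudtrail:PutInsightSelectors",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutResourcePolicy",
    "cloudtrail:StopEventDataStoreIngestion",
    "ec2:DeleteFlowLogs",
]

# Placeholder: the role allowed to change logging after an approved request.
# aws:PrincipalArn is the role ARN for an assumed-role session, so the pattern
# targets role/<name>, not the sts assumed-role session ARN.
BREAK_GLASS_ROLE_PATTERN = "arn:aws:iam::*:role/LoggingBreakGlass"


def build_scp(break_glass_role_pattern=BREAK_GLASS_ROLE_PATTERN):
    """Return the SCP document as a dict (json.dumps it to attach to an OU)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyLoggingModificationExceptBreakGlass",
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotLike": {"aws:PrincipalArn": break_glass_role_pattern}
                },
            }
        ],
    }


def is_denied(policy, action, principal_arn):
    """True if a Deny statement in the policy matches this action and principal.

    Simplified model: only Deny statements with a StringNotLike condition on
    aws:PrincipalArn are evaluated, and fnmatch approximates IAM's * and ? wildcards.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        exempt_pattern = stmt["Condition"]["StringNotLike"]["aws:PrincipalArn"]
        if not fnmatchcase(principal_arn, exempt_pattern):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
```

Attach the policy to the organizational units that hold workload accounts; SCPs do not restrict the management account, so that account should keep no standing ability to modify logging. Pair the SCP with the CloudWatch alarms mentioned above so that a break-glass use still produces an alert.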

Known False Positives

  • Authorized cost optimization activities that adjust event selectors or logging scope

Further Reading