Amazon Web Services (AWS) has patched a bypass bug that attackers could exploit to circumvent CloudTrail API monitoring. The vulnerability impacts the CloudTrail event logging service, which is a data source for defenders examining API activities.

While using the AWS Console, Datadog security researchers noticed several requests to a service called “iamadmin.” They discovered that it was an undocumented API, and that no events were being recorded in CloudTrail when its endpoints were called.

Impact

AWS administrators depend on CloudTrail to monitor API activity within their accounts. CloudTrail logs API usage so that teams can detect suspicious activity in AWS environments, catch attacks and better understand security incidents. The vulnerability enabled threat actors to bypass CloudTrail logging for the Identity and Access Management (IAM) service and perform reconnaissance in IAM undetected.

DXC perspective

AWS has patched the vulnerability with a fix that causes iamadmin API calls to generate CloudTrail events in the same way that IAM service calls do. We encourage you to deploy the patch and to make sure you have a robust cyber defense program in place to guard against attacks. Additionally, CloudTrail logs from before the patch may not be complete, so we encourage you to review your logs.
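The log review recommended above can be started with a small script. The following is an added example written for this advisory, not code from AWS, Datadog or DXC: it reads a CloudTrail log file, keeps only read-only calls to the IAM service (eventSource iam.amazonaws.com, which is where IAM calls, and after the fix iamadmin calls, are expected to appear; that mapping is an assumption here) and flags any principal that issues several distinct enumeration calls within a short window, the pattern a reconnaissance sweep leaves behind. The log records, account id, ARNs, IP addresses and timestamps are constructed for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style log file (same "Records" envelope CloudTrail
# delivers to S3). Account id, principals, IPs and times are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-20T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    {"eventTime": "2023-01-20T10:00:30Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    {"eventTime": "2023-01-20T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListPolicies",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    {"eventTime": "2023-01-20T10:01:30Z", "eventSource": "iam.amazonaws.com", "eventName": "ListGroups",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    {"eventTime": "2023-01-20T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetAccountAuthorizationDetails",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    {"eventTime": "2023-01-20T10:02:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListAttachedUserPolicies",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    # Unrelated EC2 call from the same principal: not an IAM event, ignored.
    {"eventTime": "2023-01-20T10:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "198.51.100.10", "readOnly": True},
    # Normal, low-volume IAM reads from another principal: below threshold.
    {"eventTime": "2023-01-20T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.5", "readOnly": True},
    {"eventTime": "2023-01-20T11:30:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListAccessKeys",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.5", "readOnly": True},
    # A write call: not enumeration, so excluded from this particular check.
    {"eventTime": "2023-01-20T11:31:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "203.0.113.5", "readOnly": False},
]})

IAM_SOURCE = "iam.amazonaws.com"
ENUM_PREFIXES = ("List", "Get")   # IAM read/enumeration API families


def load_records(log_text):
    """Parse a CloudTrail log file body and return its list of event records."""
    return json.loads(log_text)["Records"]


def is_iam_enumeration(record):
    """True for read-only List*/Get* calls to the IAM service."""
    return (record.get("eventSource") == IAM_SOURCE
            and record.get("eventName", "").startswith(ENUM_PREFIXES)
            and record.get("readOnly", False))


def iam_read_counts(records):
    """Count IAM enumeration calls per calling principal (ARN)."""
    return Counter(r["userIdentity"].get("arn", "<unknown>")
                   for r in records if is_iam_enumeration(r))


def enumeration_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Flag principals that issue >= threshold *distinct* IAM enumeration calls
    inside any `window`-long interval. Returns {arn: sorted list of API names}."""
    by_principal = defaultdict(list)
    for r in records:
        if is_iam_enumeration(r):
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[r["userIdentity"].get("arn", "<unknown>")].append((t, r["eventName"]))
    flagged = {}
    for arn, events in by_principal.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):          # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            flagged[arn] = sorted(best)
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("IAM read calls per principal:", dict(iam_read_counts(recs)))
    for arn, apis in enumeration_bursts(recs).items():
        print(f"possible IAM reconnaissance by {arn}: {', '.join(apis)}")
```

Point `load_records` at your own exported CloudTrail files and tune `window` and `threshold` to the normal volume of IAM reads in your account; the distinct-API count is used rather than a raw call count so that a single tool polling one API in a loop does not trigger the check.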