AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass
Datadog Security Labs securitylabs.datadoghq.com
AWS administrators depend on CloudTrail to monitor API activity within their accounts. By logging API usage, CloudTrail enables teams to detect suspicious activity in AWS environments, catch attacks quickly, and better understand what happened following security incidents.
The Datadog Security Research Team identified a method to bypass CloudTrail logging for specific IAM API requests via undocumented APIs. This technique would allow an adversary to perform reconnaissance activities in the IAM service after gaining a foothold in an AWS account—without leaving …