AWS Logging Disabled

Detection overview

Triggers

  • Disable or delete CloudTrail logging within a region where the logging is already enabled.

Possible Root Causes

  • An attacker has deleted CloudTrail logs to hide their tracks and/or to prevent investigation of their historical activities.
  • An administrator has disabled CloudTrail logging as part of normal changes to the environment.

Business Impact

  • Inability to detect future attacks, investigate future or historical attacks, or audit activity within the environment.
  • Increased risk of activity that may negatively impact the business going unnoticed.

Steps to Verify

  • Review the actions undertaken by the user after the identified activity, and the potential risk posed by that access, in regions where logging remains (if any).
  • Review security policy to determine if the removal of logging capabilities is allowed.
  • Discuss with the user to determine if the activity is known and legitimate.
  • If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.
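The trigger above (a StopLogging or DeleteTrail against a trail that is currently logging in that region) and the first verification step (what the same principal did afterwards in regions that still log) can both be expressed as a replay over CloudTrail management events. The following is an added example written for this page, not code from the detection vendor or from AWS. The events are constructed samples using the real CloudTrail record fields (eventSource, eventName, awsRegion, userIdentity.arn, requestParameters.name); the function names, the `initially_enabled` seed and the normalisation of trail names to their last path component are assumptions of this example.

```python
from typing import Iterable

# CloudTrail API calls that stop a trail from recording in its region.
DISABLING_EVENTS = {"StopLogging", "DeleteTrail"}

# Constructed sample events (not real log data). Two trails are started by an
# admin, then a second principal stops one, pokes around, and deletes the other.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StartLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "requestParameters": {"name": "org-trail-eu"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T11:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {}},
    # StopLogging against a trail never observed as enabled: no alert unless
    # the caller seeds it via initially_enabled (see usage note).
    {"eventTime": "2024-01-01T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"name": "unknown-trail"}},
    # Trail name given as an ARN; normalised to "org-trail-eu" below.
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-trail-eu"}},
]


def _trail_name(event: dict) -> str:
    # requestParameters.name may be a trail name or its ARN; take the last path
    # component so both forms map to the same (region, trail) key (assumption).
    name = (event.get("requestParameters") or {}).get("name", "")
    return name.rsplit("/", 1)[-1]


def detect_logging_disabled(events: Iterable[dict], initially_enabled: Iterable[tuple] = ()) -> list:
    """Replay management events in time order and emit one alert per
    StopLogging/DeleteTrail that hits a trail believed to be logging in that
    region. A trail counts as enabled if a StartLogging was seen in the stream
    or the (region, trail) pair was passed in initially_enabled. Each alert
    also carries the actor's later events in regions that still had an
    enabled trail at alert time, which is the evidence the first verification
    step asks the analyst to review."""
    enabled = set(initially_enabled)
    ordered = sorted(events, key=lambda e: e["eventTime"])
    alerts = []
    for i, ev in enumerate(ordered):
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        key = (ev["awsRegion"], _trail_name(ev))
        if ev["eventName"] == "StartLogging":
            enabled.add(key)
        elif ev["eventName"] in DISABLING_EVENTS and key in enabled:
            actor = ev["userIdentity"].get("arn", "unknown")
            remaining_regions = {r for r, t in enabled if (r, t) != key}
            alerts.append({
                "time": ev["eventTime"], "region": key[0], "trail": key[1],
                "action": ev["eventName"], "actor": actor,
                "followup": [
                    (e["eventTime"], e["awsRegion"], e["eventName"])
                    for e in ordered[i + 1:]
                    if e["userIdentity"].get("arn") == actor
                    and e["awsRegion"] in remaining_regions
                ],
            })
            enabled.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_logging_disabled(SAMPLE_EVENTS):
        print(alert["time"], alert["region"], alert["action"], alert["trail"], "by", alert["actor"])
        for when, region, name in alert["followup"]:
            print("   followup:", when, region, name)
```

Run against the sample it raises two alerts (the us-east-1 StopLogging, with the actor's three later eu-west-1 events attached, and the eu-west-1 DeleteTrail, with nothing attached because no logging region remains). The StopLogging against unknown-trail is silent because the detector only knows trails it has seen started; in production, seed `initially_enabled` from an inventory of the account's trails and their status rather than relying on StartLogging events inside the replay window, otherwise a trail enabled long before the window is never protected.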