Triggers

  • Disable or delete CloudTrail logging within a region where the logging is already enabled.

Possible Root Causes

  • An attacker has deleted CloudTrail logs to hide their tracks and/or has deleted the logs to prevent investigation of their historical activities.
  • An administrator has disabled CloudTrail logging as part of normal changes to the environment.

Business Impact

  • Inability to detect future attacks, investigate future or historical attacks, or audit activity within the environment.
  • Increased risk of activity that may negatively impact the business going unnoticed.

Steps to Verify

  • Review the actions being undertaken by the user after the identified activity and potential risk posed by that access in regions where logging remains (if any).
  • Review security policy to determine if the removal of logging capabilities is allowed.
  • Discuss with the user to determine if the activity is known and legitimate.
  • If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.