fwd:cloudsec 2023

Evading Logging in the Cloud: Disrupting and Bypassing AWS CloudTrail
06-12, 11:10–11:50 (US/Pacific), Salon B

AWS customers rely on CloudTrail for continuous monitoring and detection of security incidents within their cloud environments. However, what if an adversary were able to circumvent this crucial security layer, enabling them to perform stealthy reconnaissance and even alter the environment without leaving a trace?

In this talk I will discuss techniques seen in the wild to disable CloudTrail logging and how security teams can respond to this. In addition, I will cover multiple vulnerabilities that allowed me to bypass CloudTrail logging. I will go in depth as to how these vulnerabilities worked, and discuss how this research could potentially be applied to future bypasses. Security practitioners will come away with an understanding of both common and cutting-edge log evasion techniques in AWS.

Nick Frichette is a Senior Security Researcher at Datadog, where he specializes in AWS offensive security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.