New cloud security research! We found a method to bypass CloudTrail logging for specific IAM actions via an undocumented API service! Attackers could perform some reconnaissance activities while being undetected. https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/
AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass | Datadog Security Labs

Public disclosure of a method to bypass CloudTrail for specific IAM actions.

As a security researcher, I think one of the most interesting areas of cloud sec research is defense evasion, because CSP customers rely on built-in logging methods (such as CloudTrail) to determine what occurred during an intrusion.
Most threat actors take the noisy approach of brute forcing to enumerate permissions and resources in the environment. We saw this just recently in an excellent article from @expel https://expel.com/blog/incident-report-stolen-aws-access-keys/
Incident report: stolen AWS access keys

Here we walk through what happens when attackers steal a set of AWS access keys. Recently, our SOC, threat hunting, and detection engineering teams collaborated on such an incident.

Expel
But if an adversary could do that enumeration/reconnaissance without logging to CloudTrail, they could be completely invisible to the customer. I explored this a bit in some previous research: https://frichetten.com/blog/aws-api-enum-vuln/
Enumerate AWS API Permissions Without Logging to CloudTrail

Writeup for a bug I discovered in the AWS API that would allow you to enumerate certain permissions for a role without logging to CloudTrail.
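The contrast drawn above, between noisy brute-force enumeration that CloudTrail records and reconnaissance that never reaches CloudTrail, is easiest to see from the detection side. The following is an added example, not code from this thread or from the Datadog or Expel write-ups: a small detector that scans CloudTrail-style records for a principal that racks up many distinct denied API calls in a short window, which is what the brute-force approach looks like in the logs. The records, principal ARNs and thresholds are constructed sample values. The point of the research linked in this thread is precisely that this kind of detection is blind to calls that never produce a CloudTrail event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes CloudTrail uses for authorization failures (the third form is EC2's).
DENIED_CODES = {"AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"}


def _event(ts, arn, source, name, error=None):
    """Build a minimal CloudTrail-style record (constructed sample data, not a real log)."""
    ev = {"eventTime": ts, "userIdentity": {"arn": arn},
          "eventSource": source, "eventName": name}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed principals; the account id is a placeholder, not a real account.
STOLEN = "arn:aws:iam::111122223333:user/stolen-key"
DEV = "arn:aws:iam::111122223333:user/developer"

SAMPLE_EVENTS = [
    # A leaked key probing many services in quick succession: each denied call is logged.
    _event("2023-04-10T12:00:01Z", STOLEN, "s3.amazonaws.com", "ListBuckets", "AccessDenied"),
    _event("2023-04-10T12:00:04Z", STOLEN, "ec2.amazonaws.com", "DescribeInstances", "Client.UnauthorizedOperation"),
    _event("2023-04-10T12:00:09Z", STOLEN, "iam.amazonaws.com", "ListUsers", "AccessDenied"),
    _event("2023-04-10T12:00:15Z", STOLEN, "secretsmanager.amazonaws.com", "ListSecrets", "AccessDenied"),
    _event("2023-04-10T12:00:22Z", STOLEN, "lambda.amazonaws.com", "ListFunctions20150331", "AccessDenied"),
    _event("2023-04-10T12:00:40Z", STOLEN, "sts.amazonaws.com", "GetCallerIdentity"),  # succeeds, ignored
    _event("2023-04-10T12:01:03Z", STOLEN, "rds.amazonaws.com", "DescribeDBInstances", "AccessDenied"),
    # A developer who mistypes a couple of calls during the day: stays below threshold.
    _event("2023-04-10T09:14:10Z", DEV, "s3.amazonaws.com", "GetObject", "AccessDenied"),
    _event("2023-04-10T09:14:12Z", DEV, "s3.amazonaws.com", "GetObject"),
    _event("2023-04-10T15:42:51Z", DEV, "iam.amazonaws.com", "GetRole", "AccessDenied"),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_noisy_enumeration(events, min_denied=5, window_seconds=300):
    """Flag principals with at least min_denied *distinct* denied API calls inside any
    span of window_seconds. Returns {arn: sorted list of (eventSource, eventName)} covering
    every distinct denied call that principal made, so a responder sees the whole probe."""
    denied_by_arn = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") not in DENIED_CODES:
            continue  # successful calls and other errors are not enumeration signal here
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        denied_by_arn[arn].append((_parse_time(ev["eventTime"]), ev["eventSource"], ev["eventName"]))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for arn, denials in denied_by_arn.items():
        denials.sort()  # chronological, so a two-pointer sliding window works
        start = 0
        for end in range(len(denials)):
            # shrink the window from the left until denials[start..end] fits in window_seconds
            while denials[end][0] - denials[start][0] > window:
                start += 1
            distinct = {(src, name) for _, src, name in denials[start:end + 1]}
            if len(distinct) >= min_denied:
                findings[arn] = sorted({(src, name) for _, src, name in denials})
                break
    return findings


if __name__ == "__main__":
    for arn, calls in find_noisy_enumeration(SAMPLE_EVENTS).items():
        print(f"possible permission enumeration by {arn}:")
        for src, name in calls:
            print(f"  {src} {name}")
```

Counting distinct denied calls rather than raw denials keeps a single misconfigured script that retries one call from tripping the rule, while a key being walked across services still does. The window and threshold are starting points to tune against an account's own baseline of AccessDenied noise.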

What is unique about this finding, however, is that it returns results, allowing an attacker to perform specific IAM actions and get results without logging to CloudTrail! https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/