Threat actors are increasingly targeting cloud logging services to evade detection and maintain persistent visibility into compromised environments, according to recent research by Palo Alto Networks Unit 42.
These services, designed as a critical security layer, are now being weaponized to create blind spots in cloud infrastructure.
Cloud logging platforms such as AWS CloudTrail and Google Cloud Logging serve as the primary source of truth for tracking activity across cloud environments.
Security teams rely heavily on these logs to power SIEM, SOAR, and CSPM tools. However, attackers who gain sufficient permissions can manipulate these systems to disrupt visibility or even exfiltrate logs for their own monitoring.
Researchers categorize these attacks into two primary tactics: defense evasion and continuous visibility. In defense evasion scenarios, attackers focus on disabling or tampering with logging mechanisms to avoid detection.
One of the most straightforward techniques involves stopping log collection entirely. In AWS, adversaries with cloudtrail:StopLogging permissions can halt logging via API calls, instantly blinding monitoring systems.
Similarly, in Google Cloud, attackers can disable logging sinks using logging.sinks.update permissions.
Another common technique is deleting log storage destinations. For example, attackers with s3:DeleteBucket permissions can remove CloudTrail log buckets, erasing forensic evidence.
In Google Cloud, log buckets can also be deleted, but they enter a delayed-deletion state, providing a limited recovery window.
More advanced attackers may impair logging by manipulating encryption keys. By replacing legitimate AWS KMS keys with attacker-controlled keys and then revoking access, logs become unreadable or fail to be written entirely.
A similar attack is possible in Google Cloud using customer-managed encryption keys (CMEK), effectively locking defenders out of their own logs.
Log poisoning is another stealthy technique. Attackers with object-level access can download, modify, and re-upload log files stored in services like Amazon S3, compromising data integrity and misleading incident response teams.
Beyond evasion, attackers are also leveraging logging systems for continuous visibility. Instead of triggering alerts with active reconnaissance, adversaries can configure new log routing mechanisms to send copies of logs to attacker-controlled environments.
In AWS, this involves creating new CloudTrail trails pointing to external S3 buckets, while in Google Cloud, attackers abuse logging sinks to redirect logs.
Log redirection is particularly dangerous, as it silently streams real-time activity data, including IAM changes, VM deployments, and data access events, to threat actors.

This enables long-term surveillance and strategic lateral movement without raising immediate alarms. The impact of these techniques ranges from loss of visibility to covert persistence and data exfiltration, Palo Alto Networks Unit 42 said.
For example, stopping logging results in total monitoring failure, while log redirection enables attackers to maintain ongoing insight into victim environments.
To mitigate these risks, organizations must enforce strict access controls on logging resources. Critical permissions such as update-trail, logging.sinks.update, and storage modifications should be restricted to highly privileged roles.
Enabling integrity validation features, such as AWS CloudTrail log file validation, can help detect tampering.
Cloud providers also offer built-in safeguards. AWS maintains a 90-day immutable event history for management actions, while Google Cloud provides system-created log buckets that cannot be altered or deleted. However, these protections may not cover all logging scenarios, particularly in custom configurations.
Organizations must treat log pipelines as critical assets and implement layered defenses to ensure visibility is not compromised during an attack.
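
The AWS techniques described above each leave a management event behind. The following added example (not from Unit 42 or the original article) classifies CloudTrail records into the two tactics. The trusted bucket and key names, the account ID and the sample events are constructed assumptions.

```python
# Assumptions (constructed): the bucket and KMS key this organization approves for CloudTrail.
TRUSTED_BUCKETS = {"org-cloudtrail-logs"}
TRUSTED_KMS_KEYS = {"arn:aws:kms:us-east-1:111111111111:key/constructed-key-id"}

def classify(event):
    """Map one CloudTrail management event to (tactic, reason), or None."""
    source, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    if source == "cloudtrail.amazonaws.com":
        if name == "StopLogging":
            return ("defense-evasion", "logging stopped on " + str(params.get("name")))
        if name in ("CreateTrail", "UpdateTrail"):
            bucket = params.get("s3BucketName")
            if bucket is not None and bucket not in TRUSTED_BUCKETS:
                return ("continuous-visibility", "logs routed to unapproved bucket " + bucket)
            key = params.get("kmsKeyId")
            if key is not None and key not in TRUSTED_KMS_KEYS:
                return ("defense-evasion", "trail re-keyed with unapproved key " + key)
    if source == "s3.amazonaws.com" and name == "DeleteBucket":
        if params.get("bucketName") in TRUSTED_BUCKETS:
            return ("defense-evasion", "log bucket deleted: " + params["bucketName"])
    return None

def triage(events):
    """Return one finding per event that matches a technique, in input order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            actor = (ev.get("userIdentity") or {}).get("arn")
            findings.append({"time": ev.get("eventTime"), "actor": actor,
                             "tactic": hit[0], "reason": hit[1]})
    return findings

def _ev(time, source, name, params):
    # Build a constructed record trimmed to the fields classify() reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/constructed-user"},
            "requestParameters": params}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("2024-01-01T10:00:00Z", "cloudtrail.amazonaws.com", "StopLogging", {"name": "org-trail"}),
    _ev("2024-01-01T10:05:00Z", "cloudtrail.amazonaws.com", "CreateTrail",
        {"name": "backup-trail", "s3BucketName": "external-bucket-constructed"}),
    _ev("2024-01-01T10:10:00Z", "cloudtrail.amazonaws.com", "UpdateTrail",
        {"name": "org-trail", "kmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/other"}),
    _ev("2024-01-01T10:15:00Z", "s3.amazonaws.com", "DeleteBucket", {"bucketName": "org-cloudtrail-logs"}),
    _ev("2024-01-01T10:20:00Z", "s3.amazonaws.com", "DeleteBucket", {"bucketName": "scratch-bucket"}),
    _ev("2024-01-01T10:25:00Z", "cloudtrail.amazonaws.com", "DescribeTrails", None),
]
```

Feeding it records from the event history, rather than only from the trail's own bucket, keeps the check useful when that bucket is what was tampered with.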

