StopLogging
AWS
StopLogging
Event
Stops logging API activity for a CloudTrail trail, disabling audit log collection for that trail.
Security Context
- Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.
Log Source
CloudTrail
Sample Event
Adversarial. Draco stops the org-managed trail fantasticlogs-org-trail in us-east-1. Important detail: the StopLogging event itself is logged (CloudTrail records the API call before honoring it), so this event will appear in the trail’s last batch of records. Defenders need real-time alerting on this specific event because retroactive log review will show it but only as the very last entry. T1685.002.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T21:04:08Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "name": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail" }, "responseElements": null, "requestID": "90000000-0000-4000-8000-000110111010", "eventID": "90000000-0000-4000-8000-000110111011", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...