Skip to content

UpdateTrail

AWS

UpdateTrail

service: AWS - CloudTrail
techniques:

Event

Modifies the configuration of an existing CloudTrail trail, such as its S3 bucket, log validation, or multi-region settings.

Security Context

  • Deleting or modifying audit logs destroys forensic evidence and prevents security teams from reconstructing the attack timeline.

Log Source

CloudTrail

Sample Event

Adversarial. Instead of the loud StopLogging (covered separately in this shard), Draco weakens the trail: turns off log-file validation (EnableLogFileValidation: false) so future tampering with delivered S3 log files won’t be detectable, and turns off multi-region (IsMultiRegionTrail: false) so trails outside us-east-1 stop being recorded. Plausible-but-quiet — defenders who only alert on StopLogging will miss this. T1685.002.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T22:00:18Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "UpdateTrail",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"name": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail",
"isMultiRegionTrail": false,
"enableLogFileValidation": false
},
"responseElements": {
"name": "fantasticlogs-org-trail",
"s3BucketName": "fantasticlogs-cloudtrail",
"includeGlobalServiceEvents": true,
"isMultiRegionTrail": false,
"trailARN": "arn:aws:cloudtrail:us-east-1:555123456789:trail/fantasticlogs-org-trail",
"logFileValidationEnabled": false,
"isOrganizationTrail": true
},
"requestID": "90000000-0000-4000-8000-000111010010",
"eventID": "90000000-0000-4000-8000-000111010011",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685.002 — Disable or Modify Cloud Log — An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within t...