Cloud Detection & Logging
Detection That Actually Wakes Someone Up
Cloud environments change rapidly, so security controls must keep pace by default and be applied automatically rather than by hand.
In Cloud Detection & Logging, logging only pays off when a detection leads directly to a follow-up action, not just to a report.
That way you keep the speed the cloud gives you without security depending on someone happening to look at the right dashboard at the right moment.
Immediate measures (15 minutes)
Why this matters
The point of Cloud Detection & Logging is practical risk reduction: the technical context informs which measures you pick, but what counts is that they are actually implemented and that you can prove they work.
Defense measures
Organization-Wide Trails
# AWS: Configure an organization trail with data events
# Run from the organization's management account (or the delegated CloudTrail
# administrator). The bucket policy must already grant cloudtrail.amazonaws.com
# s3:PutObject and the KMS key policy must let CloudTrail use the key, or the
# call fails.
aws cloudtrail create-trail \
  --name org-comprehensive-trail \
  --s3-bucket-name org-audit-central \
  --is-organization-trail \
  --is-multi-region-trail \
  --enable-log-file-validation \
  --include-global-service-events \
  --kms-key-id arn:aws:kms:eu-west-1:111111111111:key/KEY_ID
# create-trail does not start delivery; without this step the trail exists but logs nothing
aws cloudtrail start-logging --name org-comprehensive-trail
# Add data events (S3 object and Lambda invocation level). Data events are billed
# per event and can be voluminous; scope them with a resources.ARN StartsWith
# selector if logging every bucket and function is not affordable.
aws cloudtrail put-event-selectors \
  --trail-name org-comprehensive-trail \
  --advanced-event-selectors '[
    {
      "Name": "Log all S3 data events",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}
      ]
    },
    {
      "Name": "Log all Lambda invocations",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]}
      ]
    },
    {
      "Name": "Log all management events",
      "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Management"]}
      ]
    }
  ]'
# Enable Insights (unusual API call volume and error rates; billed separately)
aws cloudtrail put-insight-selectors \
  --trail-name org-comprehensive-trail \
  --insight-selectors '[
    {"InsightType": "ApiCallRateInsight"},
    {"InsightType": "ApiErrorRateInsight"}
  ]'
SIEM Integration
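Before forwarding the trail anywhere, confirm that what it delivers is complete: the reference table further down lists event selector manipulation, region-based evasion and unlogged data events as evasion techniques, and every one of them shows up as a gap in the trail's own configuration. The following is an added example (not code from the original page or from AWS) that scores the JSON returned by `aws cloudtrail describe-trails`, `get-event-selectors` and `get-trail-status`; the sample documents, the `REQUIRED_DATA_TYPES` baseline and the trail name are constructed for the example.

```python
"""Audit a CloudTrail configuration for coverage gaps.

Added example, not part of the original page. It consumes the JSON shapes
returned by `aws cloudtrail describe-trails` (one trailList entry),
`get-event-selectors` (AdvancedEventSelectors) and `get-trail-status`, and
reports the gaps an attacker would exploit: single-region trails, missing
data events, validation off, delivery silently broken. The sample documents
below are constructed, not real output.
"""
from typing import Dict, List, Set, Tuple

# Data-event resource types the trail is expected to cover
# (assumption for the example: adjust to your own baseline).
REQUIRED_DATA_TYPES = {"AWS::S3::Object", "AWS::Lambda::Function"}


def _selector_fields(selector: Dict) -> Dict[str, Set[str]]:
    """Flatten one advanced event selector into {field: set(values)}."""
    fields: Dict[str, Set[str]] = {}
    for fs in selector.get("FieldSelectors", []):
        fields.setdefault(fs["Field"], set()).update(fs.get("Equals", []))
    return fields


def covered_categories(selectors: List[Dict]) -> Tuple[bool, Set[str]]:
    """Return (management_events_logged, data_resource_types_logged)."""
    management = False
    data_types: Set[str] = set()
    for sel in selectors:
        fields = _selector_fields(sel)
        cats = fields.get("eventCategory", set())
        if "Management" in cats:
            management = True
        if "Data" in cats:
            # Only the Equals form of resources.type is scored here; a
            # selector using StartsWith/EndsWith would need its own handling.
            data_types |= fields.get("resources.type", set())
    return management, data_types


def audit_trail(trail: Dict, selectors: List[Dict], status: Dict) -> List[str]:
    """Return human-readable findings; an empty list means no gap found."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("not an organization trail: member accounts are not covered")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("single-region trail: activity in other regions is invisible")
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append("global service events (IAM, STS) are excluded")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation off: tampering cannot be proven")
    if not trail.get("KmsKeyId"):
        findings.append("logs stored without SSE-KMS")
    if not status.get("IsLogging"):
        findings.append("trail is stopped (StopLogging): nothing is being delivered")
    if status.get("LatestDeliveryError"):
        findings.append("delivery failing: " + status["LatestDeliveryError"])
    management, data_types = covered_categories(selectors)
    if not management:
        findings.append("management events not selected")
    for missing in sorted(REQUIRED_DATA_TYPES - data_types):
        findings.append("data events not logged for " + missing)
    return findings


# Constructed sample: the org trail after someone quietly removed the S3
# data-event selector and turned off log file validation.
SAMPLE_TRAIL = {
    "Name": "org-comprehensive-trail",
    "IsOrganizationTrail": True,
    "IsMultiRegionTrail": True,
    "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": False,
    "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/KEY_ID",
}
SAMPLE_SELECTORS = [
    {"Name": "Log all management events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "Log all Lambda invocations",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::Lambda::Function"]}]},
]
SAMPLE_STATUS = {"IsLogging": True, "LatestDeliveryError": ""}

if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL, SAMPLE_SELECTORS, SAMPLE_STATUS):
        print("GAP:", finding)
```

Run this on a schedule against every trail the organization relies on; a trail that was complete when created is not necessarily complete today, and `StopLogging`, `PutEventSelectors` and `DeleteTrail` are themselves management events worth alerting on.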
# AWS: Send CloudTrail to CloudWatch Logs for near-real-time alerting
# The log group must exist, and the role must trust cloudtrail.amazonaws.com
# and allow logs:CreateLogStream and logs:PutLogEvents on it.
aws logs create-log-group --log-group-name CloudTrail
aws cloudtrail update-trail \
  --name org-comprehensive-trail \
  --cloud-watch-logs-log-group-arn arn:aws:logs:eu-west-1:111111111111:log-group:CloudTrail:* \
  --cloud-watch-logs-role-arn arn:aws:iam::111111111111:role/CloudTrail-CWL-Role
# Create metric filters for suspicious activities. They match on eventName only,
# so denied attempts (records with an errorCode) count as well, which is what
# you want when an attacker is probing what their credentials can do.
# IAM user creation
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name IAMUserCreation \
  --filter-pattern '{ $.eventName = "CreateUser" }' \
  --metric-transformations \
    metricName=IAMUserCreation,metricNamespace=Security,metricValue=1
# Access key creation
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name AccessKeyCreation \
  --filter-pattern '{ $.eventName = "CreateAccessKey" }' \
  --metric-transformations \
    metricName=AccessKeyCreation,metricNamespace=Security,metricValue=1
# Trust policy modification (the classic cross-account backdoor)
aws logs put-metric-filter \
  --log-group-name CloudTrail \
  --filter-name TrustPolicyChange \
  --filter-pattern '{ $.eventName = "UpdateAssumeRolePolicy" }' \
  --metric-transformations \
    metricName=TrustPolicyChange,metricNamespace=Security,metricValue=1
# Create alarms (repeat for AccessKeyCreation and TrustPolicyChange).
# treat-missing-data keeps the alarm out of INSUFFICIENT_DATA when nothing happens.
aws cloudwatch put-metric-alarm \
  --alarm-name "IAM-User-Created" \
  --metric-name IAMUserCreation \
  --namespace Security \
  --statistic Sum \
  --period 300 \
  --threshold 1 \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --treat-missing-data notBreaching \
  --alarm-actions arn:aws:sns:eu-west-1:111111111111:security-alerts
Anomaly Detection
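The metric filters above fire on the event name alone; the step from counting events to spotting anomalies is to look inside the request. Below is an added example (not from the original page or from AWS) that applies the same three rules to CloudTrail records and, for `UpdateAssumeRolePolicy`, parses the submitted trust policy so that the alert escalates only when a principal outside your own accounts appears, which is the case that usually means a backdoor rather than routine role maintenance. The records, the `TRUSTED_ACCOUNTS` list and the severity labels are constructed assumptions for the example.

```python
"""Evaluate the page's three IAM metric-filter rules over CloudTrail records.

Added example, not part of the original page. The records below are
constructed, trimmed CloudTrail events and TRUSTED_ACCOUNTS is an assumed
list of the organization's own account IDs.
"""
import json
from typing import Dict, Iterable, List, Set

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumption: your org's accounts


def _principals(policy: Dict) -> Set[str]:
    """Collect every principal string from a trust policy's Allow statements."""
    found: Set[str] = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for value in principal.values():  # {"AWS": [...]}, {"Service": "..."}, ...
            found.update([value] if isinstance(value, str) else value)
    return found


def external_principals(policy_document: str) -> Set[str]:
    """Principals in the trust policy that are not in TRUSTED_ACCOUNTS.

    Service principals (ec2.amazonaws.com etc.) are never flagged; wildcard,
    foreign account IDs and foreign IAM ARNs are.
    """
    ext: Set[str] = set()
    for p in _principals(json.loads(policy_document)):
        if p == "*":
            ext.add(p)
        elif p.startswith("arn:aws:iam::") and p.split(":")[4] not in TRUSTED_ACCOUNTS:
            ext.add(p)
        elif p.isdigit() and p not in TRUSTED_ACCOUNTS:
            ext.add(p)
    return ext


def evaluate(records: Iterable[Dict]) -> List[Dict]:
    """Return one alert per matching record: rule, severity, actor, detail, failed."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        params = rec.get("requestParameters") or {}
        failed = "errorCode" in rec  # denied attempts are still worth seeing
        if name == "CreateUser":
            alerts.append({"rule": "IAMUserCreation", "severity": "medium",
                           "actor": ident.get("arn"), "detail": params.get("userName"),
                           "failed": failed})
        elif name == "CreateAccessKey":
            # userName is absent when a user creates a key for themselves
            target = params.get("userName") or ident.get("userName")
            alerts.append({"rule": "AccessKeyCreation",
                           "severity": "medium" if target == ident.get("userName") else "high",
                           "actor": ident.get("arn"), "detail": target, "failed": failed})
        elif name == "UpdateAssumeRolePolicy":
            # CloudTrail carries the new policy as a JSON string; if your pipeline
            # delivers it URL-encoded, urllib.parse.unquote() it first.
            ext = external_principals(params.get("policyDocument", "{}"))
            alerts.append({"rule": "TrustPolicyChange",
                           "severity": "critical" if ext else "low",
                           "actor": ident.get("arn"),
                           "detail": {"role": params.get("roleName"), "external": sorted(ext)},
                           "failed": failed})
    return alerts


# Constructed sample records (fields trimmed to what the rules read).
SAMPLE_RECORDS = [
    {"eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "svc-deploy"}},
    {"eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/admin/ci"},
     "requestParameters": {"roleName": "PowerUser", "policyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": ["arn:aws:iam::222222222222:root",
                                              "arn:aws:iam::999999999999:root"]}}]})}},
    {"eventName": "CreateUser", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"userName": "backdoor"}},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

The same logic belongs in the SIEM rule rather than in a CloudWatch metric filter, which cannot parse the nested policy document; the metric filter stays as the cheap, always-on fallback that pages someone even if the SIEM pipeline is down.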
// Azure: KQL query for anomalous service principal sign-ins
// Run in Log Analytics / Microsoft Sentinel (formerly Azure Sentinel). Service
// principal sign-ins are a separate table from interactive user sign-ins
// (SigninLogs) and must be switched on in the Entra ID diagnostic settings.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize
    locations = make_set(Location),
    signins = count()
    by ServicePrincipalName, ServicePrincipalId, AppId
| where array_length(locations) > 3
# AWS: Athena query for unusual AssumeRole patterns
# Create an Athena table on the CloudTrail S3 bucket (the CloudTrail console
# can generate the CREATE TABLE statement) and query the sts.amazonaws.com
# AssumeRole events for:
# - AssumeRole from source accounts that are not in your organization
# - AssumeRole with unusually long durationSeconds
# - AssumeRole with session names that do not follow your naming convention
# GCP: BigQuery export of audit logs (log sink into a BigQuery dataset; with
# date-sharded tables the activity log lands in cloudaudit_googleapis_com_activity_YYYYMMDD)
bq query --use_legacy_sql=false '
SELECT
  protopayload_auditlog.authenticationInfo.principalEmail,
  protopayload_auditlog.methodName,
  protopayload_auditlog.requestMetadata.callerIp,
  COUNT(*) AS call_count
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE _TABLE_SUFFIX >= FORMAT_DATE("%Y%m%d", DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY))
GROUP BY 1, 2, 3
HAVING call_count > 100
ORDER BY call_count DESC
'
Complete Detection Checklist
+---------------------------------------+----------------------+---------------------+-------------------+
| Detection Control                     | AWS                  | Azure               | GCP               |
+---------------------------------------+----------------------+---------------------+-------------------+
| Multi-region/all-subscription logging | CloudTrail org trail | Activity Log        | Org Audit Logs    |
+---------------------------------------+----------------------+---------------------+-------------------+
| Data plane logging                    | Data Events          | Diagnostic Settings | Data Access logs  |
+---------------------------------------+----------------------+---------------------+-------------------+
| Threat detection service              | GuardDuty            | Defender for Cloud  | SCC               |
+---------------------------------------+----------------------+---------------------+-------------------+
| IAM change alerts                     | CW Alarm + Filter    | Sentinel Rule       | Cloud Monitoring  |
+---------------------------------------+----------------------+---------------------+-------------------+
| Anomalous login detection             | GuardDuty            | Identity Protection | N/A               |
+---------------------------------------+----------------------+---------------------+-------------------+
| Service principal monitoring          | IAM Access Analyzer  | SP Sign-in Logs     | SA Key Usage      |
+---------------------------------------+----------------------+---------------------+-------------------+
| Cross-account activity monitoring     | Org trail            | Lighthouse audit    | Org Audit Logs    |
+---------------------------------------+----------------------+---------------------+-------------------+
| DNS query logging                     | Route53 Query Log    | DNS Analytics       | Cloud DNS Logging |
+---------------------------------------+----------------------+---------------------+-------------------+
| Network flow logging                  | VPC Flow Logs        | NSG Flow Logs       | VPC Flow Logs     |
+---------------------------------------+----------------------+---------------------+-------------------+
| Configuration change tracking         | Config Rules         | Change Tracking     | Asset Inventory   |
+---------------------------------------+----------------------+---------------------+-------------------+
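The three AssumeRole checks described under Anomaly Detection above, applied to CloudTrail records in Python rather than Athena SQL, as an added example that is not part of the original page. The `KNOWN_ACCOUNTS` allowlist, the one-hour `MAX_DURATION` ceiling, the `SESSION_CONVENTION` pattern and the sample records are assumptions constructed for the example; each predicate maps one-to-one onto a WHERE clause in the Athena query the page describes, and the session-name check is the detection side of the "Session name spoofing" row in the reference table below.

```python
"""Hunt for the AssumeRole patterns the page lists, over CloudTrail records.

Added example, not part of the original page. Account list, duration ceiling
and naming convention are assumptions; the records are constructed.
"""
import re
from typing import Dict, Iterable, List

KNOWN_ACCOUNTS = {"111111111111", "222222222222"}  # assumption: your org's accounts
MAX_DURATION = 3600                                # assumption: one-hour session ceiling
# assumption: sessions are named <team>-<purpose>-<ticket-or-run-id>
SESSION_CONVENTION = re.compile(r"^(ci|ops|oncall|sec)-[a-z0-9]+-[a-z0-9]+$")


def assume_role_findings(rec: Dict) -> List[str]:
    """Reasons this one STS record is suspicious (empty list = looks normal)."""
    if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
        return []
    ident = rec.get("userIdentity", {})
    params = rec.get("requestParameters") or {}
    # Service-initiated calls (EC2 instance profiles, Lambda) carry type
    # AWSService and a service-chosen session name, so checks 1 and 3 do not apply.
    service_call = ident.get("type") == "AWSService"
    reasons = []
    # 1. Unknown source account: any human or role caller should be one of ours.
    if not service_call and ident.get("accountId") not in KNOWN_ACCOUNTS:
        reasons.append("source account %s not in allowlist" % ident.get("accountId"))
    # 2. Long sessions reduce how often an attacker has to re-authenticate.
    duration = int(params.get("durationSeconds", MAX_DURATION))
    if duration > MAX_DURATION:
        reasons.append("session duration %ds exceeds %ds" % (duration, MAX_DURATION))
    # 3. Session names are attacker-chosen free text; off-convention names stand out.
    session = params.get("roleSessionName", "")
    if not service_call and not SESSION_CONVENTION.match(session):
        reasons.append("session name %r off convention" % session)
    if rec.get("errorCode"):
        reasons.append("call failed: " + rec["errorCode"])
    return reasons


def hunt(records: Iterable[Dict]) -> List[Dict]:
    """Return {role, session, source, reasons} for every suspicious AssumeRole."""
    hits = []
    for rec in records:
        reasons = assume_role_findings(rec)
        if reasons:
            params = rec.get("requestParameters") or {}
            hits.append({"role": params.get("roleArn"),
                         "session": params.get("roleSessionName"),
                         "source": rec.get("userIdentity", {}).get("accountId"),
                         "reasons": reasons})
    return hits


# Constructed sample records, trimmed to the fields the checks read.
SAMPLE_RECORDS = [
    # normal: CI runner in a known account, one hour, convention-compliant name
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/deploy",
                           "roleSessionName": "ci-deploy-4711", "durationSeconds": 3600}},
    # service-initiated (EC2 instance profile refresh): session named after the instance
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/web",
                           "roleSessionName": "i-0abc123"}},
    # suspicious: unknown account, 12-hour session, a name chosen to look like CI
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "999999999999"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/deploy",
                           "roleSessionName": "ci_deploy", "durationSeconds": 43200}},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

The naming-convention check only has teeth if the convention is enforced on the way in as well: a `sts:RoleSessionName` condition key in the role's trust policy rejects off-convention names outright, and then any AssumeRole that slipped past it is a finding in itself.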
Reference table
| Technique | MITRE ATT&CK | AWS | Azure | GCP |
|---|---|---|---|---|
| Event selector manipulation | T1562.008 - Disable or Modify Cloud Logs | CloudTrail event selectors | Diagnostic settings | Audit config exemptions |
| Region-based evasion | T1562.008 - Disable or Modify Cloud Logs | Non-trailed regions | Non-monitored subscriptions | Non-audited projects |
| Non-logged API abuse | T1562.008 - Disable or Modify Cloud Logs | Data events (S3, Lambda) | Data plane without diagnostics | Data access without config |
| GuardDuty/Defender evasion | T1562.001 - Disable or Modify Tools | GuardDuty blind spots | Defender for Cloud gaps | SCC detection gaps |
| Cloud Shell as proxy | T1090 - Proxy | AWS CloudShell | Azure Cloud Shell | GCP Cloud Shell |
| Target compute usage | T1584.004 - Server | SSM Session Manager | Azure Bastion | gcloud compute ssh |
| Temporary credentials | T1550.001 - Application Access Token | STS session tokens | Managed Identity tokens | SA access tokens |
| Session name spoofing | T1036 - Masquerading | AssumeRole session name | N/A | N/A |
| User agent manipulation | T1036.005 - Match Legitimate Name or Location | SDK/CLI user agent | REST API user agent | gcloud/API user agent |
| Rate limit awareness | T1029 - Scheduled Transfer | API throttling avoidance | ARM rate limits | Quota-aware operations |
| Log retention exploitation | T1070.009 - Clear Persistence | CloudTrail S3 retention | Activity Log 90-day limit | _Default bucket 30 days (_Required 400 days) |
| False positive generation | T1562.006 - Indicator Blocking | GuardDuty noise | Defender alert flooding | SCC finding noise |
| Trace removal | T1070 - Indicator Removal | Resource deletion | Resource deletion | Resource deletion |
| Credential reset cleanup | T1070.004 - File Deletion | Access key deletion | App credential removal | SA key deletion |
| Config restoration | T1070 - Indicator Removal | Trust policy rollback | Role assignment cleanup | IAM binding removal |
| Managed identity exploitation | T1550.001 - Application Access Token | EC2 instance profile | System/User managed identity | GCE service account |
| Service principal stealth | T1078.004 - Cloud Accounts | N/A | SP sign-in (separate log) | SA token (audit log) |
| DNS-based evasion | T1071.004 - DNS | Route53 resolver logging | Azure DNS Analytics | Cloud DNS logging |
| Data event blind spots | T1530 - Data from Cloud Storage | S3 GetObject (no data events) | Blob read (no diagnostics) | GCS read (no data access) |
The ultimate insight about cloud evasion: the best way to avoid detection is not avoiding logs -- it is generating activity that looks exactly like what is supposed to be there. In an environment with thousands of API calls per minute, the best disguise is normalcy.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- The cloud -- someone else's computer, your responsibility
- Containers and Docker -- what it is and why you need to secure it
- Encryption -- the art of making things unreadable
- Least Privilege -- only give people what they need