Triggers
- Disable or delete CloudTrail logging within a region where the logging is already enabled.
Possible Root Causes
- An attacker has deleted CloudTrail logs to hide their tracks and/or to prevent investigation of their historical activities.
- An administrator has disabled CloudTrail logging as part of normal changes to the environment.
Business Impact
- Inability to detect future attacks, investigate future or historical attacks, or audit activity within the environment.
- Increased risk of activity that may negatively impact the business going unnoticed.
Steps to Verify
- Review the actions the user took after the identified activity, using the regions where logging remains (if any), and assess the potential risk posed by that access.
- Review security policy to determine if the removal of logging capabilities is allowed.
- Discuss with the user to determine if the activity is known and legitimate.
- If the review determines there is a high risk to data or the environment, disable the credentials and perform a comprehensive investigation.
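An added example, not part of the original runbook, showing how the trigger above and the first verification step can be expressed as detection logic over CloudTrail records: it flags StopLogging and DeleteTrail calls only in regions where logging was already enabled, reports which regions still log, and lists what the same principal did afterwards. The event records are constructed samples in CloudTrail's JSON field layout; the region set passed to find_logging_disabled is assumed to be maintained by the operator.

```python
"""Detection helper for 'CloudTrail logging disabled or deleted'.
Sample events are constructed for illustration, not real log data."""

# CloudTrail management API calls that turn off or remove a trail.
DISABLING_EVENTS = {"StopLogging", "DeleteTrail"}

# Constructed sample records (subset of CloudTrail's JSON fields).
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "eventTime": "2024-01-01T10:00:00Z",
     "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"name": "main-trail"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "eventTime": "2024-01-01T10:01:00Z",
     "userIdentity": {"userName": "deploy-user"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "awsRegion": "ap-south-1", "eventTime": "2024-01-01T10:02:00Z",
     "userIdentity": {"userName": "deploy-user"},
     "requestParameters": {"name": "unused-trail"}},
]


def actor(event):
    """Best-effort principal name from the userIdentity block."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def find_logging_disabled(events, enabled_regions):
    """Return (alerts, regions still logging). Only calls made in a region
    where logging was already enabled fire, matching the trigger."""
    remaining = set(enabled_regions)
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if ev.get("eventName") not in DISABLING_EVENTS:
            continue
        region = ev.get("awsRegion")
        if region not in enabled_regions:
            continue
        remaining.discard(region)
        alerts.append({"actor": actor(ev), "region": region,
                       "action": ev["eventName"], "time": ev["eventTime"],
                       "trail": ev.get("requestParameters", {}).get("name")})
    return alerts, sorted(remaining)


def actions_after(events, alert):
    """Event names the same principal issued after the alert (step 1)."""
    return [ev["eventName"] for ev in events
            if actor(ev) == alert["actor"] and ev["eventTime"] > alert["time"]]
```

The per-region model assumes one trail per region; stopping a multi-region trail removes coverage everywhere at once, so treat the remaining-regions list as an upper bound in that case.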