
AWS CloudTrail Threat Hunting

A practical guide to hunting threats in AWS: CloudTrail key events, GuardDuty alerts, IAM enumeration detection, persistence mechanisms, and Athena hunting queries.


// CloudTrail Overview

AWS CloudTrail records API calls made to AWS services: who made the call, from which IP, when, which service and action, and whether it succeeded or failed. CloudTrail is the primary audit log for AWS environments and the foundation for cloud threat hunting.

CloudTrail events fall into three categories: Management Events (control plane: creating/deleting resources), Data Events (S3 object-level access, Lambda invocations), and Insights Events (anomaly detection for unusual API call volumes and error rates). A trail records only management events unless you explicitly enable the other two.

Data events are not enabled by default and incur additional cost. Without them you cannot see S3 object reads and writes (GetObject, PutObject), a significant blind spot for detecting data exfiltration from S3 buckets.

// Key API Events

These are the high-value CloudTrail events for threat hunters: the ones that appear in attacker playbooks and are worth alerting on.

Authentication & Credential Abuse

Event | Service | Why it matters
ConsoleLogin | signin.amazonaws.com | Console logins: check sourceIPAddress and the MFAUsed value inside additionalEventData
GetCallerIdentity | STS | First call attackers make to identify their access ("who am I?")
AssumeRole | STS | Cross-account access and privilege escalation via role chaining
GetSessionToken | STS | Temporary credential generation: watch for unusual source IPs

IAM Actions

Event | Why it matters
CreateUser | Attacker creating a backdoor IAM user for persistence
CreateAccessKey | Generating new long-term credentials: high risk if done by a non-admin or for another user
AttachUserPolicy / AttachRolePolicy | Privilege escalation: attaching AdministratorAccess to a user or role
PutUserPolicy | Inline policy addition: less visible than managed policy attachment
UpdateLoginProfile | Password change on another user's console login: account takeover
DeleteTrail / StopLogging | Defence evasion (CloudTrail API, not IAM): attacker disabling CloudTrail to hide their tracks

Compute & Execution

Event | Why it matters
RunInstances | EC2 instance launch: cryptomining in otherwise unused regions is common
CreateFunction / UpdateFunctionCode | Lambda deployment: serverless execution is hard to detect without data events (Invoke is a data event)
SendCommand | SSM Run Command on EC2: lateral movement / code execution without SSH
GetParameter | SSM Parameter Store reads (also GetParameters, GetParametersByPath): attackers accessing stored secrets and credentials

// GuardDuty

Amazon GuardDuty is an AWS-native threat detection service that analyses CloudTrail, VPC Flow Logs, and DNS logs to generate findings (alerts). It uses ML and threat intelligence to identify suspicious patterns without requiring manual queries.

Finding type | Description
UnauthorizedAccess:IAMUser/TorIPCaller | API call from a Tor exit node: deliberate anonymisation
Recon:IAMUser/MaliciousIPCaller | API recon calls (ListUsers, DescribeInstances) from a known-bad IP
PrivilegeEscalation:IAMUser/AdministrativePermissions | Principal attempted to attach an administrative policy to itself
Persistence:IAMUser/UserPermissions | New IAM user or access key created: possible backdoor
CryptoCurrency:EC2/BitcoinTool.B | EC2 instance communicating with a cryptocurrency mining pool
Exfiltration:S3/ObjectRead.Unusual | Unusual volume of S3 object reads by an IAM entity
Impact:S3/AnomalousBehavior.Delete | Mass S3 delete: potential ransomware or destructive attack

// IAM Enumeration Detection

After gaining initial access, attackers enumerate IAM to understand what permissions they have and what escalation paths exist. This enumeration leaves a distinctive pattern in CloudTrail.

# Classic IAM enumeration sequence: look for these in rapid succession from one source
sts:GetCallerIdentity
iam:GetAccountSummary
iam:ListUsers
iam:ListGroups
iam:ListRoles
iam:ListPolicies
iam:GetUser
iam:ListAttachedUserPolicies
iam:SimulatePrincipalPolicy

Tools like Pacu (AWS exploitation framework) and ScoutSuite automate IAM enumeration and leave these patterns in bulk. A burst of IAM read API calls from a single user ARN in a short window is a strong signal.
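The burst pattern described above, turned into detection logic over raw CloudTrail records. This is an added example, not code from the original article or from Pacu/ScoutSuite. It reads records in the shape a trail delivers to S3 ({"Records": [...]}), groups them by the calling principal's ARN and flags any principal that makes at least MIN_DISTINCT distinct IAM read-only calls (plus sts:GetCallerIdentity) inside a WINDOW_SECONDS sliding window. The thresholds, the account ID, the principal ARNs and the sample records are constructed for the example and must be tuned per environment.

```python
"""Detect bursts of IAM/STS enumeration in CloudTrail records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_SECONDS = 300   # assumption: 5-minute sliding window
MIN_DISTINCT = 6       # assumption: distinct enumeration calls before alerting
ENUM_PREFIXES = ("List", "Get", "Simulate")   # read-only IAM verbs


def is_enumeration(record):
    """True for IAM read-only calls (ListUsers, GetUser, ...) and sts:GetCallerIdentity.

    Other STS calls (GetSessionToken, AssumeRole) are credential operations,
    not enumeration, so they are deliberately excluded here.
    """
    source = record.get("eventSource")
    name = record.get("eventName", "")
    if source == "sts.amazonaws.com":
        return name == "GetCallerIdentity"
    return source == "iam.amazonaws.com" and name.startswith(ENUM_PREFIXES)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC, e.g. 2025-03-01T10:00:01Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_enumeration_bursts(records, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT):
    """Return {arn: (window_start, sorted distinct eventNames)} for each bursting principal.

    Denied calls are counted too: an attacker probing a key produces AccessDenied
    records with exactly the same shape, and those are signal, not noise.
    """
    by_arn = defaultdict(list)
    for rec in records:
        if is_enumeration(rec):
            arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
            by_arn[arn].append((parse_time(rec["eventTime"]), rec["eventName"]))

    hits = {}
    for arn, calls in by_arn.items():
        calls.sort()                       # by (time, name)
        lo, best = 0, None
        for hi in range(len(calls)):
            # slide the left edge forward until the window fits
            while calls[hi][0] - calls[lo][0] > timedelta(seconds=window):
                lo += 1
            names = {name for _, name in calls[lo:hi + 1]}
            if len(names) >= min_distinct and (best is None or len(names) > len(best[1])):
                best = (calls[lo][0], sorted(names))
        if best:
            hits[arn] = best
    return hits


def load_records(trail_json):
    """Parse one CloudTrail log file (already gunzipped) into its record list."""
    return json.loads(trail_json)["Records"]


def _rec(time, source, name, arn, ip):
    """Build a minimal constructed CloudTrail record with the fields the detector uses."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn}, "sourceIPAddress": ip}


ATTACKER = "arn:aws:iam::111111111111:user/ci-deploy"   # constructed principal
ADMIN = "arn:aws:iam::111111111111:user/alice"          # constructed principal
_IP_A, _IP_B = "203.0.113.7", "198.51.100.20"          # RFC 5737 documentation addresses

SAMPLE_TRAIL = json.dumps({"Records": [
    # Constructed: the classic enumeration sequence from one key in 11 seconds
    _rec("2025-03-01T10:00:01Z", "sts.amazonaws.com", "GetCallerIdentity", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:03Z", "iam.amazonaws.com", "GetAccountSummary", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:04Z", "iam.amazonaws.com", "ListUsers", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:05Z", "iam.amazonaws.com", "ListGroups", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:06Z", "iam.amazonaws.com", "ListRoles", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:08Z", "iam.amazonaws.com", "ListPolicies", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:09Z", "iam.amazonaws.com", "GetUser", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:11Z", "iam.amazonaws.com", "ListAttachedUserPolicies", ATTACKER, _IP_A),
    _rec("2025-03-01T10:00:12Z", "iam.amazonaws.com", "SimulatePrincipalPolicy", ATTACKER, _IP_A),
    # Constructed: a benign admin, two reads hours apart, then a write (not enumeration)
    _rec("2025-03-01T09:15:00Z", "iam.amazonaws.com", "ListUsers", ADMIN, _IP_B),
    _rec("2025-03-01T14:40:00Z", "iam.amazonaws.com", "GetUser", ADMIN, _IP_B),
    _rec("2025-03-01T14:41:00Z", "iam.amazonaws.com", "CreateAccessKey", ADMIN, _IP_B),
]})

if __name__ == "__main__":
    for arn, (start, names) in find_enumeration_bursts(load_records(SAMPLE_TRAIL)).items():
        print(f"{arn}: {len(names)} distinct enumeration calls from {start:%H:%M:%S}Z: {', '.join(names)}")
```

Only the constructed ci-deploy key trips the detector; alice's two reads spread over the day stay under the threshold. In production, feed it the gunzipped trail files from S3 (or the Athena results) and group by access key ID as well as ARN, since one compromised key among several on the same user is the usual case.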

// Persistence Mechanisms

Mechanism | API events | Detection
Backdoor IAM user | CreateUser, CreateAccessKey | New user or key created outside of IaC / Terraform workflows (compare the calling principal and userAgent with your pipeline's)
Shadow admin role | CreateRole, AttachRolePolicy | Role with admin access created, or an existing role's trust or permissions policy expanded
Lambda backdoor | CreateFunction, AddPermission | Lambda with wide permissions and a public function URL or unusual trigger
EC2 user-data persistence | RunInstances, ModifyInstanceAttribute | Large or obfuscated user-data payload; user data is delivered base64-encoded, so decode it and inspect for scripts
SSM session persistence | CreateActivation | SSM hybrid activation for a non-EC2 machine: attacker registering an external host as a managed node

// Exfiltration Detection

Technique | API events | Detection
S3 mass download | GetObject (data events) | High volume of GetObject from a single IAM entity to an unusual IP
S3 bucket made public | PutBucketAcl, PutBucketPolicy | ACL or policy change granting public read to the bucket; a public grant only takes effect if S3 Block Public Access is also off, so watch for that being disabled too
Snapshot exfiltration | ModifySnapshotAttribute | EBS snapshot shared with an external AWS account (createVolumePermission in requestParameters)
Secrets Manager read | GetSecretValue | Secrets accessed from an unusual IP or by an unexpected IAM principal
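The two exfiltration-staging rows above (snapshot sharing and a public bucket policy) need the requestParameters inspected, not just the event name, because the same API calls are legitimate when the target is your own account. The check below is an added example, not code from the original article; it works on raw trail records (where requestParameters is a nested object, unlike the Athena table's string column). TRUSTED_ACCOUNTS, the principal ARN, the bucket and snapshot names and the sample records are constructed for the example; the requestParameters shapes follow the EC2 ModifySnapshotAttribute and S3 PutBucketPolicy APIs.

```python
"""Flag exfiltration-staging changes in CloudTrail requestParameters (added example)."""

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}   # assumption: the organisation's own accounts


def external_snapshot_shares(record, trusted=TRUSTED_ACCOUNTS):
    """Account IDs (or 'all') that a ModifySnapshotAttribute call grants createVolumePermission to."""
    if record.get("eventName") != "ModifySnapshotAttribute":
        return []
    params = record.get("requestParameters") or {}
    items = params.get("createVolumePermission", {}).get("add", {}).get("items") or []
    grants = []
    for item in items:
        if item.get("group") == "all":
            grants.append("all")                      # snapshot made public
        elif item.get("userId") and item["userId"] not in trusted:
            grants.append(item["userId"])             # shared outside the org
    return grants


def _principals(principal):
    """Normalise an IAM policy Principal element to a flat list of strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return []


def public_bucket_statements(record):
    """Allow statements in a PutBucketPolicy call that grant everyone access with no Condition."""
    if record.get("eventName") != "PutBucketPolicy":
        return []
    policy = (record.get("requestParameters") or {}).get("bucketPolicy") or {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):                  # a policy may carry a single statement object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow"
            and "*" in _principals(s.get("Principal"))
            and not s.get("Condition")]


def triage(records, trusted=TRUSTED_ACCOUNTS):
    """Return (eventTime, arn, reason) for each successful record that stages exfiltration."""
    findings = []
    for rec in records:
        if rec.get("errorCode"):
            continue                                   # denied calls are a separate hunt
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for account in external_snapshot_shares(rec, trusted):
            findings.append((rec["eventTime"], arn, f"snapshot shared with {account}"))
        for stmt in public_bucket_statements(rec):
            findings.append((rec["eventTime"], arn, f"public bucket policy: {stmt.get('Action')}"))
    return findings


_ARN = "arn:aws:iam::111111111111:user/backup-svc"     # constructed principal

SAMPLE_RECORDS = [
    # Constructed: snapshot shared with an account outside the org
    {"eventTime": "2025-03-01T11:02:10Z", "eventName": "ModifySnapshotAttribute",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": _ARN},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}},
    # Constructed: the same call, but to a trusted account (not flagged)
    {"eventTime": "2025-03-01T11:05:00Z", "eventName": "ModifySnapshotAttribute",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"arn": _ARN},
     "requestParameters": {"snapshotId": "snap-0fedcba9876543210",
                           "attributeType": "CREATE_VOLUME_PERMISSION",
                           "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}},
    # Constructed: bucket policy opening object reads to everyone
    {"eventTime": "2025-03-01T11:09:45Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "corp-finance-exports",
                           "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::corp-finance-exports/*"}]}}},
    # Constructed: bucket policy scoped to a trusted account (not flagged)
    {"eventTime": "2025-03-01T11:12:00Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": _ARN},
     "requestParameters": {"bucketName": "corp-finance-exports",
                           "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-finance-exports/*"}]}}},
]

if __name__ == "__main__":
    for when, who, why in triage(SAMPLE_RECORDS):
        print(f"{when} {who}: {why}")
```

The trusted-account allow-list is what turns a noisy event name into a finding: every organisation shares snapshots and writes bucket policies, but almost none do so towards accounts they do not own. Extend the same approach to PutBucketAcl (grantee URI for the AllUsers group) and to ModifyImageAttribute for shared AMIs.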

// Athena Hunting Queries

When CloudTrail logs are stored in S3, you can query them at scale using Amazon Athena (serverless SQL). First, create an external table over your CloudTrail S3 prefix; AWS publishes the CREATE EXTERNAL TABLE statement for the CloudTrail schema, and the queries below assume that schema with the table named cloudtrail_logs.

Failed API calls (access denied)

-- Repeated denials from one principal: a key being probed for what it can do.
-- EC2 reports denials as Client.UnauthorizedOperation; several services use AccessDeniedException.
SELECT useridentity.arn, eventsource, eventname, COUNT(*) AS fail_count
FROM cloudtrail_logs
WHERE errorcode IN ('AccessDenied', 'AccessDeniedException',
                    'UnauthorizedOperation', 'Client.UnauthorizedOperation')
  AND eventtime > '2025-01-01'
GROUP BY useridentity.arn, eventsource, eventname
HAVING COUNT(*) > 10
ORDER BY fail_count DESC

Console logins without MFA

-- Successful console logins without MFA. useridentity.username is NULL for
-- federated and assumed-role sign-ins, so keep the ARN alongside it.
SELECT eventtime, useridentity.arn, useridentity.username, sourceipaddress, useragent
FROM cloudtrail_logs
WHERE eventname = 'ConsoleLogin'
  AND additionaleventdata LIKE '%"MFAUsed":"No"%'
  AND responseelements LIKE '%"ConsoleLogin":"Success"%'
ORDER BY eventtime DESC

CloudTrail logging disabled

-- Trail tampering. PutEventSelectors is included because removing data-event
-- selectors silences S3/Lambda visibility without stopping the trail.
SELECT eventtime, useridentity.arn, sourceipaddress, eventname
FROM cloudtrail_logs
WHERE eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail', 'PutEventSelectors')
ORDER BY eventtime DESC

New IAM users created

SELECT eventtime, useridentity.arn, requestparameters
FROM cloudtrail_logs
WHERE eventname IN ('CreateUser', 'CreateAccessKey')
AND errorcode IS NULL
ORDER BY eventtime DESC

Enable CloudTrail Lake for simpler SQL querying without needing to set up Athena tables manually. It provides a managed query interface directly within the CloudTrail console and retains events for up to 7 years.