Undocumented API allows CloudTrail bypass
Original Post:
We discussed this vulnerability during Episode 181 on 23 January 2023
A cool yet simple finding from the Datadog security team: calls to an undocumented iamadmin
service did not appear in CloudTrail logs, yet reproduced the functionality of several standard IAM service methods.
The Datadog team found the undocumented API simply by observing which APIs the AWS console was calling and noting the iamadmin
one as unfamiliar. While trying to determine whether it just called the normal IAM service behind the scenes to fulfill the requests, they realized the requests were not being logged at all. It's a solid finding, and one of those issues that counts as a vulnerability because it defeats a large part of the purpose of CloudTrail: an IAM action that produces no audit event is invisible to every detection and forensics process built on those logs.
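The methodology above (watch what the console calls, flag services you do not recognise, then check whether each call shows up in CloudTrail) is easy to turn into a small tool. The following is an added example, not Datadog's tooling and not part of the original post. Its inputs are constructed inline: a minimal HAR-style capture of console traffic and a list of CloudTrail events shaped like `aws cloudtrail lookup-events` output. The `iamadmin.amazonaws.com` hostname, the action names under iamadmin, and the short known-service list are placeholders, not values from the finding.

```python
"""Compare API calls seen in a browser capture with what CloudTrail recorded.

Added example (not Datadog's code). All inputs below are constructed:
the HAR-style capture, the CloudTrail events, and the known-service list.
The iamadmin endpoint hostname is a placeholder, not the real endpoint.
"""
import json
from urllib.parse import parse_qs, urlparse

# Constructed HAR-like capture of console traffic (not a real recording).
HAR_CAPTURE = json.dumps({
    "log": {"entries": [
        {"request": {"method": "POST", "url": "https://iam.amazonaws.com/",
                     "postData": {"text": "Action=ListUsers&Version=2010-05-08"}}},
        {"request": {"method": "POST", "url": "https://iam.amazonaws.com/",
                     "postData": {"text": "Action=GetUser&UserName=alice&Version=2010-05-08"}}},
        # Placeholder: a call to an unfamiliar "iamadmin" endpoint (hostname assumed).
        {"request": {"method": "POST", "url": "https://iamadmin.amazonaws.com/",
                     "postData": {"text": "Action=ListUsers"}}},
        # Console page load, not an API call; should be ignored.
        {"request": {"method": "GET", "url": "https://console.aws.amazon.com/iam/home"}},
    ]}
})

# Constructed CloudTrail events in the shape of lookup-events output.
# Only the documented IAM calls were recorded; nothing for iamadmin.
CLOUDTRAIL_EVENTS = [
    {"EventSource": "iam.amazonaws.com", "EventName": "ListUsers"},
    {"EventSource": "iam.amazonaws.com", "EventName": "GetUser"},
]

# Partial, hand-maintained list of service prefixes the reviewer recognises.
KNOWN_SERVICES = {"iam", "sts", "s3", "ec2", "cloudtrail"}


def extract_api_calls(har_text):
    """Return {(service, action)} for entries that hit *.amazonaws.com endpoints.

    The service is taken from the first hostname label; the action from the
    query-style `Action=` parameter in the URL or POST body.
    """
    calls = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        parsed = urlparse(req["url"])
        host = parsed.hostname or ""
        if not host.endswith(".amazonaws.com"):
            continue  # console HTML, static assets, third-party origins
        service = host.split(".")[0]
        params = parse_qs(req.get("postData", {}).get("text", ""))
        params.update(parse_qs(parsed.query))
        action = params.get("Action", [None])[0]
        if action:
            calls.add((service, action))
    return calls


def unknown_services(calls, known=KNOWN_SERVICES):
    """Service prefixes seen in the capture that are not on the known list."""
    return sorted({svc for svc, _ in calls} - known)


def unlogged_calls(calls, events):
    """Calls from the capture with no matching (eventSource prefix, eventName)."""
    logged = {(e["EventSource"].split(".")[0], e["EventName"]) for e in events}
    return sorted(calls - logged)


if __name__ == "__main__":
    seen = extract_api_calls(HAR_CAPTURE)
    print("unfamiliar services:", unknown_services(seen))
    print("calls without a CloudTrail event:", unlogged_calls(seen, CLOUDTRAIL_EVENTS))
```

Two caveats when running this against a real capture: CloudTrail event history lags the API call by several minutes, so wait before concluding a call was never logged, and the eventSource prefix does not always equal the endpoint hostname label, so treat a mismatch as a lead to confirm by hand rather than as proof of a logging gap.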