Discovery of AWS Services That Do Not Log to CloudTrail

We discussed this vulnerability during Episode 199 on 27 March 2023

Two CloudTrail logging vulnerabilities were identified, both involving endpoints or services whose API activity is not fully recorded in CloudTrail. Either one lets an attacker act in an account with less visibility than defenders expect from their audit trail.

The first vulnerability was discovered after noticing an unusual endpoint in a Content-Security-Policy meta tag: https://aws242-servicecatalog-beta.us-east-1.amazonaws.com. The peculiar aws242 prefix caught the researchers' attention, and on interacting with the endpoint they found it was isolated from the primary commercial (production) data. That isolation initially seemed to make the finding of little use to an attacker, but switching from the beta to the gamma endpoint removed it: the gamma endpoint operated on the standard production data, and although mutating requests returned errors, the requested actions were still executed. Critically, calls made through this endpoint did not appear in CloudTrail logs at all.
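The discovery step above started with an odd hostname in a CSP value. The following Python is an added example (not code from the researchers or from AWS) that pulls every host out of a CSP string and flags amazonaws.com endpoints whose service label carries a stage name such as beta or gamma, or a numeric aws-prefix like the aws242 one in the text. The CSP value is constructed for illustration; only the aws242 host is taken from the text.

```python
import re

# Constructed CSP value for illustration. The aws242 host is the one quoted in
# the text; the other sources are stand-ins for ordinary console endpoints.
SAMPLE_CSP = (
    "default-src 'self'; "
    "connect-src 'self' https://servicecatalog.us-east-1.amazonaws.com "
    "https://aws242-servicecatalog-beta.us-east-1.amazonaws.com "
    "https://sts.amazonaws.com wss://example.cloudfront.net; "
    "img-src data: https://*.amazonaws.com"
)

# Tokens in the service label that suggest a non-production stage or an
# unusual internal prefix (assumed heuristic, not an AWS naming rule).
SUSPICIOUS_LABEL = re.compile(r"(beta|gamma|alpha|preprod|internal|^aws\d+-)", re.I)

# Matches a scheme-source like https://host[:port][/path]; group 1 is the host.
SCHEME_SOURCE = re.compile(r"^(?:https?|wss?)://([^/:]+)", re.I)


def parse_csp(csp: str) -> dict:
    """Split a CSP string into {directive_name: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives[tokens[0].lower()] = tokens[1:]
    return directives


def extract_hosts(csp: str) -> set:
    """Collect every hostname named by a scheme-source in any directive."""
    hosts = set()
    for sources in parse_csp(csp).values():
        for src in sources:
            m = SCHEME_SOURCE.match(src)
            if m:
                hosts.add(m.group(1).lower())
    return hosts


def find_unusual_aws_endpoints(csp: str) -> list:
    """Return amazonaws.com hosts whose leading (service) label looks non-standard."""
    flagged = []
    for host in extract_hosts(csp):
        if "*" in host or not host.endswith(".amazonaws.com"):
            continue  # wildcards carry no service name; other domains are out of scope
        service_label = host[: -len(".amazonaws.com")].split(".")[0]
        if SUSPICIOUS_LABEL.search(service_label):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host in find_unusual_aws_endpoints(SAMPLE_CSP):
        print("unusual endpoint:", host)
```

Run it against the CSP of a real page by pasting the header value into SAMPLE_CSP; anything it flags is only a lead, and the text's point is that the interesting part was what happened after swapping the stage name in the hostname, not the hostname itself.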

The second vulnerability was uncovered while exploring the AWS Control Tower service. The researchers noticed that the AWS Blackbeard Service did not log all failure cases; in particular, failures caused by insufficient privileges were not logged. An attacker could therefore probe which actions their credentials are allowed to perform without the denied attempts appearing in CloudTrail, where access-denied events are normally one of the stronger signals of credential misuse.
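The practical check a defender wants here is whether deliberately unauthorized calls actually produce access-denied events in CloudTrail. The Python below is an added example (not the researchers' tooling or anything from AWS): it takes a list of probe calls a tester made without permission and a set of CloudTrail records, and reports the probes that left no access-denied event for that principal. The records, the principal ARN and the probe list are all constructed for the example; the set of error codes treated as "denied" is an assumption that you may need to widen for other services.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, not real log data. Two calls were made without
# the required permission; only the S3 one shows up as an AccessDenied event.
SAMPLE_RECORDS = json.loads("""
{"Records": [
  {"eventTime": "2023-03-27T10:00:01Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets", "errorCode": "AccessDenied",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/probe"}},
  {"eventTime": "2023-03-27T10:00:02Z", "eventSource": "sts.amazonaws.com",
   "eventName": "GetCallerIdentity",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/probe"}}
]}
""")["Records"]

# The principal used for the probes (constructed).
PROBE_ARN = "arn:aws:iam::123456789012:user/probe"

# Calls the tester deliberately issued without permission (constructed list).
PROBES = [
    ("s3.amazonaws.com", "ListBuckets"),
    ("controltower.amazonaws.com", "ListEnabledControls"),
]

# Error codes that mean "permission denied" in CloudTrail (assumed, non-exhaustive).
DENIED_CODES = {
    "AccessDenied",
    "AccessDeniedException",
    "UnauthorizedOperation",
    "Client.UnauthorizedOperation",
}


def index_denials(records: list, principal_arn: str) -> dict:
    """Count access-denied events per (eventSource, eventName) for one principal."""
    denials = defaultdict(int)
    for r in records:
        if r.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if r.get("errorCode") in DENIED_CODES:
            denials[(r["eventSource"], r["eventName"])] += 1
    return denials


def find_logging_gaps(probes: list, records: list, principal_arn: str) -> list:
    """Return the probes for which no access-denied event was recorded."""
    seen = index_denials(records, principal_arn)
    return [p for p in probes if seen.get(p, 0) == 0]


if __name__ == "__main__":
    for source, name in find_logging_gaps(PROBES, SAMPLE_RECORDS, PROBE_ARN):
        print(f"no AccessDenied event recorded for {source} {name}")
```

To use it for real, replace SAMPLE_RECORDS with records pulled from the trail's S3 bucket or from LookupEvents, and allow for CloudTrail's delivery delay before treating a missing event as a gap rather than as a late arrival. A probe that stays missing after that window is exactly the kind of blind spot the text describes, and it belongs on the list of services where you cannot rely on CloudTrail alone.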