Unmasking the CloudTrail API Bug: How AWS Patched a Stealthy Threat to Cybersecurity

Potential cyber attackers probing AWS surroundings and API interactions might remain undetected.

Amazon Web Services (AWS) has successfully fixed a loophole bug that could have allowed hackers to evade CloudTrail API surveillance.

In an article posted on January 17, Nick Frichette, a top researcher at Datadog Security Labs, highlighted a weakness that affects the CloudTrail event logging service. This service is a vital resource for security experts who are analyzing API activities.

Keeping records of system events can be an essential tool for security personnel, as it aids in identifying dubious operations and conducting detailed investigations after a security breach.

Dive deeper into the most recent updates on web security flaws.

CloudTrail keeps an eye on and records AWS environment occurrences as well as API usage. But, the Datadog Security Research Team has found a method that could sidestep these logging systems. This would enable malicious actors to carry out exploratory activities unnoticed in the IAM service.

The group conducted experiments on two facilities, namely iam and iamadmi, which are designed to handle inquiries in the AWS Console. It was discovered by Datadog that iamadmin is actually an unrecorded API. Moreover, when prompting endpoints like ListMFADevicesForMultipleUsers – which serves as a cover for iam:ListMFADevices – no event log would be registered in CloudTrail.

The group discovered 13 AIM techniques that could be invoked, though a few produced unforeseen actions.

“Frichette noted that after experimenting with this method for some time, it was evident that it wasn’t designed to function in this way.”

The ability to circumvent CloudTrail logging and acquire the outcomes of those calls poses a significant challenge for cybersecurity professionals. This is because it restricts their capacity to monitor an attacker’s activities within a system and identify the steps they’ve executed.

Additionally, the scientist suggested that this same method could potentially circumvent Amazon’s GuardDuty, since it utilizes CloudTrail as its data source.


Taking advantage of this vulnerability, potential attackers could carry out surveillance operations. In a discussion with The Daily Swig, Frichette clarified that if the iamadmin service initiates IAM API calls, an intruder could, for instance, activate iam:ListGroupsForUser to “reveal the groups that an IAM user belongs to.”

Moreover, the “iam:ListAttachedGroupPolicies” function allows you to see what IAM policies are linked with an IAM group. This could potentially uncover groups that have special privileges. The “iam:ListMFADevices” function, on the other hand, shows whether an IAM user has a multi-factor authentication (MFA) device connected to their account, which could be beneficial when deciding on future targets.

A representative from AWS has affirmed the presence of the security flaw. However, it’s important to stress that customer-specific authentication and authorization rules were still applied to read-only APIs.

“Datadog pointed out that the hacked organization should ideally have enough authority to execute these tasks. However, with this security flaw, these tasks could be carried out entirely unnoticed.”


The investigative team brought the problem to AWS’s attention on March 10, 2022. The security squad at Amazon recognized the issue on that very day. However, the bug’s resolution required intricate internal modifications, so it took until October to implement a solution.

On the 24th of October, AWS rolled out a patch that revamped iamadmin API calls to produce events in CloudTrail similar to how the iam service does.

A representative from AWS has affirmed that the affected API methods have been rectified and there’s no need for any customer intervention.

Frichette states, “Such security weaknesses are rare.” He continues, “As far as I’m aware, there aren’t any other openly identified vulnerabilities that enabled a hacker to evade tracking for AWS API actions that usually get recorded.”

Site Footer