low

Partial CloudTrail logging in AWS Control Tower

Published Mon, Mar 20th, 2023

Platforms

Summary

AWS Control Tower was not properly logging to CloudTrail when API calls failed due to a lack of permissions. This could have helped an adversary with existing access to a victim AWS environment avoid detection while enumerating privileges, since any unsuccessful API calls would not generate "access denied" log entries.

Affected Services

Control Tower

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/

Contributed by https://github.com/frichetten

Entry Status

Finalized

Disclosure Date

Mon, Jan 30th, 2023

Exploitablity Period

Until 2023/02/13

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Nick Frichette, Datadog

More vulnerabilities...

medium

CloudTrail bypass for AWS Service Catalog

Due to an exposed development endpoint, it was possible to bypass CloudTrail logging for both read and write API actions for the Service Catalog service. This could have enabled adversaries to alte...

Nick Frichette, Datadog

Sun, Mar 19th, 2023

medium

Super FabriXss

Azure Service Fabric Explorer (SFX) was affected by an XSS vulnerability that could have allowed a malicious script to be reflected off a web application. After a potential victim clicked on a craf...

Lidor Ben Shitrit, Orca Sec...

Tue, Mar 14th, 2023

medium

Overprivileged CodeBuild default ECR IAM policy

For AWS CodeBuild, when using a custom container image stored in ECR and the project service role for the credentials to pull the image, the default IAM policy attached to the role to allow pulli...

Will Deane, ASX Consulting

Sat, Feb 25th, 2023

View all