Researchers at Palo Alto Networks' Unit 42 have detailed how attackers who gain a foothold in a cloud account can quietly switch off, redirect, or tamper with the very logs defenders rely on to catch them. The techniques target Amazon Web Services CloudTrail and Google Cloud Logging, the audit systems that record almost everything that happens in a cloud environment, and they let an intruder operate with little or no trace.
Why this matters
Security tools like SIEM, SOAR and cloud posture platforms are only as good as the log data feeding them. If an attacker can blind that pipeline, alerts simply never fire, and incident responders are left investigating an audit trail that may have been edited out from under them. Because these methods abuse legitimate logging features and permissions rather than a software bug, there is no single patch to apply. The fix is configuration and access control.
How the attacks work
Unit 42 researcher Yahav Festinger groups the activity into two goals. The first is defense evasion. An attacker with the right permissions can stop logging outright (the CloudTrail StopLogging API, or disabling a Google Cloud sink), delete the storage bucket or log router that holds the records, swap in an attacker-controlled encryption key so existing logs become unreadable, or practice log poisoning: downloading stored log files, deleting the incriminating events, and re-uploading the edited files to overwrite the originals.
The second goal is continuous visibility. Instead of running noisy discovery commands, an attacker can create a new trail or sink, or repoint an existing one, so a copy of the victim's logs streams to an account they control. That gives them a real-time view of new deployments, identity changes and sensitive data access while staying hidden, a quiet form of persistence.
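Both goals leave a trace in the audit log at the moment the logging configuration is touched, so the practical detection is a watch on those configuration calls. The following Python is an added example, not code from the Unit 42 report or this briefing: it reads one JSON record per line, recognises the CloudTrail and Cloud Logging configuration changes described above, and marks the ones whose new destination or key belongs to a different account or project (the "copy of the logs streams elsewhere" pattern). The sample records, account IDs, project names and principals are constructed; the event names and method names are the real API identifiers.

```python
"""Flag CloudTrail and Cloud Logging configuration changes that blind or redirect audit logs.
Added example: runs over constructed records, not real telemetry."""
import json
from typing import Iterable, Optional

# CloudTrail API calls that stop, delete, redirect or re-key a trail.
AWS_TAMPER = {
    "StopLogging": "logging stopped",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail reconfigured",
    "CreateTrail": "new trail created",
    "PutEventSelectors": "event selectors changed",
}
# UpdateTrail/CreateTrail request keys that move logs or change the key that encrypts them.
AWS_DESTINATION_KEYS = ("s3BucketName", "kmsKeyId", "cloudWatchLogsLogGroupArn")

# Cloud Logging config methods with the same effect on sinks and log buckets.
GCP_TAMPER = {
    "google.logging.v2.ConfigServiceV2.CreateSink": "new sink created",
    "google.logging.v2.ConfigServiceV2.UpdateSink": "sink reconfigured",
    "google.logging.v2.ConfigServiceV2.DeleteSink": "sink deleted",
    "google.logging.v2.ConfigServiceV2.DeleteBucket": "log bucket deleted",
}

# Constructed sample records (placeholder IDs): three CloudTrail events, two audit log entries.
SAMPLE_RECORDS = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
                "requestParameters": {"name": "org-trail"}, "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/compromised-user"},
                "requestParameters": {"name": "org-trail", "s3BucketName": "other-bucket",
                                      "kmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/placeholder"},
                "recipientAccountId": "111111111111"}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ops"},
                "recipientAccountId": "111111111111"}),
    json.dumps({"protoPayload": {"serviceName": "logging.googleapis.com",
                                 "methodName": "google.logging.v2.ConfigServiceV2.UpdateSink",
                                 "authenticationInfo": {"principalEmail": "attacker@example.com"},
                                 "resourceName": "projects/victim-project/sinks/central-sink",
                                 "request": {"sink": {"destination":
                                     "pubsub.googleapis.com/projects/other-project/topics/copy"}}}}),
    json.dumps({"protoPayload": {"serviceName": "logging.googleapis.com",
                                 "methodName": "google.logging.v2.LoggingServiceV2.ListLogEntries",
                                 "authenticationInfo": {"principalEmail": "analyst@example.com"}}}),
]


def _arn_account(arn: str) -> Optional[str]:
    """Account field of an ARN (arn:partition:service:region:account:resource), else None."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 and parts[4] else None


def _aws_finding(ev: dict) -> Optional[dict]:
    name = ev.get("eventName")
    if ev.get("eventSource") != "cloudtrail.amazonaws.com" or name not in AWS_TAMPER:
        return None
    params = ev.get("requestParameters") or {}
    home = ev.get("recipientAccountId")
    detail = AWS_TAMPER[name]
    foreign = False
    if name in ("UpdateTrail", "CreateTrail"):
        touched = [k for k in AWS_DESTINATION_KEYS if k in params]
        if touched:
            detail += ": " + ", ".join(touched)
        # A KMS key or log group ARN owned by another account is the re-key / redirect pattern.
        for key in ("kmsKeyId", "cloudWatchLogsLogGroupArn"):
            acct = _arn_account(str(params.get(key, "")))
            if acct and acct != home:
                foreign = True
    return {"platform": "aws", "actor": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "target": params.get("name", "unknown"), "action": name, "detail": detail,
            "foreign_destination": foreign}


def _gcp_finding(entry: dict) -> Optional[dict]:
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName")
    if payload.get("serviceName") != "logging.googleapis.com" or method not in GCP_TAMPER:
        return None
    resource = payload.get("resourceName", "")
    # resourceName looks like projects/<project>/sinks/<sink>; that project is the home scope.
    project = resource.split("/")[1] if resource.startswith("projects/") else None
    sink = (payload.get("request") or {}).get("sink") or {}
    destination = sink.get("destination", "")
    foreign = bool(destination) and project is not None and f"projects/{project}/" not in destination
    return {"platform": "gcp",
            "actor": (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown"),
            "target": resource, "action": method.rsplit(".", 1)[-1],
            "detail": GCP_TAMPER[method] + (f" -> {destination}" if destination else ""),
            "foreign_destination": foreign}


def detect(lines: Iterable[str]) -> list:
    """Parse one JSON record per line and return a finding for each logging-tampering event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        finding = _aws_finding(record) or _gcp_finding(record)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f)
```

In production the same logic would sit on the CloudTrail-to-CloudWatch or Cloud Logging export feed rather than on files, and the `foreign_destination` flag is the one worth paging on: a trail or sink that suddenly points at a bucket, key, topic or project the organisation does not own is exactly the quiet copy described above.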
What you should do
Unit 42 recommends treating logging configuration as highly privileged. Restrict who can call logging-configuration APIs such as CloudTrail update-trail, and who holds the Google Cloud logging.sinks.update permission, and lock down the destination buckets so only the logging service can write to them. On AWS, enable CloudTrail log file integrity validation (it is on by default in the console but not via the API or CLI) to detect tampering, and remember that AWS keeps an immutable 90-day event history for management events as a fallback. On Google Cloud, lock log buckets so their retention cannot be shortened or deleted, and rely on the built-in _Required and _Default buckets, which cannot be disabled.
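CloudTrail log file integrity validation works by delivering hourly digest files: each digest lists the SHA-256 of every log file delivered in that hour and the SHA-256 of the previous digest, so the digests form a hash chain that a poisoned log file or a deleted digest breaks. The Python below is an added example, not AWS tooling or code from the report, that walks such a chain over an in-memory stand-in for the S3 bucket. The digest field names follow the documented digest format, but every object key, account ID and event is constructed; the RSA signature that CloudTrail also places on each digest (verified by the real `aws cloudtrail validate-logs` command against AWS's published public keys) is not modelled here, so this shows the hash-chain half of the check only.

```python
"""Walk a CloudTrail digest chain and report log files or digests that no longer match.
Added example over constructed objects; field names follow the documented digest format,
digests are stored as plain JSON (real ones are gzipped and RSA-signed)."""
import gzip
import hashlib
import json

ACCOUNT = "111111111111"  # constructed placeholder account ID
PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail"
LOG1_KEY = f"{PREFIX}/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail_us-east-1_T00_a.json.gz"
LOG2_KEY = f"{PREFIX}/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail_us-east-1_T01_b.json.gz"
DIGEST1_KEY = f"{PREFIX}-Digest/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail-Digest_T00.json.gz"
DIGEST2_KEY = f"{PREFIX}-Digest/us-east-1/2024/01/01/{ACCOUNT}_CloudTrail-Digest_T01.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pack(records: list) -> bytes:
    """Gzipped CloudTrail log file body: {"Records": [...]}."""
    return gzip.compress(json.dumps({"Records": records}).encode())


def unpack(blob: bytes) -> list:
    return json.loads(gzip.decompress(blob))["Records"]


def _digest(log_keys: list, store: dict, previous_key) -> bytes:
    """Constructed digest: hash list of the covered log files plus the link to the previous digest."""
    return json.dumps({
        "awsAccountId": ACCOUNT,
        "digestSignatureAlgorithm": "SHA256withRSA",
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256", "hashValue": sha256_hex(store[k])}
                     for k in log_keys],
        "previousDigestS3Object": previous_key,
        "previousDigestHashAlgorithm": "SHA-256" if previous_key else None,
        "previousDigestHashValue": sha256_hex(store[previous_key]) if previous_key else None,
    }).encode()


def build_sample_store():
    """Two hours of constructed logs and digests; returns (store, key of the newest digest)."""
    store = {}
    store[LOG1_KEY] = pack([{"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}},
                            {"eventName": "CreateUser", "userIdentity": {"userName": "alice"}}])
    store[LOG2_KEY] = pack([{"eventName": "StopLogging", "userIdentity": {"userName": "compromised"}},
                            {"eventName": "DescribeTrails", "userIdentity": {"userName": "ops"}}])
    store[DIGEST1_KEY] = _digest([LOG1_KEY], store, None)
    store[DIGEST2_KEY] = _digest([LOG2_KEY], store, DIGEST1_KEY)
    return store, DIGEST2_KEY


def drop_events(blob: bytes, event_name: str) -> bytes:
    """Re-pack a log file without the named events: the log poisoning the report describes,
    simulated locally so the verifier below can be shown catching it."""
    return pack([r for r in unpack(blob) if r.get("eventName") != event_name])


def verify_chain(store: dict, newest_key: str) -> list:
    """Follow previousDigestS3Object links from the newest digest backwards and list problems."""
    problems = []
    key = newest_key
    while key is not None:
        blob = store.get(key)
        if blob is None:
            # A deleted digest leaves a dangling link; the chain cannot be trusted past it.
            problems.append(f"digest missing: {key}")
            break
        digest = json.loads(blob)
        for lf in digest["logFiles"]:
            log_blob = store.get(lf["s3Object"])
            if log_blob is None:
                problems.append(f"log file missing: {lf['s3Object']}")
            elif sha256_hex(log_blob) != lf["hashValue"]:
                problems.append(f"hash mismatch (modified or replaced): {lf['s3Object']}")
        prev = digest["previousDigestS3Object"]
        if prev is not None:
            prev_blob = store.get(prev)
            if prev_blob is not None and sha256_hex(prev_blob) != digest["previousDigestHashValue"]:
                problems.append(f"previous digest altered: {prev}")
        key = prev
    return problems


if __name__ == "__main__":
    store, newest = build_sample_store()
    print("clean:", verify_chain(store, newest))
    store[LOG2_KEY] = drop_events(store[LOG2_KEY], "StopLogging")
    print("poisoned:", verify_chain(store, newest))
```

The design point is why the recommendation pairs integrity validation with write-locked buckets: the hash chain detects an edited log file or a removed digest, but only if the digests themselves survive, and an attacker who can overwrite the digest prefix could regenerate the chain around the edit. The signature AWS places on each digest, which this example does not model, closes that gap, because the attacker cannot sign a forged digest with AWS's key.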
You can read the original Unit 42 report for the full set of techniques and detection guidance.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.