Cloud logging services are foundational to security monitoring, but a new analysis from Palo Alto Networks Unit 42 shows they are also a high-value target for attackers who want to operate undetected inside compromised cloud environments. The research focuses on AWS CloudTrail and Google Cloud Logging, two of the most widely deployed audit and observability platforms in enterprise cloud infrastructure.
Why Logging Services Are a Target
Security tools that depend on cloud log data include SIEM platforms, SOAR systems, and cloud security posture management (CSPM) tools. By disrupting log delivery, attackers can effectively remove the visibility those tools rely on, leaving defenders without the telemetry needed to detect intrusions, investigate incidents, or satisfy compliance requirements.
Unit 42 categorizes cloud logging attacks into two broad objectives. The first is defense evasion, where an attacker modifies or destroys logging resources to execute activity without generating detectable records. The second is continuous visibility, where an attacker routes a victim’s logs to an attacker-controlled account, establishing persistent surveillance of the target environment.
How Each Service Works
In AWS, CloudTrail uses a configuration object called a trail to capture API calls and events, writing log files to a designated Amazon S3 bucket. That bucket serves as a centralized, long-term repository for audit records. CloudTrail also supports delivery to CloudTrail Lake, EventBridge, and CloudWatch Logs, though third-party integrations may not use those paths.
Google Cloud Logging relies on a resource called a sink, which functions as a log router. Sinks match log entries against defined filters and forward matching entries to a destination such as a Cloud Storage bucket or another Google Cloud service. The flexibility of sinks is a strength for defenders, but the same configuration surface can be exploited by attackers.
Five Attack Techniques
Unit 42 identifies five primary techniques adversaries use against cloud logging pipelines:
- Stop logging: Disabling the trail or logging service directly, halting log generation at the source.
- Delete the log storage destination: Removing the S3 bucket or Cloud Storage bucket where logs are written, destroying existing records and preventing new ones from being saved.
- Delete the log router: Removing the sink or trail configuration so logs are no longer routed anywhere, even if the underlying service is still running.
- Impair logging via attacker-controlled encryption key: Replacing or revoking the encryption key used to protect log data, rendering stored logs inaccessible to defenders.
- Log poisoning: Injecting manipulated or misleading entries into the logging pipeline to obscure attacker activity or corrupt the integrity of the audit trail.
Defensive Implications
Understanding these attack paths allows security teams to implement compensating controls, such as restricting who can modify trail configurations, applying object-lock policies to log storage buckets, and alerting on sink or trail deletion events. Unit 42 notes that while the research focuses on AWS and Google Cloud, the techniques described are likely applicable to logging services across other cloud providers as well.
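As an added illustration of the alerting control just mentioned (example code written for this page, not Unit 42's or either cloud provider's), the following Python classifies CloudTrail and Google Cloud audit records against the techniques listed above. The event and method names are real API actions; the account, project, trail, bucket and principal names are placeholders and the sample records are constructed.

```python
import json

# Constructed placeholder: the buckets your organisation uses as log destinations.
LOG_BUCKETS = {"example-cloudtrail-logs", "example-gcp-audit-logs"}

# (service, action) -> technique. Real CloudTrail eventName / GCP audit methodName values; mapping is ours.
TAMPER_ACTIONS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "stop logging",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "delete log router",
    ("kms.amazonaws.com", "DisableKey"): "impair logging via encryption key",
    ("logging.googleapis.com", "google.logging.v2.ConfigServiceV2.DeleteSink"): "delete log router",
}
# Bucket deletions are common; alert only when the bucket is a known log destination.
BUCKET_DELETES = {("s3.amazonaws.com", "DeleteBucket"), ("storage.googleapis.com", "storage.buckets.delete")}

def normalize(record):
    """Reduce a CloudTrail or Google Cloud audit record to (service, action, actor, target)."""
    if "protoPayload" in record:                              # Google Cloud audit log shape
        p = record["protoPayload"]
        return (p["serviceName"], p["methodName"],
                p["authenticationInfo"]["principalEmail"], p.get("resourceName", ""))
    rp = record.get("requestParameters") or {}               # AWS CloudTrail shape
    target = rp.get("name") or rp.get("bucketName") or rp.get("keyId") or ""
    return (record["eventSource"], record["eventName"], record["userIdentity"].get("arn", "?"), target)

def classify(record):
    """Return an alert dict if the record is a logging-tampering action, else None."""
    service, action, actor, target = normalize(record)
    technique = TAMPER_ACTIONS.get((service, action))
    if (technique is None and (service, action) in BUCKET_DELETES
            and target.rsplit("/", 1)[-1] in LOG_BUCKETS):   # GCS names look like projects/_/buckets/<name>
        technique = "delete log storage destination"
    return None if technique is None else {"technique": technique, "actor": actor, "action": action, "target": target}

def scan(lines):  # newline-delimited JSON in, alerts out, in input order
    return [a for a in (classify(json.loads(l)) for l in lines if l.strip()) if a]

# Constructed sample records (not real events); account, trail, bucket and principal names are placeholders.
ACTOR = {"arn": "arn:aws:iam::111111111111:user/example"}
SAMPLE = [
    json.dumps({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                "userIdentity": ACTOR, "requestParameters": {"name": "example-trail"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
                "userIdentity": ACTOR, "requestParameters": {"bucketName": "example-cloudtrail-logs"}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",   # not a log bucket: no alert
                "userIdentity": ACTOR, "requestParameters": {"bucketName": "scratch-data"}}),
    json.dumps({"protoPayload": {"serviceName": "logging.googleapis.com",
                "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                "authenticationInfo": {"principalEmail": "user@example.com"},
                "resourceName": "projects/example-project/sinks/example-sink"}}),
]
```

Run `scan(SAMPLE)` to see three alerts (stop logging, log bucket deletion, sink deletion); the unrelated bucket deletion is suppressed by the allow-list check rather than paged on.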
Organizations concerned about their exposure can review cloud logging configurations as part of a broader cloud security posture assessment, ensuring that the services meant to provide visibility cannot themselves become a means of concealment.
