Detection Engineering

CloudTrail Monitoring Patterns That Matter

The AWS CloudTrail monitoring patterns that actually catch attackers — root usage, IAM changes, logging tampering, and credential exfiltration, with detection logic.

A dark screen showing a cyan stream of cloud audit-log entries with one entry flagged red

CloudTrail monitoring fails when teams try to alert on everything and drown, or log everything and look at nothing. The patterns that matter are a short list: root account usage, IAM changes, anyone tampering with logging, and instance credentials used from outside your network. Those four catch the actions nearly every cloud attacker takes. This guide ships the high-signal CloudTrail detections and the architecture that keeps them trustworthy.

AWS CloudTrail is the audit log of API activity in your account, and it is where cloud attacks become visible — valid-account abuse (T1078.004), account manipulation (T1098), and logging tampering (T1562.008). It is also where an SSRF credential theft shows up as an instance role used from the wrong place.

What should you actually monitor in CloudTrail?

CloudTrail records every API call, which is both its power and its trap — alert on all of it and analysts tune you out. The discipline is to start from attacker behavior and monitor the actions an intruder must take: prove who they are, escalate privilege, and blind the defender. That narrows thousands of event types to a high-signal core.

This is the cloud expression of the same philosophy behind every detection on darkpwn: watch behavior that is rare-and-bad, not common-and-noisy, the way the detection engineering workflow prescribes.

Which CloudTrail patterns matter most?

PatternWhy it mattersATT&CK
Root account usageRoot should be near-never used; any use is suspectT1078.004
IAM changesNew users/keys/policies = persistence & escalationT1098
Logging tamperingStopping CloudTrail/GuardDuty blinds youT1562.008
Credential exfiltrationInstance role used outside the VPCT1552.005
Console login without MFAA single-factor login is a footholdT1078.004
Recon burstsListBuckets/GetCallerIdentity from a new principalT1580

These six catch the overwhelming majority of real cloud intrusions. Everything else is secondary — get these right before adding noise.

How to detect the patterns that matter

Two of the highest-value detections, in Splunk SPL (the logic ports directly to CloudWatch, Sentinel KQL, or any SIEM).

Root account usage

SPL Root Account Usage in CloudTrail
index=cloudtrail
| spath "userIdentity.type" output=idType
| where idType="Root"
| search NOT eventName IN ("BatchGetTraces")
| stats count, values(eventName) AS actions, values(sourceIPAddress) AS srcips by awsRegion

Root has no business making routine API calls. Any root activity outside a documented break-glass procedure is an immediate investigation.

Logging tampering

SPL CloudTrail Logging Disabled or Deleted
index=cloudtrail eventName IN ("StopLogging","DeleteTrail","UpdateTrail","DeleteDetector","UpdateDetector")
| table _time, userIdentity.arn, eventName, requestParameters.name, sourceIPAddress
| sort 0 _time

How to architect CloudTrail so detections are trustworthy

  1. Organization trail across all accounts and regions, so nothing escapes logging.
  2. Centralize to a separate security account with write-once storage the workload accounts cannot modify or delete.
  3. Enable GuardDuty org-wide for managed threat detection.
  4. Restrict who can touch trails with SCPs, and alert on any change.
  5. Validate by generating a benign version of each pattern (a test IAM change, a logged break-glass root login) and confirming the rule fires.

Common CloudTrail monitoring mistakes

  • Alerting on everything. Noise buries the six patterns that matter.
  • Logs in the compromised account. An attacker erases them.
  • Single-region trails. Attackers operate in regions you don’t watch.
  • No alert on logging changes. You miss the move that blinds you.

CloudTrail monitoring checklist

  1. Enable an organization trail across all accounts and regions.
  2. Centralize logs to a separate, write-restricted security account.
  3. Alert on root usage, IAM changes, and logging/GuardDuty tampering.
  4. Alert on instance-role credentials used outside the VPC (exfiltration).
  5. Flag console logins without MFA and API calls from unusual regions.
  6. Enable GuardDuty org-wide; alert when it is disabled.
  7. Restrict trail modification with SCPs.
  8. Validate each detection with a benign test event.

The takeaway

CloudTrail monitoring that matters is a short list of high-signal patterns — root usage, IAM changes, logging tampering, credential exfiltration — backed by centralized, tamper-proof storage and GuardDuty. Get those right before anything else. Continue with Kubernetes security events to prioritize and SSRF detection, or watch another exfiltration channel with DNS tunneling detection. Or browse the full Detection Engineering pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMeAuthorized labs to practice cloud security monitoring and detectionSecurity Training
    Start training

Frequently asked questions

What should you monitor in AWS CloudTrail?

Prioritize a small set of high-signal events: root account usage, IAM changes (new users, access keys, policy attachments), any tampering with CloudTrail or GuardDuty, console logins without MFA, and instance-role credentials used from outside your network. These catch the actions every cloud attacker takes.

How do attackers evade CloudTrail?

A common early move is disabling, deleting, or stopping a CloudTrail trail, or turning off GuardDuty, to blind defenders (MITRE T1562.008). The defense is to alert specifically on StopLogging, DeleteTrail, and detector changes, and to send logs to a separate, write-restricted account they cannot reach.

What is the difference between CloudTrail and GuardDuty?

CloudTrail is the audit log of API activity in your AWS account — the raw events. GuardDuty is a managed threat-detection service that analyzes CloudTrail, VPC flow, and DNS logs to surface findings. Use GuardDuty for managed detections and CloudTrail for your own custom, high-signal rules.

How do you detect compromised AWS credentials?

Watch for instance-role credentials used from an IP outside your VPC (exfiltration), API calls from unusual regions or new source networks, access key creation followed by privilege changes, and a burst of reconnaissance calls like ListBuckets or GetCallerIdentity from a new principal.

Newsletter

Liked this breakdown?

Defensive security research — detection, hardening, and hardware — delivered when there is something worth saying. No spam, unsubscribe anytime.