CloudTrail and VPC Endpoints Logging

Today I learnt that AWS CloudTrail does not log requests that are denied by a VPC endpoint policy. The reason for this is that logging them would allow an attacker to exfiltrate data out of the VPC via the VPC endpoint and CloudTrail, for example by sending lots of requests with the data they want to extract placed in the request fields.

Some extracts from the docs:

Logging your VPC endpoint AWS CloudTrail logs all operations that use the VPC endpoint. When a request to AWS KMS uses a VPC endpoint, the VPC endpoint ID appears in the AWS CloudTrail log entry that records the request. You can use the endpoint ID to audit the use of your AWS KMS VPC endpoint.

However, your CloudTrail logs don't include operations requested by principals in other accounts or requests for AWS KMS operations on KMS keys and aliases in other accounts. Also, to protect your VPC, requests that are denied by a VPC endpoint policy, but otherwise would have been allowed, are not recorded in AWS CloudTrail.
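The docs say the endpoint ID in each record is the handle for auditing endpoint use. The following Python is an added example (not from the original post or from AWS) that runs over a constructed CloudTrail log file: it splits KMS calls into those that came through a given VPC endpoint and those that bypassed it, and collects the denials that do get logged. The endpoint ID, account ID and IP addresses are placeholders; the field names (eventSource, eventName, vpcEndpointId, errorCode) are the ones CloudTrail records use. The point the caveat above makes is built in: a request rejected by the endpoint policy never produces a record, so `denied_events` only ever shows IAM or key-policy denials.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log (illustrative, not real data).
# Endpoint ID, account ID and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "vpcEndpointId": "vpce-0123456789abcdef0", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"accountId": "111111111111"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "vpcEndpointId": "vpce-0123456789abcdef0", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"accountId": "111111111111"}},
    # Call that reached KMS over the public endpoint: no vpcEndpointId field.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accountId": "111111111111"}},
    # Denied by IAM / key policy: this denial IS logged. A request blocked by
    # the VPC endpoint policy would simply be absent from the file.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "errorCode": "AccessDeniedException", "sourceIPAddress": "10.0.2.8",
     "userIdentity": {"accountId": "111111111111"}},
]})


def load_records(log_text):
    """Parse a CloudTrail log file; records live under the top-level 'Records' key."""
    return json.loads(log_text)["Records"]


def events_via_endpoint(records, endpoint_id):
    """Records whose request arrived through the given VPC endpoint."""
    return [r for r in records if r.get("vpcEndpointId") == endpoint_id]


def events_not_via_endpoint(records, service="kms.amazonaws.com"):
    """Calls to the service that did NOT traverse any VPC endpoint.

    Useful when the intent is that all KMS traffic stays inside the VPC:
    any hit here means a caller reached the public service endpoint.
    """
    return [r for r in records
            if r["eventSource"] == service and "vpcEndpointId" not in r]


def count_by_endpoint(records):
    """Count records per VPC endpoint ID ('<no-vpc-endpoint>' for public calls)."""
    return Counter(r.get("vpcEndpointId", "<no-vpc-endpoint>") for r in records)


def denied_events(records):
    """Denials that are present in the log (IAM or key-policy errors).

    An empty result does not mean nothing was blocked: requests rejected by
    the VPC endpoint policy itself are never written to CloudTrail.
    """
    return [r for r in records if "errorCode" in r]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(count_by_endpoint(recs))
    for r in events_not_via_endpoint(recs):
        print("bypassed endpoint:", r["eventName"], r["sourceIPAddress"])
    for r in denied_events(recs):
        print("logged denial:", r["eventName"], r["errorCode"])
```

Running this against a real trail means pointing `load_records` at the gzipped objects CloudTrail delivers to the trail's S3 bucket; the logic is the same. Because endpoint-policy denials leave no record, coverage for "who was blocked at the endpoint" has to come from elsewhere (for example, from what the endpoint policy itself permits), not from CloudTrail.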

Other Events that are not logged in CloudTrail

  • iam:PassRole has no event of its own in CloudTrail

  • Data events do not appear in the CloudTrail console and can only be observed in the S3 bucket or CloudWatch Logs log group the trail delivers to

  • cloudwatch:PutMetricData

  • s3:GeneratePresignedUrl
