Let’s talk about the first thing sophisticated attackers go after: your audit trail. If they can blind you, they own you. CloudTrail is that trail in AWS, and most organizations are still leaving massive gaps.
The problem is simple: many only enable CloudTrail in their primary region. Attackers know this. They’ll spin up resources in an unmonitored region – think crypto mining, data staging, or a new C2 server – and you’ll never see it happen. It’s a fundamental blind spot.
You need CloudTrail logging API calls in all regions, not just the ones you think you’re using. Crucially, enable log file validation. With validation on, CloudTrail delivers signed digest files alongside the logs, so any tampering with the logs themselves – the attacker’s next move after disabling the trail – can be detected.
The fix isn’t complicated. Configure a multi-region trail via the AWS Console, the CLI, or CloudFormation. Ensure it covers all regions and that log file validation is enabled. This is a non-negotiable baseline.
Stop leaving your back door open. Enable CloudTrail everywhere.
The fix
# Check CloudTrail status: a compliant trail shows Multi=true and Validation=true
aws cloudtrail describe-trails --query 'trailList[].{Name:Name,Region:HomeRegion,Multi:IsMultiRegionTrail,Validation:LogFileValidationEnabled}'
# Confirm the trail is actually delivering logs (IsLogging must be true)
aws cloudtrail get-trail-status --name <trail-name>
# Create a multi-region trail with log file validation (<trail-name> and <bucket> are placeholders)
aws cloudtrail create-trail --name <trail-name> --s3-bucket-name <bucket> --is-multi-region-trail --enable-log-file-validation
aws cloudtrail start-logging --name <trail-name>
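As an added example (mine, not part of the original post), the following Python applies the post’s three checks – multi-region coverage, log file validation, and a trail that is actually logging – to the JSON that describe-trails and get-trail-status return, so it can run offline on saved CLI output. The trail names, ARNs and the 123456789012 account number are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws cloudtrail describe-trails` output
# (placeholder account 123456789012; not real data).
SAMPLE_DESCRIBE_TRAILS = json.dumps({"trailList": [
    {"Name": "prod-trail", "HomeRegion": "us-east-1",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/prod-trail"},
    {"Name": "org-trail", "HomeRegion": "us-west-2",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "TrailARN": "arn:aws:cloudtrail:us-west-2:123456789012:trail/org-trail"},
]})

# Constructed sample of `aws cloudtrail get-trail-status --name <arn>` per trail.
SAMPLE_STATUS = {
    "arn:aws:cloudtrail:us-east-1:123456789012:trail/prod-trail": {"IsLogging": True},
    "arn:aws:cloudtrail:us-west-2:123456789012:trail/org-trail": {"IsLogging": False},
}


def audit_trails(describe_json, status_by_arn):
    """Return (trail name, finding) pairs for the gaps the post describes:
    single-region trails, trails without log file validation, and trails
    that exist but are not logging. An account-level finding is added when
    no trail is both multi-region and actively logging."""
    findings = []
    trails = json.loads(describe_json)["trailList"]
    for t in trails:
        name = t["Name"]
        logging = status_by_arn.get(t["TrailARN"], {}).get("IsLogging", False)
        if not t.get("IsMultiRegionTrail", False):
            findings.append((name, "single-region trail: API calls in other regions are unlogged"))
        if not t.get("LogFileValidationEnabled", False):
            findings.append((name, "log file validation disabled: tampering cannot be detected"))
        if not logging:
            findings.append((name, "trail exists but logging is stopped (IsLogging=false)"))
    covered = any(t.get("IsMultiRegionTrail", False)
                  and status_by_arn.get(t["TrailARN"], {}).get("IsLogging", False)
                  for t in trails)
    if not covered:
        findings.append(("ACCOUNT", "no active multi-region trail: some regions have no audit trail"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_trails(SAMPLE_DESCRIBE_TRAILS, SAMPLE_STATUS):
        print(f"{name}: {finding}")
```

Feed it the real output of the two CLI commands above and an empty result means the account meets the baseline.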
Reference: CIS AWS Foundations Benchmark 3.1