Full Report
AWS admins use CloudTrail to monitor API activity within their accounts, which lets suspicious activity be discovered quickly. So, what would happen if we could bypass this? An admin could miss a ton of malicious activity! While reviewing network traffic, the authors noticed several requests to an AWS service with `iamadmin` in the name. This is different from the standard `iamv2/api/iam` API. Besides the name change, the functionality was completely different as well: the service name was `AWSIdentityManagementAdminService` instead of `AWSIdentityManagementV20100508`. The methods in this other set of APIs were similar to the regular API calls but NOT the same, for instance `ListMFADevicesForMultipleUsers` vs. `iam:ListMFADevices`. The authors SigV4-signed the request and it worked as expected. But what didn't work? CloudTrail! Calling the `ListMFADevicesForMultipleUsers` endpoint did not log in CloudTrail at all. They expanded this concept to many of the APIs on the same service as well, though it only worked for the non-mutating functions. This undocumented API allowed them to make calls that were not logged. Time to avoid detection! Overall, a pretty neat finding! With this complicated of an ecosystem, small things like this are likely to slip through the cracks.
Analysis Summary
# Vulnerability: Undocumented AWS IAMAdmin Service API Calls Bypass CloudTrail Logging
## CVE Details
- CVE ID: Not explicitly assigned in the text (zero-day vulnerability disclosed to and fixed by AWS).
- CVSS Score: Not provided.
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) or potentially related to improper system boundary enforcement.
## Affected Systems
- Products: AWS IAM, accessed through the undocumented `iamadmin` API endpoints used by the AWS Management Console.
- Versions: Any AWS environment utilizing CloudTrail for logging API activity, prior to the fix applied by AWS.
- Configurations: Environments where administrators rely solely on CloudTrail to monitor IAM management plane activity.
## Vulnerability Description
The vulnerability resides in an **undocumented API endpoint** used by the AWS Management Console, which invokes the `AWSIdentityManagementAdminService` (seen as `iamadmin` in network traffic) instead of the standard, documented IAM API (`AWSIdentityManagementV20100508`).
Researchers discovered that **non-mutating (read-only)** API calls against this undocumented service (e.g., `ListMFADevicesForMultipleUsers` via the `iamadmin` endpoint) executed successfully with standard SigV4 signing, but **no corresponding event was logged in AWS CloudTrail**. This allowed an adversary holding valid credentials to use these APIs for reconnaissance without generating an audit trail, bypassing both CloudTrail monitoring and security services that depend on it, such as GuardDuty.
## Exploitation
- Status: Proof of concept (PoC) developed by the researchers to demonstrate the logging bypass. Not reported as exploited in the wild prior to disclosure.
- Complexity: Low (Once the endpoint and method names were identified via network monitoring, requests could be crafted and signed normally).
- Attack Vector: Network (Requires ability to make authenticated, signed requests to the AWS API infrastructure).
## Impact
- Confidentiality: High (Reconnaissance can occur undetected, potentially leading to the discovery of valid credentials or resource structures).
- Integrity: Low (The flaw was limited to **non-mutating (read-only)** functions; destructive actions remained logged).
- Availability: Negligible (The actions themselves do not disrupt service availability).
## Remediation
### Patches
- AWS remediated the issue through internal changes that updated `iamadmin` API calls to generate events in CloudTrail, aligning their logging behavior with the standard IAM service.
- **Fix Date:** October 24, 2022. (The vulnerability is considered patched as of this date).
### Workarounds
- **Primary Mitigation:** Security teams should monitor for API calls initiated against the `AWSIdentityManagementAdminService` target prefix, even if they do not immediately correspond to known CloudTrail events.
- **Supplementary Monitoring:** Correlate observed outbound IAM API requests with CloudTrail events. Requests made through the official `iamv2/api/iam` path should each produce a CloudTrail event, so IAM traffic with no matching CloudTrail record warrants investigation.
## Detection
- **Indicators of Compromise:** Absence of the expected IAM read-only API calls (e.g., `List...`, `Get...`) in CloudTrail for a compromised or suspicious entity, while related administrative activity is visible elsewhere.
- **Detection Methods and Tools:** Monitor network traffic, or application logs that capture outgoing AWS API calls, for the unique header/target string associated with `AWSIdentityManagementAdminService` or the `/iamadmin` path. Post-patch, attempts to use these undocumented endpoints will likely generate CloudTrail entries, which can then be monitored.
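As an added example (not from the Datadog research or from this page), the two checks above are run over constructed sample data in Python. It assumes an egress proxy or TLS-inspecting sensor that records each request's `X-Amz-Target` header (the header in which JSON-protocol AWS APIs carry the `Service.Action` string), one request per line, plus a list of minimal CloudTrail records; the log format, IPs, timestamps and the second iamadmin action name are made up.

```python
import re
from datetime import datetime

# Constructed sample data, not from the page: an egress-proxy log with the X-Amz-Target
# header value appended to each request, and minimal CloudTrail records for the same
# period. Only the service prefixes and ListMFADevicesForMultipleUsers come from the
# page; the second iamadmin action name is a placeholder.
EGRESS_LOG = """\
2022-10-20T10:01:02Z 10.0.1.5 POST iam.amazonaws.com target=AWSIdentityManagementV20100508.ListMFADevices
2022-10-20T10:01:09Z 10.0.1.5 POST iam.amazonaws.com target=AWSIdentityManagementAdminService.ListMFADevicesForMultipleUsers
2022-10-20T10:02:44Z 10.0.1.7 POST sts.amazonaws.com target=AWSSecurityTokenServiceV20110615.GetCallerIdentity
2022-10-20T10:03:15Z 10.0.1.5 POST iam.amazonaws.com target=AWSIdentityManagementAdminService.PlaceholderReadOnlyAction
"""
CLOUDTRAIL_EVENTS = [  # what CloudTrail actually recorded (constructed)
    {"eventTime": "2022-10-20T10:01:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListMFADevices", "sourceIPAddress": "10.0.1.5"},
    {"eventTime": "2022-10-20T10:02:45Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.1.7"},
]
IAMADMIN_PREFIX = "AWSIdentityManagementAdminService"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>\S+) (?P<host>\S+) "
                     r"target=(?P<service>[^.\s]+)\.(?P<action>\S+)$")

def parse_egress(text):
    """Parse the constructed egress-log format; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_iamadmin_calls(egress):
    """Primary mitigation: flag any request whose target uses the undocumented prefix."""
    return [e for e in egress if e["service"] == IAMADMIN_PREFIX]

def find_uncorrelated(egress, cloudtrail, window_s=60):
    """Supplementary check: egress requests with no CloudTrail event of the same
    service host, action and source IP within window_s seconds. Before the fix,
    every iamadmin call lands here; a standard call can too if delivery lags."""
    def t(s):
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")
    return [e for e in egress if not any(
        ct["eventSource"] == e["host"] and ct["eventName"] == e["action"]
        and ct["sourceIPAddress"] == e["src"]
        and abs((t(ct["eventTime"]) - t(e["ts"])).total_seconds()) <= window_s
        for ct in cloudtrail)]

if __name__ == "__main__":
    eg = parse_egress(EGRESS_LOG)
    for e in find_iamadmin_calls(eg):
        print("iamadmin target:", e["ts"], e["src"], e["action"])
    for e in find_uncorrelated(eg, CLOUDTRAIL_EVENTS):
        print("no CloudTrail event:", e["ts"], e["src"], e["service"] + "." + e["action"])
```

The correlation check is the one that remains useful after the fix, since it also surfaces CloudTrail delivery gaps; tune `window_s` to the delivery delay you observe.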
## References
- Datadog Security Labs Research: hxxps://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/