https://www.youtube.com/watch?v=61C_lEQ5qNM

https://github.com/welldone-cloud/aws-summarize-account-activity

Analyzes CloudTrail data of a given AWS account and generates a summary of recently active IAM principals, API calls they made and regions that were used. The summary is written to a JSON output file and can optionally be visualized as PNG files.

TrailDiscover

An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, references to real-world incidents, other research references and security implications.

CloudTrail Logging Evasion: Where Policy Size Matters

Our findings reveal two significant gaps in how AWS handles policy size evaluation and large requests in CloudTrail logging. First, creating or updating an IAM policy exceeding 131,072 characters (including whitespace) fails validation, contradicting AWS documentation which states that whitespace does not count towards policy size limits. Second, CloudTrail logs fail to capture full request details for requests in the size range of 102,401–131,072 characters. Instead, the requestParameters field flags these requests as too large and omits their content in runtime logs entirely.

These findings expose a discrepancy between AWS’s documented behavior and the actual handling of large requests, resulting in operational challenges and blind spots for security teams monitoring CloudTrail logs. This reduced visibility into oversized or obfuscated requests could hinder organizations’ ability to detect unauthorized changes or activity.
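A detection sketch for the blind spot described above, added here as an example and not taken from the article or from AWS: it flags successful IAM policy writes whose CloudTrail record carries no policyDocument, and classifies a policy document against the two size thresholds quoted above. The function names, the sample records and the shape of the "too large" marker are assumptions, and policy document length is used as an approximation of request size.

```python
# Added example: thresholds come from the summary above; sample records are constructed.
LOGGED_MAX = 102_400   # largest size still logged in full
POLICY_MAX = 131_072   # larger policies fail validation

# IAM write calls whose requestParameters normally include a policyDocument.
POLICY_WRITES = {
    "CreatePolicy", "CreatePolicyVersion",
    "PutRolePolicy", "PutUserPolicy", "PutGroupPolicy",
}


def size_class(policy_text):
    """Classify a policy document by raw length, whitespace included."""
    n = len(policy_text)
    if n > POLICY_MAX:
        return "rejected"
    if n > LOGGED_MAX:
        return "accepted-unlogged"
    return "logged"


def blind_spots(records):
    """Return eventIDs of successful IAM policy writes with no logged policyDocument."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in POLICY_WRITES or rec.get("errorCode"):
            continue
        params = rec.get("requestParameters")
        # Keyed on the missing document, so it does not depend on the marker's exact shape.
        if not isinstance(params, dict) or "policyDocument" not in params:
            hits.append(rec.get("eventID"))
    return hits


# Constructed records; the shape of the "too large" marker is an assumption.
SAMPLE = [
    {"eventID": "ex-1", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicy",
     "requestParameters": {"policyName": "small", "policyDocument": "{...}"}},
    {"eventID": "ex-2", "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "requestParameters": {"omitted": True, "reason": "requestParameters too large"}},
    {"eventID": "ex-3", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example"}},
]

if __name__ == "__main__":
    print(blind_spots(SAMPLE))
```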

https://www.youtube.com/watch?v=oL2JnblVzmA