https://www.youtube.com/watch?v=61C_lEQ5qNM
https://github.com/welldone-cloud/aws-summarize-account-activity
Analyzes CloudTrail data of a given AWS account and generates a summary of recently active IAM principals, API calls they made and regions that were used. The summary is written to a JSON output file and can optionally be visualized as PNG files.
An evolving repository of CloudTrail events with detailed descriptions, MITRE ATT&CK insights, real-world incidents references, other research references and security implications.
CloudTrail Logging Evasion: Where Policy Size Matters
Our findings reveal two significant gaps in how AWS handles policy size evaluation and large requests in CloudTrail logging. First, creating or updating an IAM policy exceeding 131,072 characters (including whitespace) fails validation, contradicting AWS documentation which states that whitespace does not count towards policy size limits.

Second, CloudTrail logs fail to capture full request details for requests in the size range of 102,401–131,072 characters. Instead, the requestParameters field flags these requests as too large and omits their content in runtime logs entirely.
These findings expose a discrepancy between AWS’s documented behavior and the actual handling of large requests, resulting in operational challenges and blind spots for security teams monitoring CloudTrail logs. This reduced visibility into oversized or obfuscated requests could hinder organizations’ ability to detect unauthorized changes or activity.
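A detection pass over CloudTrail records for the blind spot described above, as an added example that is not part of the original summary or of the research it describes: it flags IAM policy-writing calls whose requestParameters CloudTrail did not record. The set of event names, the exact "omitted" marker and the sample records are assumptions constructed for the example; compare the marker against what your own trail shows.

```python
# IAM write APIs whose policy documents are subject to the size limits
# discussed above (real API names; which ones to watch is an assumption).
POLICY_WRITE_EVENTS = {
    "CreatePolicy", "CreatePolicyVersion",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
}

def parameters_omitted(event):
    """Return a reason string when CloudTrail did not record the request body,
    or None when requestParameters holds real content. The 'omitted' key is an
    assumed marker; adjust it to match the records in your own trail."""
    params = event.get("requestParameters")
    if params is None:
        return "requestParameters missing"
    if isinstance(params, dict) and "omitted" in params:
        return "requestParameters marked as omitted (request too large)"
    return None

def find_blind_spot_events(records):
    """Select IAM policy-writing events whose body CloudTrail did not capture,
    so an analyst can go back to the IAM policy itself instead of the log."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in POLICY_WRITE_EVENTS:
            continue
        reason = parameters_omitted(ev)
        if reason:
            findings.append({
                "eventTime": ev.get("eventTime"),
                "eventName": ev["eventName"],
                "principal": ev.get("userIdentity", {}).get("arn"),
                "reason": reason,
            })
    return findings

# Constructed sample records (not real log data): one normal policy write,
# one oversized write whose body was dropped, one non-IAM event to ignore.
SAMPLE_TRAIL = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "app", "policyName": "p",
                           "policyDocument": '{"Version":"2012-10-17","Statement":[]}'}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"omitted": "Request parameters exceed the maximum size."}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"omitted": "Request parameters exceed the maximum size."}},
]

if __name__ == "__main__":
    for finding in find_blind_spot_events(SAMPLE_TRAIL):
        print(finding)
```

For a real trail, feed the `Records` array of each CloudTrail JSON file (or the query results from CloudTrail Lake) to `find_blind_spot_events` and review the flagged principals against change tickets.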