Partial CloudTrail logging in AWS Control Tower

Published Mon, Mar 20th, 2023


AWS Control Tower was not properly logging to CloudTrail when API calls failed due to a lack of permissions. This could have helped an adversary with existing access to a victim AWS environment avoid detection while enumerating privileges, since any unsuccessful API calls would not generate "access denied" log entries.
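The detection this gap undermines is the usual one: look for principals accumulating "access denied" CloudTrail records across services. The following is an added example, not code from the advisory or from AWS, run over constructed CloudTrail records; the sample includes a logged successful Control Tower call but, as during the affected period, no record of the denied calls that preceded it.

```python
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields the check uses.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    # Only the successful Control Tower call appears: during the affected
    # period the denied calls before it produced no record at all.
    {"eventSource": "controltower.amazonaws.com",
     "eventName": "ListEnabledControls",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
]

# Error codes CloudTrail uses for permission failures (not exhaustive).
DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "Client.UnauthorizedOperation"}


def denied_actions_by_principal(records):
    """Map principal ARN -> set of 'eventSource:eventName' that were denied."""
    denied = defaultdict(set)
    for rec in records:
        if rec.get("errorCode") in DENIED_CODES:
            arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
            denied[arn].add(f"{rec['eventSource']}:{rec['eventName']}")
    return denied


def flag_enumeration(records, threshold=3):
    """Principals with at least `threshold` distinct denied actions."""
    return {arn: sorted(actions)
            for arn, actions in denied_actions_by_principal(records).items()
            if len(actions) >= threshold}


def sources_with_denials(records):
    """Event sources that produced any denial record; a service missing
    here despite known failed calls is a logging blind spot."""
    return {rec["eventSource"] for rec in records
            if rec.get("errorCode") in DENIED_CODES}
```

Calling `flag_enumeration(SAMPLE_RECORDS)` flags `user/dev` on the three logged denials, while `sources_with_denials(SAMPLE_RECORDS)` never lists `controltower.amazonaws.com`, which is exactly the coverage gap the advisory describes.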

Affected Services

Control Tower


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Mon, Jan 30th, 2023
Exploitability Period
Until 2023/02/13
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Nick Frichette, Datadog