Cloud Service Modification

Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical for detecting potential misconfigurations or malicious activity. Examples:

  • AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule).
  • Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource.
  • Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function.
  • Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.

This data component can be collected through the following measures:

Enable Cloud Audit Logging

  • AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail.
  • Azure: Use Azure Activity Logs to monitor resource changes and access actions.
  • Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes.
  • Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions.

Centralize Log Storage

  • Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool.
  • Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud.

Automate Alerts for Sensitive Changes

  • Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles.
  • AWS Example: Use AWS Config rules to detect changes to critical services and send notifications when they occur.
  • Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources.

Enable Continuous Monitoring

  • Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies.

ID: DC0069
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                       Channel
-------------------------  ------------------------------------------------------------------------------------
AWS:CloudTrail             CreateFunction
AWS:CloudTrail             PutUserPolicy, PutGroupPolicy, PutRolePolicy, CreatePolicyVersion
AWS:CloudTrail             Condition block updated in IAM policy (e.g., aws:SourceIp, aws:RequestedRegion)
AWS:CloudTrail             UpdateAccountPasswordPolicy
AWS:CloudTrail             PutIdentityPolicy
AWS:CloudTrail             LeaveOrganization: API calls severing accounts from AWS Organizations
AWS:CloudTrail             UpdateIdentityPolicy or DisableMFA
AWS:CloudTrail             CreateTrafficMirrorSession / ModifyTrafficMirrorTarget
AWS:CloudTrail             CreateFunction / UpdateFunctionConfiguration: Function creation, role assignment, or configuration change events
AWS:CloudTrail             RequestServiceQuotaIncrease
AWS:CloudTrail             Delete* / Stop*: DeleteAlarms, StopLogging, or DisableMonitoring API calls
AWS:CloudTrail             Use of temporary credentials issued from IMDS access
azure:activity             operationName: Write, Access Review, RoleAssignment
azure:activity             Microsoft.Network/networkWatchers/flowLogSettings/write
azure:activity             MICROSOFT.AUTHORIZATION/POLICIES/WRITE
azure:audit                Tenant subscription transfers or new management group creation
azure:audit                Consent to application: OAuth application consent granted to service principal
azure:policy               UpdatePolicy
azure:policy               DisableAuditLogs or ConditionalAccess logging changes
CloudTrail:Organizations   CreateAccount: API calls creating new accounts in AWS Organizations
CloudTrail:UpdatePolicy    UpdateFederationSettings or RegisterHybridConnector
gcp:audit                  compute.packetMirroring.insert
gcp:audit                  projects.updateQuota or orgPolicies.updatePolicy
gcp:config                 UpdateSink request modifying log export destinations
m365:unified               Creation of Power Automate flow triggered by OneDrive or Exchange event
m365:unified               SendMessage
m365:unified               AddFlow / UpdateFlow: New automation or workflow creation events
saas:appsscript            Create / Update: Deployment of scripts with event-driven triggers
saas:github                Workflow triggered via pull_request_target from forked repo
saas:integration           New or modified third-party application integrations with elevated permissions
saas:slack                 Exported file or accessed admin API
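As an added example (not part of the ATT&CK page and not any vendor's tooling), the detector below implements the "Automate Alerts for Sensitive Changes" measure against the AWS:CloudTrail rows of the table above: it scans CloudTrail records for the event names the page lists (StopLogging, DeleteTrail, PutUserPolicy, UpdateAccountPasswordPolicy, LeaveOrganization, and so on) plus the Delete* / Stop* wildcard family, and reports who made the call, from where, and whether it failed. The sample records, the account ID and the IP addresses are constructed; the exact event-name set and prefix list are assumptions that a team would tune to its own accounts.

```python
"""Added example, not from the ATT&CK page: flag high-risk AWS CloudTrail
management events named in the Cloud Service Modification data component."""
import json
from dataclasses import dataclass
from typing import Optional

# Event names the page calls out explicitly (assumed starting set; tune per account).
HIGH_RISK_EVENTS = frozenset({
    "StopLogging", "DeleteTrail", "DeleteConfigRule", "DeleteAlarms",
    "DisableMonitoring", "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreatePolicyVersion", "UpdateAccountPasswordPolicy", "LeaveOrganization",
    "CreateTrafficMirrorSession", "ModifyTrafficMirrorTarget",
    "RequestServiceQuotaIncrease", "CreateAccount",
})
# The page's "Delete* / Stop*" wildcard rows. These prefixes also match routine
# cleanup (e.g. DeleteLogStream), so expect to add allow-lists in production.
HIGH_RISK_PREFIXES = ("Delete", "Stop")


@dataclass
class Finding:
    event_name: str
    principal: str
    source_ip: str
    error_code: Optional[str]  # non-None means the call was attempted but failed
    reason: str


def classify(record: dict) -> Optional[str]:
    """Return why a CloudTrail record is high-risk, or None if it is not."""
    name = record.get("eventName", "")
    if name in HIGH_RISK_EVENTS:
        return "listed high-risk event"
    if name.startswith(HIGH_RISK_PREFIXES):
        return "Delete*/Stop* style event"
    return None


def scan_records(records: list) -> list:
    """Turn the high-risk records of a batch into Findings, in input order."""
    findings = []
    for rec in records:
        reason = classify(rec)
        if reason is None:
            continue
        ident = rec.get("userIdentity", {})
        findings.append(Finding(
            event_name=rec["eventName"],
            principal=ident.get("arn") or ident.get("type", "unknown"),
            source_ip=rec.get("sourceIPAddress", "unknown"),
            error_code=rec.get("errorCode"),  # failed attempts are still worth an alert
            reason=reason,
        ))
    return findings


def scan_cloudtrail_file(text: str) -> list:
    """CloudTrail delivers log files as {"Records": [...]}; parse and scan one."""
    return scan_records(json.loads(text)["Records"])


# Constructed sample shaped like a CloudTrail delivery file (not real data;
# 123456789012 and 203.0.113.0/24 are documentation placeholders).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "DescribeTrails", "eventSource": "cloudtrail.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.42", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
    {"eventName": "DeleteLogGroup", "eventSource": "logs.amazonaws.com",
     "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}},
]})


if __name__ == "__main__":
    for f in scan_cloudtrail_file(SAMPLE_CLOUDTRAIL):
        status = f"FAILED ({f.error_code})" if f.error_code else "succeeded"
        print(f"{f.event_name:<28} {f.principal} from {f.source_ip}: {status} [{f.reason}]")
```

Running the block prints three findings out of the four constructed records: StopLogging and DeleteLogGroup as successful calls and PutUserPolicy as a denied attempt, while the read-only DescribeTrails is ignored. In a SIEM the same split matters: a denied PutUserPolicy from an instance role is often the earlier signal, so keep failed calls in the alert rather than filtering on success.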

Detection Strategy