MITRE ATT&CK® Analytic

AN0891: Analytic 0891

Cloud control plane actions disabling security services (CloudTrail logging, GuardDuty, Security Hub). Detect IAM role abuse correlating with service disable events.

Enterprise | AN0891 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on cloud control plane actions that disable core security visibility services such as CloudTrail logging, GuardDuty, and Security Hub. For executives and security leaders, the business issue is not just a configuration change: disabling these services can reduce the organization’s ability to prove what happened, detect follow-on activity, support incident response, and provide audit evidence in an IaaS environment.

Executive priority

Treat this as a cloud resilience and governance priority. Leaders should ask whether security logging and threat detection services are continuously monitored for disablement, whether IAM role activity is reviewed when those disablement events occur, and whether incident response plans account for loss of cloud telemetry. This is relevant to budget and control prioritization because preventive configuration alone is not enough; the organization also needs evidence that control-plane changes are collected, correlated, alerted, and investigated quickly.

Technical view

The supplied ATT&CK analytic describes detection of cloud control plane actions that disable security services, with emphasis on correlating IAM role abuse with service disable events. SOC, cloud security, and IR teams should validate that IaaS control plane events are ingested for CloudTrail logging changes, GuardDuty disablement or suspension, Security Hub disablement, and the IAM role or principal associated with those actions. Because no official detection logic is provided, teams should build and tune local analytics around security-service disable events, privileged role usage, unusual role assumption patterns, and temporal correlation between identity activity and service state changes.

Likely telemetry

  • IaaS cloud control plane audit logs
  • CloudTrail configuration and logging status change events
  • GuardDuty service enablement, suspension, or disablement events
  • Security Hub enablement or disablement events
  • IAM role assumption and role usage events

Detection direction

  • Confirm that cloud control plane events are collected before, during, and after changes to logging and security services.
  • Alert on disablement, suspension, or material configuration changes to CloudTrail logging, GuardDuty, and Security Hub where applicable to the IaaS environment.
  • Correlate service disable events with IAM role activity, especially privileged roles, newly assumed roles, unusual source locations, or unexpected automation contexts.
  • Tune for approved administrative maintenance while preserving high-severity handling for unexpected disablement of security telemetry.
  • Validate coverage across accounts and regions; a common blind spot is monitoring only the primary account or region while service disablement occurs elsewhere.
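One way to implement the correlation the bullets above call for, as an added example that is not part of the ATT&CK analytic or the Glexia page: scan CloudTrail records for actions that disable CloudTrail, GuardDuty or Security Hub, and tie each hit back to the AssumeRole call that minted the acting role session inside a time window. The event names, the sample records, the account and role ARNs and the 60-minute window are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime
_ts = lambda ev: datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))  # eventTime ends in Z
# Disable/suspend actions keyed by CloudTrail eventSource (API names assumed from AWS documentation).
DISABLE_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "securityhub.amazonaws.com": {"DisableSecurityHub", "BatchDisableStandards"},
}

def is_disable_event(ev):
    """True when the record disables or suspends a security service."""
    if ev.get("eventName") not in DISABLE_EVENTS.get(ev.get("eventSource"), ()):
        return False
    if ev["eventName"] == "UpdateDetector":  # only a disable when the detector is switched off
        return (ev.get("requestParameters") or {}).get("enable") is False
    return True

def correlate(events, window_minutes=60):
    """Alert on disable events and attach the AssumeRole call(s) that minted the acting session."""
    assumptions = defaultdict(list)  # target role ARN -> AssumeRole records
    for ev in events:
        if ev.get("eventSource") == "sts.amazonaws.com" and ev.get("eventName") == "AssumeRole":
            assumptions[(ev.get("requestParameters") or {}).get("roleArn")].append(ev)
    alerts = []
    for ev in events:
        if not is_disable_event(ev):
            continue
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")  # None for IAM users
        related = [a for a in assumptions.get(issuer, [])
                   if 0 <= (_ts(ev) - _ts(a)).total_seconds() <= window_minutes * 60]
        alerts.append({"severity": "high", "action": f'{ev["eventSource"].split(".")[0]}:{ev["eventName"]}',
                       "account": ev.get("recipientAccountId"), "region": ev.get("awsRegion"),
                       "actor": ident.get("arn"), "assumed_role": issuer,
                       "assume_role_source_ips": sorted({a.get("sourceIPAddress") for a in related})})
    return alerts

# Constructed sample records (not real telemetry): role assumption, then StopLogging 5 minutes later.
ROLE = "arn:aws:iam::111122223333:role/SecAdmin"
SESSION = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/SecAdmin/s1",
           "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"roleArn": ROLE}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "recipientAccountId": "111122223333", "userIdentity": SESSION},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "requestParameters": {"enable": True}, "userIdentity": SESSION},  # enable=true: not a disable
]
```

Run `correlate(SAMPLE_EVENTS)` over records pulled from every account and region, not just the primary one, so a disable in a secondary region still surfaces with the role session and source IP behind it.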

Mitigation priorities

  • Prioritize governance controls that restrict who can disable cloud logging and security services.
  • Require strong change control and documented approval for disabling CloudTrail logging, GuardDuty, or Security Hub.
  • Use least privilege for IAM roles that can alter security-service configuration.
  • Maintain independent monitoring of security-service state so loss of telemetry is itself visible.
  • Ensure incident response procedures include escalation when cloud security logging or detection services are disabled.

Analyst notes and limits

The object is a detection analytic for the enterprise ATT&CK domain on IaaS platforms. It names CloudTrail logging, GuardDuty, and Security Hub as example security services and highlights IAM role abuse correlation. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take focuses on defensible validation questions and telemetry requirements rather than specific rule syntax.

This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, complete platform coverage beyond IaaS, or guaranteed detection. Local cloud architecture, account structure, regions, IAM design, and logging configuration are required to determine actual exposure and coverage.

Official MITRE ATT&CK definition

Analytic 0891

Cloud control plane actions disabling security services (CloudTrail logging, GuardDuty, Security Hub). Detect IAM role abuse correlating with service disable events.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 23eddf866d51a31d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 23eddf866d51…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN0891

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.