It depends on what kind of access we're talking about. If we're talking about AWS resource mutations, one can trust CloudTrail to accurately log those actions. CloudTrail can also log data plane events, though you have to turn it on, and it costs extra. Similarly, RDS access logging is pretty trustworthy, though functionality varies by engine.
What do you mean by “trust CloudTrail”?
So CloudTrail shows the compromised account logging into an EC2 instance every day like normal.
Then service account credentials are used to access user data in S3.
How does CloudTrail indicate the compromised credentials were used to access the customer data in S3?
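
On the data plane events mentioned in the first comment: the following is an added example, not written by anyone in this thread. It assumes S3 data event logging was enabled on the trail, and it runs over constructed records that use CloudTrail's record field names (`userIdentity`, `requestParameters`, `managementEvent`) to show which principal and access key each object read is attributed to.

```python
from collections import defaultdict

# Constructed records using CloudTrail field names; every value here is made up.
SVC = {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLESVC000000",
       "arn": "arn:aws:sts::111122223333:assumed-role/example-service-role/session1"}
USER = {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEUSER00000",
        "arn": "arn:aws:iam::111122223333:user/example-user"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "managementEvent": True,
     "sourceIPAddress": "198.51.100.7", "userIdentity": USER, "requestParameters": None},
    {"eventTime": "2024-01-01T09:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "managementEvent": False,
     "sourceIPAddress": "203.0.113.9", "userIdentity": SVC,
     "requestParameters": {"bucketName": "example-user-data", "key": "users/1.json"}},
    {"eventTime": "2024-01-01T09:05:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "managementEvent": False,
     "sourceIPAddress": "203.0.113.9", "userIdentity": SVC,
     "requestParameters": {"bucketName": "example-user-data", "key": "users/2.json"}},
    {"eventTime": "2024-01-01T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "managementEvent": True,
     "sourceIPAddress": "198.51.100.7", "userIdentity": USER, "requestParameters": None},
]

def s3_data_reads(records, event_names=("GetObject",)):
    """Group S3 object-level reads by the (principal ARN, access key) that made them."""
    by_identity = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("managementEvent") is not False:  # keep data events only
            continue
        if rec.get("eventName") not in event_names:
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # may be null in a record
        who = (ident.get("arn", "unknown"), ident.get("accessKeyId", "unknown"))
        by_identity[who].append((rec.get("eventTime"), rec.get("sourceIPAddress"),
                                 params.get("bucketName"), params.get("key")))
    return dict(by_identity)

if __name__ == "__main__":
    for (arn, key_id), reads in s3_data_reads(SAMPLE_RECORDS).items():
        print(f"{arn} via {key_id}: {len(reads)} object reads")
        for when, ip, bucket, key in reads:
            print(f"  {when} {ip} s3://{bucket}/{key}")
```

If data events were not enabled for the bucket at the time, no such records exist and this grouping returns nothing for that period.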