We just publicly disclosed this vulnerability in AWS Service Catalog. By abusing a dev endpoint you could bypass CloudTrail logging for both read AND write actions in Service Catalog.
Disclosure Timeline
January 30, 2023: Datadog reports both issues to AWS.
January 30, 2023: AWS responds that they received the report.
February 7, 2023: AWS confirms that a fix is in development.
February 7, 2023: AWS deploys fix to Service Catalog.
March 20, 2023: Datadog releases public disclosure.