analyzing-cloud-storage-access-patterns

Solid

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 97/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 76
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Analyzing Cloud Storage Access Patterns

## When to Use

- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install boto3 requests`
2. Query CloudTrail for S3 Data Events using the AWS CLI or boto3. S3 data events are not recorded by default; the trail must have data event logging enabled for the bucket, otherwise GetObject and ListObjects calls never appear in the log.
3. Build access baselines: hourly request volume, per-user object counts, source IP history.
4. Detect anomalies:
   - After-hours access (outside 8am-6pm local time; CloudTrail `eventTime` is in UTC, so convert to the local timezone before applying this rule)
   - Bulk downloads: more than 100 GetObject calls from a single principal in 1 hour
   - New source IPs not seen in the prior 30 days
   - ListBucket enumeration spikes (reconnaissance indicator)
5. Generate a prioritized findings report.

```bash
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
```

## Examples

### CloudTrail S3 Data Event

```json
{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"}, "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:us...
```
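The four detection rules in step 4, implemented end to end over already-fetched CloudTrail S3 data events. This is an added example written for this page, not the skill's own `scripts/agent.py`: it reads the same record fields the skill's sample event shows (`eventName`, `eventTime`, `sourceIPAddress`, `userIdentity.arn`), splits the input into a 30-day baseline and an analysis window, and ranks findings by severity. The event records, the principals `alice` and `bob`, the fixed UTC-5 local timezone and the ListObjects spike threshold of 20 are all assumptions; the skill fixes the 100-GetObject and 30-day numbers but gives no timezone or list threshold.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds from step 4 of the skill. LIST_SPIKE_THRESHOLD and LOCAL_TZ are
# assumptions: the skill names neither a list threshold nor a timezone. A real
# deployment should use zoneinfo for LOCAL_TZ so DST is handled; a fixed offset
# keeps this example dependency-free.
BULK_GETOBJECT_THRESHOLD = 100
LIST_SPIKE_THRESHOLD = 20
BUSINESS_HOURS = range(8, 18)                 # 08:00-17:59 local time
LOCAL_TZ = timezone(timedelta(hours=-5))      # assumed: US Eastern standard time
NEW_IP_WINDOW = timedelta(days=30)
LIST_EVENTS = {"ListObjects", "ListObjectsV2"}   # CloudTrail names for ListBucket calls
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_ip_history(events, window_start):
    """Source IPs seen per principal in the 30 days before the analysis window."""
    seen = defaultdict(set)
    for e in events:
        t = parse_time(e["eventTime"])
        if window_start - NEW_IP_WINDOW <= t < window_start:
            seen[e["userIdentity"]["arn"]].add(e["sourceIPAddress"])
    return seen


def detect(events, window_start):
    """Run the step-4 rules over events at or after window_start; earlier events
    form the baseline. Returns findings sorted high -> medium -> low."""
    history = build_ip_history(events, window_start)
    window = [e for e in events if parse_time(e["eventTime"]) >= window_start]

    after_hours, get_per_hour, list_per_hour, new_ips = Counter(), Counter(), Counter(), set()
    for e in window:
        arn, t = e["userIdentity"]["arn"], parse_time(e["eventTime"])
        hour = t.replace(minute=0, second=0)
        if t.astimezone(LOCAL_TZ).hour not in BUSINESS_HOURS:   # convert UTC first
            after_hours[arn] += 1
        if e["eventName"] == "GetObject":
            get_per_hour[(arn, hour)] += 1
        elif e["eventName"] in LIST_EVENTS:
            list_per_hour[(arn, hour)] += 1
        if e["sourceIPAddress"] not in history.get(arn, set()):
            new_ips.add((arn, e["sourceIPAddress"]))

    findings = []
    for (arn, hour), n in get_per_hour.items():
        if n > BULK_GETOBJECT_THRESHOLD:
            findings.append({"rule": "bulk_download", "severity": "high", "principal": arn,
                             "hour": hour.isoformat(), "count": n})
    for arn, ip in sorted(new_ips):
        findings.append({"rule": "new_source_ip", "severity": "medium", "principal": arn, "ip": ip})
    for (arn, hour), n in list_per_hour.items():
        if n > LIST_SPIKE_THRESHOLD:
            findings.append({"rule": "list_enumeration_spike", "severity": "medium",
                             "principal": arn, "hour": hour.isoformat(), "count": n})
    for arn, n in after_hours.items():
        findings.append({"rule": "after_hours_access", "severity": "low", "principal": arn, "count": n})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])   # stable: keeps rule order within a tier
    return findings


# ---- constructed sample data (not real CloudTrail output) ----
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
WINDOW_START = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _event(name, arn, ip, when, key="financials/q4.xlsx"):
    """Minimal CloudTrail S3 data event carrying only the fields the rules read."""
    return {"eventName": name, "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "sourceIPAddress": ip, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": "sensitive-data", "key": key}}


def sample_events():
    ev = []
    for d in range(1, 15):                      # baseline: business-hours reads, usual IPs
        day = datetime(2024, 1, d, 15, 0, tzinfo=timezone.utc)   # 10:00 local
        ev.append(_event("GetObject", ALICE, "203.0.113.50", day))
        ev.append(_event("GetObject", BOB, "203.0.113.20", day))
    start = datetime(2024, 1, 15, 7, 0, tzinfo=timezone.utc)      # 02:00 local
    for i in range(120):                        # alice: bulk pull from a never-seen IP
        ev.append(_event("GetObject", ALICE, "198.51.100.7",
                         start + timedelta(seconds=20 * i), key=f"financials/{i}.xlsx"))
    start = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)     # 09:00 local
    for i in range(30):                         # bob: enumeration burst from his usual IP
        ev.append(_event("ListObjectsV2", BOB, "203.0.113.20", start + timedelta(minutes=i), key=""))
    return ev


if __name__ == "__main__":
    for f in detect(sample_events(), WINDOW_START):
        print(f)
```

On the constructed input, `detect` returns four findings in severity order: a high bulk_download for alice (120 GetObject in one hour), a medium new_source_ip for alice, a medium list_enumeration_spike for bob, and a low after_hours_access for alice. Bob's 30 ListObjectsV2 calls are at 09:00 local from his known IP, so they trigger only the enumeration rule, which is the intended contrast: the same principal can look benign on three rules and still warrant a ticket on the fourth.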

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-s3-data-exfiltration-attempts

Detecting data exfiltration attempts from AWS S3 buckets by analyzing CloudTrail S3 data events, VPC Flow Logs, GuardDuty findings, Amazon Macie alerts, and S3 access patterns to identify unauthorized bulk downloads and cross-account data transfers.

12,642 Updated today
mukul975
AI & Automation Featured

performing-cloud-forensics-with-aws-cloudtrail

Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-cloud-trail-log-analysis

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

12,642 Updated today
mukul975
AI & Automation Featured

auditing-aws-s3-bucket-permissions

Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.

12,642 Updated today
mukul975