performing-cloud-forensics-with-aws-cloudtrail


Perform forensic investigation of AWS environments using CloudTrail logs to reconstruct attacker activity, identify compromised credentials, and analyze API call patterns.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0



Skill Content

# Performing Cloud Forensics with AWS CloudTrail

## When to Use

- When investigating suspected AWS account compromise
- After detecting unauthorized API calls or credential exposure
- During incident response involving cloud infrastructure
- When analyzing S3 data exfiltration or IAM privilege escalation
- For post-incident forensic timeline reconstruction

## Prerequisites

- AWS account with CloudTrail enabled (management and data events)
- IAM permissions for `cloudtrail:LookupEvents`, `s3:GetObject`, `athena:StartQueryExecution`
- boto3 Python SDK installed
- CloudTrail logs delivered to S3, with an optional Athena table configured
- AWS CLI configured with appropriate credentials

## Workflow

1. **Scope Investigation**: Identify the timeframe, affected accounts, and compromised credentials.
2. **Query CloudTrail**: Use boto3 `lookup_events` or Athena to retrieve relevant API events.
3. **Filter by Indicators**: Search for suspicious user agents, source IPs, and event names.
4. **Reconstruct Timeline**: Build a chronological sequence of attacker actions from API calls.
5. **Analyze Access Patterns**: Identify data access, IAM changes, and resource modifications.
6. **Identify Persistence**: Check for new IAM users, access keys, roles, or Lambda functions.
7. **Generate Report**: Produce a forensic timeline with findings and remediation steps.

## Key Concepts

| Concept | Description |
|---------|-------------|
| LookupEvents | CloudTrail API to query management events (last 90 days) |
| ...
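Workflow steps 2 through 6 carried out on constructed input, as an added example that is not part of the skill or its repository. The records are shaped like the `Events` list returned by boto3's `cloudtrail.lookup_events()` (where `CloudTrailEvent` is a JSON string); the IP addresses, user name and timestamps are made up, and the `PERSISTENCE_EVENTS` set is this example's own choice of indicators, not a list from the skill.

```python
import json
from datetime import datetime

# Successful calls with these names create new principals or credentials (workflow step 6).
# The set is an assumption made for this example, not a definitive list.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateRole", "CreateLoginProfile",
                      "AttachUserPolicy", "CreateFunction20150331"}

def parse_events(raw_events):
    """Step 2: flatten lookup_events records; CloudTrailEvent is a JSON string."""
    out = []
    for rec in raw_events:
        body = json.loads(rec["CloudTrailEvent"])
        out.append({"time": rec["EventTime"], "event": body.get("eventName"),
                    "user": body.get("userIdentity", {}).get("userName", "<unknown>"),
                    "ip": body.get("sourceIPAddress"), "agent": body.get("userAgent", ""),
                    "error": body.get("errorCode")})
    return out

def filter_by_indicators(events, ips=(), agent_substrings=()):
    """Step 3: keep calls from known-bad source IPs or matching a user-agent fragment."""
    return [e for e in events if e["ip"] in ips
            or any(s.lower() in e["agent"].lower() for s in agent_substrings)]

def build_timeline(events):
    """Step 4: order the calls chronologically."""
    return sorted(events, key=lambda e: e["time"])

def find_persistence(events):
    """Step 6: successful persistence-type calls (failed attempts carry errorCode and are excluded)."""
    return [e for e in events if e["event"] in PERSISTENCE_EVENTS and not e["error"]]

def _rec(ts, name, ip, agent, user="alice", error=None):
    """Build one constructed record in the shape boto3's lookup_events returns."""
    body = {"eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"userName": user}, **({"errorCode": error} if error else {})}
    return {"EventName": name, "EventTime": datetime.fromisoformat(ts),
            "CloudTrailEvent": json.dumps(body)}

# Constructed sample input (not real log data); deliberately out of order.
SAMPLE_EVENTS = [
    _rec("2024-05-01T09:12:00+00:00", "CreateAccessKey", "198.51.100.7", "aws-cli/2.15.30"),
    _rec("2024-05-01T08:00:00+00:00", "ConsoleLogin", "203.0.113.10", "Mozilla/5.0"),
    _rec("2024-05-01T09:05:00+00:00", "ListBuckets", "198.51.100.7", "aws-cli/2.15.30"),
    _rec("2024-05-01T09:10:00+00:00", "CreateUser", "198.51.100.7", "aws-cli/2.15.30", error="AccessDenied"),
    _rec("2024-05-01T10:00:00+00:00", "DescribeInstances", "203.0.113.10", "Mozilla/5.0"),
]
```

With live data, pass `client.lookup_events(...)["Events"]` to `parse_events`; because LookupEvents only covers the last 90 days of management events, older activity and data events need the S3/Athena path listed in the prerequisites.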

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-cloud-log-forensics-with-athena

Uses AWS Athena to query CloudTrail, VPC Flow Logs, S3 access logs, and ALB logs for forensic investigation. Covers CREATE TABLE DDL with partition projection, forensic SQL queries for detecting unauthorized access, data exfiltration, lateral movement, and privilege escalation. Use when investigating AWS security incidents or building cloud-native forensic workflows at scale.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

12,642 Updated today
mukul975
AI & Automation Featured

implementing-cloud-trail-log-analysis

Implementing AWS CloudTrail log analysis for security monitoring, threat detection, and forensic investigation using Athena, CloudWatch Logs Insights, and SIEM integration to identify unauthorized access, privilege escalation, and suspicious API activity.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

performing-cloud-forensics-investigation

Conduct forensic investigations in cloud environments by collecting and analyzing logs, snapshots, and metadata from AWS, Azure, and GCP services.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

12,642 Updated today
mukul975