Performing Cloud Forensics with AWS CloudTrail

When to Use

When investigating suspected AWS account compromise
After detecting unauthorized API calls or credential exposure
During incident response involving cloud infrastructure
When analyzing S3 data exfiltration or IAM privilege escalation
For post-incident forensic timeline reconstruction

Prerequisites

AWS account with CloudTrail enabled (management and data events)
IAM permissions for cloudtrail:LookupEvents, s3:GetObject, athena:StartQueryExecution
boto3 Python SDK installed
CloudTrail logs delivered to S3 with optional Athena table configured
AWS CLI configured with appropriate credentials

Workflow

Scope Investigation: Identify timeframe, affected accounts, and compromised credentials.
Query CloudTrail: Use boto3 lookup_events or Athena to retrieve relevant API events.
Filter by Indicators: Search for suspicious user agents, source IPs, and event names.
Reconstruct Timeline: Build chronological sequence of attacker actions from API calls.
Analyze Access Patterns: Identify data access, IAM changes, and resource modifications.
Identify Persistence: Check for new IAM users, access keys, roles, or Lambda functions.
Generate Report: Produce forensic timeline with findings and remediation steps.

Key Concepts

Concept	Description
LookupEvents	CloudTrail API to query management events (last 90 days)
Athena Queries	SQL queries against CloudTrail logs in S3 for historical analysis
User Agent Analysis	Identify tool signatures (AWS CLI, SDK, console, custom)
AccessKeyId	Track activity by specific IAM access key
EventName	AWS API action name (e.g., GetObject, CreateUser, AssumeRole)
sourceIPAddress	Origin IP of API call for geolocation analysis

Tools & Systems

Tool	Purpose
boto3 CloudTrail client	Programmatic CloudTrail event lookup
AWS Athena	SQL-based analysis of CloudTrail S3 logs
AWS CLI	Command-line CloudTrail queries
jq	JSON processing for CloudTrail event parsing
CloudTrail Lake	Advanced event data store with SQL query support

Output Format

Forensic Report: AWS-IR-[DATE]-[SEQ]
Account: [AWS Account ID]
Timeframe: [Start] to [End]
Compromised Credentials: [Access Key IDs]
Suspicious Events: [Count]
Source IPs: [List of attacker IPs]
Actions Taken: [API calls by attacker]
Data Accessed: [S3 objects, secrets, etc.]
Persistence Mechanisms: [New users, keys, roles]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Monitoring)
ISO 27001: A.8.1 (Asset Management), A.13.1 (Network Security), A.14.1 (System Acquisition)
NIST 800-53: AC-3 (Access Enforcement), SC-7 (Boundary Protection), CM-7 (Least Functionality)
NIST CSF: PR.AC (Access Control), PR.DS (Data Security), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-cloud-forensics-with-aws-cloudtrail

# Or load dynamically via MCP
grc.load_skill("performing-cloud-forensics-with-aws-cloudtrail")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Performing Cloud Forensics with AWS CloudTrail

When to Use

When investigating suspected AWS account compromise
After detecting unauthorized API calls or credential exposure
During incident response involving cloud infrastructure
When analyzing S3 data exfiltration or IAM privilege escalation
For post-incident forensic timeline reconstruction

Prerequisites

AWS account with CloudTrail enabled (management and data events)
IAM permissions for cloudtrail:LookupEvents, s3:GetObject, athena:StartQueryExecution
boto3 Python SDK installed
CloudTrail logs delivered to S3 with optional Athena table configured
AWS CLI configured with appropriate credentials

Workflow

Scope Investigation: Identify timeframe, affected accounts, and compromised credentials.
Query CloudTrail: Use boto3 lookup_events or Athena to retrieve relevant API events.
Filter by Indicators: Search for suspicious user agents, source IPs, and event names.
Reconstruct Timeline: Build chronological sequence of attacker actions from API calls.
Analyze Access Patterns: Identify data access, IAM changes, and resource modifications.
Identify Persistence: Check for new IAM users, access keys, roles, or Lambda functions.
Generate Report: Produce forensic timeline with findings and remediation steps.

Key Concepts

Concept	Description
LookupEvents	CloudTrail API to query management events (last 90 days)
Athena Queries	SQL queries against CloudTrail logs in S3 for historical analysis
User Agent Analysis	Identify tool signatures (AWS CLI, SDK, console, custom)
AccessKeyId	Track activity by specific IAM access key
EventName	AWS API action name (e.g., GetObject, CreateUser, AssumeRole)
sourceIPAddress	Origin IP of API call for geolocation analysis

Tools & Systems

Tool	Purpose
boto3 CloudTrail client	Programmatic CloudTrail event lookup
AWS Athena	SQL-based analysis of CloudTrail S3 logs
AWS CLI	Command-line CloudTrail queries
jq	JSON processing for CloudTrail event parsing
CloudTrail Lake	Advanced event data store with SQL query support

Output Format

Forensic Report: AWS-IR-[DATE]-[SEQ]
Account: [AWS Account ID]
Timeframe: [Start] to [End]
Compromised Credentials: [Access Key IDs]
Suspicious Events: [Count]
Source IPs: [List of attacker IPs]
Actions Taken: [API calls by attacker]
Data Accessed: [S3 objects, secrets, etc.]
Persistence Mechanisms: [New users, keys, roles]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.1 (Logical Access), CC6.6 (System Boundaries), CC7.1 (Monitoring)
ISO 27001: A.8.1 (Asset Management), A.13.1 (Network Security), A.14.1 (System Acquisition)
NIST 800-53: AC-3 (Access Enforcement), SC-7 (Boundary Protection), CM-7 (Least Functionality)
NIST CSF: PR.AC (Access Control), PR.DS (Data Security), DE.CM (Continuous Monitoring)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add performing-cloud-forensics-with-aws-cloudtrail

# Or load dynamically via MCP
grc.load_skill("performing-cloud-forensics-with-aws-cloudtrail")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Performing Cloud Forensics with AWS CloudTrail

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting AWS Cloudtrail Anomalies

Implementing Cloud Trail Log Analysis

Auditing AWS S3 Bucket Permissions

Detecting S3 Data Exfiltration Attempts

Detecting AWS Credential Exposure with Trufflehog

Detecting AWS Guardduty Findings Automation

Prerequisites

Performing Cloud Forensics with AWS CloudTrail

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting AWS Cloudtrail Anomalies

Implementing Cloud Trail Log Analysis

Auditing AWS S3 Bucket Permissions

Detecting S3 Data Exfiltration Attempts

Detecting AWS Credential Exposure with Trufflehog

Detecting AWS Guardduty Findings Automation