Performing Cloud Forensics with AWS CloudTrail

When to Use

• When investigating suspected AWS account compromise
• After detecting unauthorized API calls or credential exposure
• During incident response involving cloud infrastructure
• When analyzing S3 data exfiltration or IAM privilege escalation
• For post-incident forensic timeline reconstruction

Prerequisites

• AWS account with CloudTrail enabled (management and data events)
• IAM permissions for cloudtrail:LookupEvents, s3:GetObject, athena:StartQueryExecution
• boto3 Python SDK installed
• CloudTrail logs delivered to S3 with optional Athena table configured
• AWS CLI configured with appropriate credentials

Workflow

1. Scope Investigation: Identify timeframe, affected accounts, and compromised credentials.
2. Query CloudTrail: Use boto3 lookup_events or Athena to retrieve relevant API events.
3. Filter by Indicators: Search for suspicious user agents, source IPs, and event names.
4. Reconstruct Timeline: Build chronological sequence of attacker actions from API calls.
5. Analyze Access Patterns: Identify data access, IAM changes, and resource modifications.
6. Identify Persistence: Check for new IAM users, access keys, roles, or Lambda functions.
7. Generate Report: Produce forensic timeline with findings and remediation steps.

Key Concepts

Tools & Systems

Output Format

Forensic Report: AWS-IR-[DATE]-[SEQ]
Account: [AWS Account ID]
Timeframe: [Start] to [End]
Compromised Credentials: [Access Key IDs]
Suspicious Events: [Count]
Source IPs: [List of attacker IPs]
Actions Taken: [API calls by attacker]
Data Accessed: [S3 objects, secrets, etc.]
Persistence Mechanisms: [New users, keys, roles]