Skip to main content
AI/MLjmagly

cloud-forensics

AWS, Azure, and GCP forensic investigation covering audit logs, IAM review, storage access, network flows, and compute instance forensics

Stars
141
Source
jmagly/aiwg
Updated
2026-05-31
Slug
jmagly--aiwg--cloud-forensics
View on GitHubRaw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/jmagly/aiwg/HEAD/agentic/code/frameworks/forensics-complete/skills/cloud-forensics/SKILL.md -o .claude/skills/cloud-forensics.md

Drops the SKILL.md into .claude/skills/cloud-forensics.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

cloud-forensics

Investigates cloud environments for signs of compromise, data exfiltration, privilege escalation, and persistence. Parameterized by cloud provider. Adapts collection procedures to AWS CloudTrail, Azure Monitor/Activity Log, and GCP Cloud Audit Logs. Maps findings to MITRE ATT&CK Cloud techniques.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

  • "CloudTrail" → AWS audit log analysis
  • "Activity Log" → Azure audit log analysis
  • "Cloud Audit Logs" → GCP audit log analysis
  • "IAM review" → cloud identity forensics

Purpose

Cloud forensics requires provider-specific tooling and log sources. An AWS investigation centers on CloudTrail and GuardDuty; Azure on Activity Logs and Defender for Cloud; GCP on Cloud Audit Logs and Security Command Center. This skill selects the appropriate collection path and produces a consistent findings document regardless of provider.

Behavior

When triggered, this skill:

  1. Identify cloud provider and configure access:

    • AWS: verify aws sts get-caller-identity — record account ID, ARN, and user ID
    • Azure: verify az account show — record subscription ID, tenant ID, and principal
    • GCP: verify gcloud auth list and gcloud config get-value project
    • Prompt for provider if not determinable from environment

  2. AWS — CloudTrail audit log collection:

    • List trails: aws cloudtrail describe-trails
    • Check if logging is enabled on all trails and all regions
    • Pull recent management events: aws cloudtrail lookup-events --max-results 1000
    • Flag high-risk event names: CreateUser, AttachUserPolicy, PutRolePolicy, AssumeRole, GetSecretValue, DeleteTrail, StopLogging, PutBucketPolicy
    • Check for CloudTrail log integrity validation status

  3. AWS — IAM review:

    • List all IAM users and check for access keys older than 90 days: aws iam list-users + aws iam list-access-keys
    • List users with AdministratorAccess managed policy
    • List roles with trust policies allowing external principals or * in Principal
    • Check for recently created or modified IAM entities (within investigation window)
    • Download and analyze credential report: aws iam generate-credential-report && aws iam get-credential-report

  4. AWS — storage and data access:

    • List S3 buckets with public access settings: aws s3api get-public-access-block --bucket <name>
    • Check for buckets with server access logging disabled
    • Review recent S3 data events in CloudTrail if data event logging is enabled
    • Check Secrets Manager and SSM Parameter Store access events

  5. Azure — Activity Log collection:

    • Pull activity log for the investigation window: az monitor activity-log list --start-time <ISO8601> --end-time <ISO8601>
    • Flag high-risk operations: role assignment creation, policy assignments, key vault access, storage account key rotation, VM disk snapshots
    • Check Defender for Cloud alerts: az security alert list

  6. Azure — IAM (RBAC) review:

    • List Owner and Contributor role assignments at subscription scope: az role assignment list --include-classic-administrators
    • Flag service principals with no associated application or with expired credentials
    • Check for recently created managed identities

  7. GCP — Cloud Audit Log collection:

    • Query Admin Activity logs: gcloud logging read 'logName:"cloudaudit.googleapis.com/activity"' --limit=1000
    • Query Data Access logs if enabled
    • Flag: SetIamPolicy, CreateServiceAccountKey, ActAs, signBlob, bucket ACL changes
    • Check Security Command Center findings: gcloud scc findings list <organization_id>

  8. GCP — IAM review:

    • List project-level IAM bindings: gcloud projects get-iam-policy <project>
    • Flag roles/owner and roles/editor at project or folder scope
    • List service account keys and flag keys older than 90 days
    • Check for allUsers or allAuthenticatedUsers bindings on any resource

  9. Compute instance forensics (all providers):

    • List running instances with metadata (creation time, last started, associated IAM role/service account)
    • Flag instances with public IP addresses that have inbound rules permitting 0.0.0.0/0 on sensitive ports
    • Check for recently created disk snapshots (potential exfiltration staging)
    • Review instance serial console output or boot logs where available

  10. Network flow log review:

    • AWS: pull VPC Flow Logs for unusual outbound traffic patterns from targeted instances
    • Azure: pull NSG Flow Logs
    • GCP: pull VPC Flow Logs
    • Flag large data transfers, connections to known-bad IPs, and unusual destination ports

  11. Write findings document:

    • Save to .aiwg/forensics/findings/cloud-<provider>-forensics.md
    • Sections: identity findings, logging gaps, data access anomalies, network anomalies, persistence indicators

Usage Examples

Example 1 — AWS

aws investigation

Uses the currently configured AWS CLI profile.

Example 2 — GCP with project

gcp forensics --project my-project-id

Example 3 — Azure

azure forensics --subscription 00000000-0000-0000-0000-000000000000

Output Locations

  • Findings: .aiwg/forensics/findings/cloud-<provider>-forensics.md
  • Raw IAM report: .aiwg/forensics/evidence/cloud-<provider>-iam.json
  • Audit log export: .aiwg/forensics/evidence/cloud-<provider>-audit.json

Configuration

cloud_forensics:
  investigation_window_hours: 72
  high_risk_aws_events:
    - CreateUser
    - AttachUserPolicy
    - PutRolePolicy
    - DeleteTrail
    - StopLogging
    - GetSecretValue
  key_age_threshold_days: 90
  flag_public_instances: true

References

  • @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Verify provider identity and access before collection; detect available log sources
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Export and hash cloud artifacts before analysis; record snapshot IDs in custody log
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate when CloudTrail tampering (StopLogging, DeleteTrail) or active IAM privilege escalation is found
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Cloud evidence (snapshots, log exports) must be preserved per custody procedures
  • @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Extract IOCs (suspicious IPs, ARNs, service principal IDs) from cloud audit log findings