DFIR-Notes
AWS Cloud Forensics

AWS Log Forensics

AWS provides a wide range of logs to assist in forensic investigations. Each log type captures specific details about activities, resources, and configurations in your AWS environment. Here is a break

1. AWS CloudTrail

  • CloudTrail logs are JSON-formatted and contain detailed event information. Key fields include

  • Purpose: Logs API calls made in your AWS account.

  • Forensic Use Cases:

    • Tracking unauthorized access.

    • Reconstructing attack timelines.

    • Detecting privilege escalation or IAM policy changes.

  • Correlate Events

    • Identify Initial Access: Look for ConsoleLogin, AssumeRole, or CreateAccessKey events.

    • Detect Privilege Escalation: Track AttachRolePolicy, PutUserPolicy, or UpdateAssumeRolePolicy.

    • Analyze Data Exfiltration: Investigate GetObject, ListBuckets, and GetBucketPolicy.

    • Monitor IAM Changes: Look for CreateUser, DeleteUser, and UpdateGroup.

If we have the log file, we can use the jq tool to parse it, for example to pull out only the ConsoleLogin events:

jq '.Records[] | select(.eventName == "ConsoleLogin" )' log.json
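As an added example (not part of the original notes), the same triage the jq filter above does for ConsoleLogin, carried across all four event groups listed under "Correlate Events" and sorted into a timeline; the CloudTrail records embedded below are constructed sample data, not a real capture.

```python
import json

# Event names the notes above single out, grouped by the question each answers.
CATEGORIES = {
    "initial_access": {"ConsoleLogin", "AssumeRole", "CreateAccessKey"},
    "privilege_escalation": {"AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"},
    "data_exfiltration": {"GetObject", "ListBuckets", "GetBucketPolicy"},
    "iam_changes": {"CreateUser", "DeleteUser", "UpdateGroup"},
}

# Constructed sample in CloudTrail's {"Records": [...]} layout; not a real capture.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "AttachRolePolicy",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "app-role", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"bucketName": "payroll-data", "key": "q4.csv"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/s1"}},
]})

def classify(record):
    """Return the investigative category for a record's eventName, or None."""
    for category, names in CATEGORIES.items():
        if record.get("eventName") in names:
            return category
    return None

def build_timeline(raw_json):
    """Parse a CloudTrail file, keep only flagged events, return them in time order."""
    flagged = []
    for r in json.loads(raw_json).get("Records", []):
        category = classify(r)
        if category is None:
            continue  # routine API call, not one of the watched names
        who = r.get("userIdentity", {})
        flagged.append({"time": r.get("eventTime"), "event": r.get("eventName"),
                        "category": category, "source_ip": r.get("sourceIPAddress"),
                        "actor": who.get("userName") or who.get("arn", "unknown")})
    # CloudTrail eventTime is ISO 8601 UTC, so string order is chronological.
    return sorted(flagged, key=lambda e: e["time"])

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOG):
        print(f'{e["time"]} {e["category"]:<21} {e["event"]:<17} {e["actor"]} from {e["source_ip"]}')
```

Point it at a real export by replacing SAMPLE_LOG with the file contents; gzip-compressed CloudTrail deliveries need to be decompressed first.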
