AWS Log Forensics

AWS provides a wide range of logs to assist in forensic investigations. Each log type captures specific details about activities, resources, and configurations in your AWS environment. Here is a break

1. AWS CloudTrail

CloudTrail logs are JSON-formatted and contain detailed event information. Key fields include
Purpose: Logs API calls made in your AWS account.
Forensic Use Cases:
- Tracking unauthorized access.
- Reconstructing attack timelines.
- Detecting privilege escalation or IAM policy changes
Correlate Events
- Identify Initial Access: Look for ConsoleLogin, AssumeRole, or CreateAccessKey events.
- Detect Privilege Escalation: Track AttachRolePolicy, PutUserPolicy, or UpdateAssumeRolePolicy.
- Analyze Data Exfiltration: Investigate GetObject, ListBuckets, and GetBucketPolicy.
- Monitor IAM Changes: Look for CreateUser, DeleteUser, and UpdateGroup.

if we had the log file so we can use jq tool to parse the log such as

jq '.Records[] | select(.eventName == "ConsoleLogin" )' log.json

Last updated 5 months ago

AWS Log Forensics

1. AWS CloudTrail

CloudTrail logs are JSON-formatted and contain detailed event information. Key fields include
Purpose: Logs API calls made in your AWS account.
Forensic Use Cases:
- Tracking unauthorized access.
- Reconstructing attack timelines.
- Detecting privilege escalation or IAM policy changes
Correlate Events
- Identify Initial Access: Look for ConsoleLogin, AssumeRole, or CreateAccessKey events.
- Detect Privilege Escalation: Track AttachRolePolicy, PutUserPolicy, or UpdateAssumeRolePolicy.
- Analyze Data Exfiltration: Investigate GetObject, ListBuckets, and GetBucketPolicy.
- Monitor IAM Changes: Look for CreateUser, DeleteUser, and UpdateGroup.

if we had the log file so we can use jq tool to parse the log such as

jq '.Records[] | select(.eventName == "ConsoleLogin" )' log.json

Last updated 5 months ago