AWS Log Forensics

AWS provides a wide range of logs to assist in forensic investigations. Each log type captures specific details about activities, resources, and configurations in your AWS environment. Here is a break

1. AWS CloudTrail

• CloudTrail logs are JSON-formatted and contain detailed event information. Key fields include

• Purpose: Logs API calls made in your AWS account.

• Forensic Use Cases:

  • Tracking unauthorized access.

  • Reconstructing attack timelines.

  • Detecting privilege escalation or IAM policy changes

• Correlate Events

  • Identify Initial Access: Look for ConsoleLogin, AssumeRole, or CreateAccessKey events.

  • Detect Privilege Escalation: Track AttachRolePolicy, PutUserPolicy, or UpdateAssumeRolePolicy.

  • Analyze Data Exfiltration: Investigate GetObject, ListBuckets, and GetBucketPolicy.

  • Monitor IAM Changes: Look for CreateUser, DeleteUser, and UpdateGroup.

if we had the log file so we can use jq tool to parse the log such as

jq '.Records[] | select(.eventName == "ConsoleLogin" )' log.json