jmagly/cloud-forensics

cloud-forensics

Investigates cloud environments for signs of compromise, data exfiltration, privilege escalation, and persistence. Parameterized by cloud provider. Adapts collection procedures to AWS CloudTrail, Azure Monitor/Activity Log, and GCP Cloud Audit Logs. Maps findings to MITRE ATT&CK Cloud techniques.

Triggers

Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):

• "CloudTrail" → AWS audit log analysis
• "Activity Log" → Azure audit log analysis
• "Cloud Audit Logs" → GCP audit log analysis
• "IAM review" → cloud identity forensics

Purpose

Cloud forensics requires provider-specific tooling and log sources. An AWS investigation centers on CloudTrail and GuardDuty; Azure on Activity Logs and Defender for Cloud; GCP on Cloud Audit Logs and Security Command Center. This skill selects the appropriate collection path and produces a consistent findings document regardless of provider.

Behavior

When triggered, this skill:

1. Identify cloud provider and configure access:

   • AWS: verify aws sts get-caller-identity — record account ID, ARN, and user ID
   • Azure: verify az account show — record subscription ID, tenant ID, and principal
   • GCP: verify gcloud auth list and gcloud config get-value project
   • Prompt for provider if not determinable from environment

2. AWS — CloudTrail audit log collection:

   • List trails: aws cloudtrail describe-trails
   • Check if logging is enabled on all trails and all regions
   • Pull recent management events: aws cloudtrail lookup-events --max-results 1000
   • Flag high-risk event names: CreateUser, AttachUserPolicy, PutRolePolicy, AssumeRole, GetSecretValue, DeleteTrail, StopLogging, PutBucketPolicy
   • Check for CloudTrail log integrity validation status

3. AWS — IAM review:

   • List all IAM users and check for access keys older than 90 days: aws iam list-users + aws iam list-access-keys
   • List users with AdministratorAccess managed policy
   • List roles with trust policies allowing external principals or * in Principal
   • Check for recently created or modified IAM entities (within investigation window)
   • Download and analyze credential report: aws iam generate-credential-report && aws iam get-credential-report

4. AWS — storage and data access:

   • List S3 buckets with public access settings: aws s3api get-public-access-block --bucket <name>
   • Check for buckets with server access logging disabled
   • Review recent S3 data events in CloudTrail if data event logging is enabled
   • Check Secrets Manager and SSM Parameter Store access events

5. Azure — Activity Log collection:

   • Pull activity log for the investigation window: az monitor activity-log list --start-time <ISO8601> --end-time <ISO8601>
   • Flag high-risk operations: role assignment creation, policy assignments, key vault access, storage account key rotation, VM disk snapshots
   • Check Defender for Cloud alerts: az security alert list

6. Azure — IAM (RBAC) review:

   • List Owner and Contributor role assignments at subscription scope: az role assignment list --include-classic-administrators
   • Flag service principals with no associated application or with expired credentials
   • Check for recently created managed identities

7. GCP — Cloud Audit Log collection:

   • Query Admin Activity logs: gcloud logging read 'logName:"cloudaudit.googleapis.com/activity"' --limit=1000
   • Query Data Access logs if enabled
   • Flag: SetIamPolicy, CreateServiceAccountKey, ActAs, signBlob, bucket ACL changes
   • Check Security Command Center findings: gcloud scc findings list <organization_id>

8. GCP — IAM review:

   • List project-level IAM bindings: gcloud projects get-iam-policy <project>
   • Flag roles/owner and roles/editor at project or folder scope
   • List service account keys and flag keys older than 90 days
   • Check for allUsers or allAuthenticatedUsers bindings on any resource

9. Compute instance forensics (all providers):

   • List running instances with metadata (creation time, last started, associated IAM role/service account)
   • Flag instances with public IP addresses that have inbound rules permitting 0.0.0.0/0 on sensitive ports
   • Check for recently created disk snapshots (potential exfiltration staging)
   • Review instance serial console output or boot logs where available

10. Network flow log review:

    • AWS: pull VPC Flow Logs for unusual outbound traffic patterns from targeted instances
    • Azure: pull NSG Flow Logs
    • GCP: pull VPC Flow Logs
    • Flag large data transfers, connections to known-bad IPs, and unusual destination ports

11. Write findings document:

    • Save to .aiwg/forensics/findings/cloud-<provider>-forensics.md
    • Sections: identity findings, logging gaps, data access anomalies, network anomalies, persistence indicators

Usage Examples

Example 1 — AWS

aws investigation

Uses the currently configured AWS CLI profile.

Example 2 — GCP with project

gcp forensics --project my-project-id

Example 3 — Azure

azure forensics --subscription 00000000-0000-0000-0000-000000000000

Output Locations

• Findings: .aiwg/forensics/findings/cloud-<provider>-forensics.md
• Raw IAM report: .aiwg/forensics/evidence/cloud-<provider>-iam.json
• Audit log export: .aiwg/forensics/evidence/cloud-<provider>-audit.json

Configuration

cloud_forensics:
  investigation_window_hours: 72
  high_risk_aws_events:
    - CreateUser
    - AttachUserPolicy
    - PutRolePolicy
    - DeleteTrail
    - StopLogging
    - GetSecretValue
  key_age_threshold_days: 90
  flag_public_instances: true

References

• @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Verify provider identity and access before collection; detect available log sources
• @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Export and hash cloud artifacts before analysis; record snapshot IDs in custody log
• @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate when CloudTrail tampering (StopLogging, DeleteTrail) or active IAM privilege escalation is found
• @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Cloud evidence (snapshots, log exports) must be preserved per custody procedures
• @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Extract IOCs (suspicious IPs, ARNs, service principal IDs) from cloud audit log findings