MODULE 13
Hunting in AWS/Cloud
CloudTrail analysis: Finding compromised IAM keys and S3 bucket access.
AWS CloudTrail
CloudTrail logs all AWS API calls.
Look for:
- ConsoleLogin from unusual IPs
- CreateAccessKey (new IAM keys)
- GetObject on sensitive S3 buckets
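The three checks above, applied to CloudTrail records, as an added example that is not part of the original module. The known network range, the sensitive bucket name and the sample records are constructed assumptions. GetObject is an S3 data event, so it only appears when the trail has data event logging enabled.

```python
import ipaddress

# Assumed for this example: expected login range and a sensitive bucket name.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_BUCKETS = {"example-finance-records"}
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice"}

# Constructed sample records using CloudTrail's record field names.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T23:41:00Z", "eventName": "ConsoleLogin", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T23:44:00Z", "eventName": "CreateAccessKey", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T23:50:00Z", "eventName": "GetObject", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-finance-records", "key": "payroll.csv"}},
    {"eventTime": "2024-05-01T23:51:00Z", "eventName": "GetObject", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "example-public-assets", "key": "logo.png"}},
]

def is_known_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # AWS service names (not IPs) appear here for service-made calls
    return any(ip in net for net in KNOWN_NETWORKS)

def hunt(records):
    """Return (eventTime, finding, actor ARN, detail) for the three hunt criteria."""
    findings = []
    for r in records:
        name, src = r.get("eventName"), r.get("sourceIPAddress", "")
        actor = (r.get("userIdentity") or {}).get("arn", "unknown")
        req = r.get("requestParameters") or {}   # null in some real records
        resp = r.get("responseElements") or {}
        when = r.get("eventTime")
        if name == "ConsoleLogin" and not is_known_ip(src):
            findings.append((when, "console-login-unusual-ip", actor, f"{src} {resp.get('ConsoleLogin')}"))
        elif name == "CreateAccessKey":
            findings.append((when, "new-access-key", actor, f"for {req.get('userName', 'self')} from {src}"))
        elif name == "GetObject" and req.get("bucketName") in SENSITIVE_BUCKETS:
            findings.append((when, "sensitive-s3-read", actor, f"s3://{req['bucketName']}/{req.get('key')} from {src}"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```

Read in time order, the findings for one identity show the sequence worth escalating: an off-network console login, a new access key minutes later, then a read from the sensitive bucket.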