AWS CloudTrail cheat sheet

3 min readJun 22

Incident Response in AWS made easy (easier 😉)
Our cloud incident response trainings are now available!

As enthusiastic cloud incident responders we’ve had our fair share of AWS incidents. If you say incident response and AWS you say CloudTrail, it’s the most important source for your investigations. Therefore we’ve decided to develop a cheat sheet for ‘interesting’ CloudTrail events that we’ve come across during incidents. Use this information to perform faster triage and identify ‘interesting’ activity in CloudTrail logging.

Disclaimer: The AWS cheat sheet we’ve developed is an attempt to document CloudTrail events that are ‘interesting’ for incident responders or detection engineers. It is by no means a definitive guide to finding all malicious activity.

CloudTrail

CloudTrail records two types CloudTrail of events, from the official documentation:

Management events that capture control plane actions on resources, such as creating or deleting Amazon Simple Storage Service (S3) buckets.
Data events that capture data plane actions within a resource, such as reading or writing an Amazon S3 object.

The logged evenst are both calls made through the GUI and the API. An example CloudTrail event from the CloudTrail interface is shown below:

This event contains a lot more details if you open it, the format is .json.For the cheat sheet the Event name field is used to uniquely identify events.

Methodology

How did we create this magic sheet you might ask. It’s a combination of the following:

AWS Incident Response experience, based on real life incidents where we investigated incidents using CloudTrail [1][2][3][4];
Conducting several known attacks in a test environment using Stratus;
Using our collective brain power to think of scenarios and events that were missing from the previous two steps.

Tip: We love to hear from you! If you think we should add certain Event names please create an issue on the GitHub page for this cheat sheet.

Cheat Sheet

The cheat sheet consists of the different Mitre ATT&CK phases and the Event namesof interest.

AWS CloudTrail cheat sheet

CloudTrail

Methodology

Cheat Sheet

Written by Invictus Incident Response

More from Invictus Incident Response

A Defenders Guide to GraphRunner — Part I

Follow us on LinkedIn | Twitter | GitHub | Medium Want to learn how to investigate cloud incidents? Take our training!

Importing Windows Event Log files into Splunk

Our cloud incident response trainings are now available!

Automated Forensic analysis of Google Workspace

Follow us | LinkedIn | Twitter |GitHub

Responding to a Cobalt Strike attack — Part II

Follow us| LinkedIn | Twitter

Recommended from Medium

I Found A Very Profitable AI Side Hustle

And it’s perfect for beginners

How to Create a Cloud Resume with AWS: A Step-by-Step Guide

Are you ready to take your resume to the next level and leave a lasting impression on potential employers? Discover how to create a dynamic…

Lists

New_Reading_List

Natural Language Processing

3 years managing Kubernetes clusters, my 10 lessons.

Over the past three years, I’ve navigated the sometimes turbulent waters of managing Kubernetes clusters. This journey, filled with…

Dive deep on our AWS landing zone: Architecture, Decisions made, Lessons learnt — Part 1

Context in which we built our landing zone, architecture and decisions made on account structure, IAM for AWS and security services

Cloud Architect Certification — How hard is “GCP — Cloud Architect” compared to AWS-SAP & AWS-SAA?

My perspective on the difficulty of the 3 Cloud Architect Certification exams I’ve cleared so far.

Sigma: The Security Community’s Tool

Hey there fellow cyber enthusiasts! Remember our conversation about those crafty tools that will make life easier in our cybersecurity…