Anthropic-Cybersecurity-Skills/skills/performing-cloud-forensics-investigation/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

# API Reference: Performing Cloud Forensics Investigation

## AWS CloudTrail API (boto3)

| Method | Description |
|---|---|
| `cloudtrail.lookup_events(StartTime, EndTime)` | Query management events by time window |
| `cloudtrail.get_trail_status(Name)` | Check if trail is actively logging |
| `cloudtrail.describe_trails()` | List configured CloudTrail trails |

## AWS EC2 API (Forensic Snapshots)

| Method | Description |
|---|---|
| `ec2.describe_instances(InstanceIds)` | Get instance details and EBS mappings |
| `ec2.create_snapshot(VolumeId, Description)` | Create forensic snapshot of EBS volume |
| `ec2.copy_snapshot(SourceSnapshotId, SourceRegion)` | Copy snapshot cross-region for preservation |
| `ec2.describe_snapshots(SnapshotIds)` | Check snapshot completion status |

## AWS IAM API

| Method | Description |
|---|---|
| `iam.list_access_keys(UserName)` | List access keys for investigation target |
| `iam.get_access_key_last_used(AccessKeyId)` | Determine last key usage |
| `iam.list_attached_user_policies(UserName)` | List policies attached to user |

## AWS S3 API (Log Collection)

| Method | Description |
|---|---|
| `s3.list_objects_v2(Bucket, Prefix)` | List CloudTrail log files in S3 |
| `s3.get_object(Bucket, Key)` | Download specific log file |

## Key Libraries

- `boto3` (`pip install boto3`): AWS SDK for CloudTrail, EC2, IAM, and S3 APIs
- `botocore`: Exception handling for AWS API errors
- `json` (stdlib): Parse CloudTrail event JSON payloads

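As an added example (not code from the skill folder or its `scripts/agent.py`), the helper below turns the payloads returned by `cloudtrail.lookup_events()` and the gzipped log files fetched with `s3.get_object()` into one time-ordered timeline, optionally narrowed to a single access key, and flags event names a responder normally triages first. The `SUSPICIOUS_EVENTS` set is an assumed starting list rather than one the page defines, and the sample events, key IDs and addresses are constructed placeholders.

```python
import gzip
import json
from collections import Counter

# Event names a responder usually surfaces first: logging tampering,
# new credentials (persistence) and privilege changes. Assumed list.
SUSPICIOUS_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "CreateAccessKey",
    "CreateUser", "CreateLoginProfile", "AttachUserPolicy", "PutUserPolicy",
}

def records_from_s3_body(body_bytes):
    """Decode the gzipped JSON that s3.get_object()['Body'].read() returns."""
    return json.loads(gzip.decompress(body_bytes))["Records"]

def _record(ev):
    """lookup_events() wraps each record in a JSON string; S3 files do not."""
    return json.loads(ev["CloudTrailEvent"]) if "CloudTrailEvent" in ev else ev

def triage(events, access_key_id=None):
    """Time-ordered timeline (optionally for one access key) plus eventName
    counts; entries whose eventName is in SUSPICIOUS_EVENTS are flagged."""
    timeline = []
    for rec in map(_record, events):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if access_key_id and key != access_key_id:
            continue
        timeline.append({
            "time": rec["eventTime"], "event": rec["eventName"],
            "source_ip": rec.get("sourceIPAddress"), "key": key,
            "flagged": rec["eventName"] in SUSPICIOUS_EVENTS,
        })
    timeline.sort(key=lambda e: e["time"])  # ISO-8601 UTC strings sort correctly
    return timeline, Counter(e["event"] for e in timeline)

# Constructed sample: two lookup_events()-style entries plus one S3-style
# record. Access keys are AWS documentation placeholders; IPs are TEST-NET.
KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_EVENTS = [
    {"EventName": "CreateAccessKey", "CloudTrailEvent": json.dumps({
        "eventTime": "2026-03-10T20:05:00Z", "eventName": "CreateAccessKey",
        "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY}})},
    {"EventName": "DescribeInstances", "CloudTrailEvent": json.dumps({
        "eventTime": "2026-03-10T20:01:00Z", "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": KEY}})},
    {"eventTime": "2026-03-10T20:09:00Z", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]
```

Calling `triage(SAMPLE_EVENTS)` yields the three records in time order with `CreateAccessKey` and `StopLogging` flagged; pass `access_key_id=KEY` to keep only the first key's activity.
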
## Configuration

| Variable | Description |
|---|---|
| `AWS_PROFILE` | AWS CLI profile with forensic investigation permissions |
| `AWS_DEFAULT_REGION` | Default region for API calls |
| CloudTrail S3 Bucket | Bucket containing CloudTrail log archives |

## Required IAM Permissions

| Permission | Purpose |
|---|---|
| `cloudtrail:LookupEvents` | Query CloudTrail events |
| `ec2:DescribeInstances` | Identify volumes for snapshots |
| `ec2:CreateSnapshot` | Create forensic disk snapshots |
| `iam:List*` | Enumerate IAM configuration |
| `s3:GetObject` | Download archived CloudTrail logs |

## References