creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/conducting-cloud-incident-response/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

65 lines
2.4 KiB
Markdown
Raw Blame History

# API Reference: Cloud Incident Response Agent
## Overview
Automates AWS cloud incident response: disables compromised access keys, attaches deny-all policies, isolates EC2 instances, captures EBS snapshots for forensics, and queries CloudTrail for attacker activity timeline.
## Dependencies
| Package | Version | Purpose |
|---------|---------|---------|
| requests | >=2.28 | HTTP API calls |
| AWS CLI | >=2.0 | AWS service interaction (subprocess) |
## CLI Usage
```bash
python agent.py --incident-id INC-2025-001 --username compromised-user \
--access-key-id AKIA... --instance-id i-0abc123 --output report.json
```
## Arguments
| Argument | Required | Description |
|----------|----------|-------------|
| `--incident-id` | Yes | Incident ticket identifier |
| `--username` | Yes | Compromised IAM username |
| `--access-key-id` | No | Access key ID to disable |
| `--instance-id` | No | EC2 instance ID to isolate |
| `--forensic-sg` | No | Forensic isolation security group ID |
| `--output` | No | Output report file path |
## Key Functions
### `aws_disable_access_key(username, access_key_id)`
Disables a compromised IAM access key by setting status to Inactive via `aws iam update-access-key`.
### `aws_attach_deny_all(username)`
Attaches the `AWSDenyAll` managed policy to block all API calls from the compromised user.
### `aws_isolate_ec2(instance_id, forensic_sg)`
Changes an EC2 instance's security groups to a forensic isolation group that denies all traffic.
### `aws_snapshot_ebs(instance_id)`
Creates forensic snapshots of all EBS volumes attached to the compromised instance.
### `aws_query_cloudtrail(username, hours_back)`
Queries CloudTrail for all API events made by the compromised identity, parsing source IP, user agent, and resources.
### `aws_list_attacker_resources(username, events)`
Filters CloudTrail events for resource creation actions (Create*, Run*, Put*, Attach*).
### `aws_check_all_regions_instances()`
Scans all AWS regions for running EC2 instances to detect crypto-mining deployments.
## AWS CLI Commands Used
| Command | Purpose |
|---------|---------|
| `aws iam update-access-key` | Disable access key |
| `aws iam attach-user-policy` | Attach deny-all policy |
| `aws ec2 modify-instance-attribute` | Change security groups |
| `aws ec2 create-snapshot` | Capture EBS volume snapshot |
| `aws cloudtrail lookup-events` | Query API audit trail |
| `aws ec2 describe-regions` | List all regions |
Reference in New Issue View Git Blame Copy Permalink