Anthropic-Cybersecurity-Skills/skills/performing-cloud-forensics-investigation/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


# API Reference: Performing Cloud Forensics Investigation
## AWS CloudTrail API (boto3)
| Method | Description |
|--------|-------------|
| `cloudtrail.lookup_events(StartTime, EndTime)` | Query management events by time window |
| `cloudtrail.get_trail_status(Name)` | Check if trail is actively logging |
| `cloudtrail.describe_trails()` | List configured CloudTrail trails |
## AWS EC2 API (Forensic Snapshots)
| Method | Description |
|--------|-------------|
| `ec2.describe_instances(InstanceIds)` | Get instance details and EBS mappings |
| `ec2.create_snapshot(VolumeId, Description)` | Create forensic snapshot of EBS volume |
| `ec2.copy_snapshot(SourceSnapshotId, SourceRegion)` | Copy snapshot cross-region for preservation |
| `ec2.describe_snapshots(SnapshotIds)` | Check snapshot completion status |
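The four EC2 calls in the table form one acquisition procedure: find the volumes behind the instance, snapshot each one, wait for completion, then copy the snapshots out of the compromised account's working region. The following script is an added example of that sequence (it is not the skill's own `scripts/agent.py`); it uses the real boto3 client signatures and keyword arguments, but takes the client object as a parameter so it can be exercised with a fake client. The `CaseId`/`Analyst`/`AcquiredAt` tag keys, the case identifier, and the choice of `us-west-2` as evidence region are this example's own conventions. Note that `copy_snapshot` and `describe_snapshots` additionally need `ec2:CopySnapshot` and `ec2:DescribeSnapshots`, and tagging at creation time needs `ec2:CreateTags`.

```python
"""Added example: forensic EBS acquisition with boto3-style EC2 calls.

The client object is passed in so the functions can be exercised offline
with a fake client; in production it is a boto3 EC2 client.
"""
import time
from datetime import datetime, timezone


def volumes_for_instance(ec2, instance_id):
    """Return the EBS volume IDs attached to an instance, taken from the
    BlockDeviceMappings that describe_instances returns."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    volume_ids = []
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            for mapping in inst.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs", {})
                if "VolumeId" in ebs:
                    volume_ids.append(ebs["VolumeId"])
    return volume_ids


def snapshot_volumes(ec2, instance_id, case_id, analyst):
    """Snapshot every attached volume, tagging each snapshot with
    chain-of-custody metadata (tag names are this example's convention).
    Returns {volume_id: snapshot_id}."""
    acquired_at = datetime.now(timezone.utc).isoformat()
    snapshots = {}
    for vol in volumes_for_instance(ec2, instance_id):
        resp = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"Forensic image of {vol} ({instance_id}), case {case_id}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [
                    {"Key": "CaseId", "Value": case_id},
                    {"Key": "SourceInstance", "Value": instance_id},
                    {"Key": "Analyst", "Value": analyst},
                    {"Key": "AcquiredAt", "Value": acquired_at},
                ],
            }],
        )
        snapshots[vol] = resp["SnapshotId"]
    return snapshots


def wait_for_snapshots(ec2, snapshot_ids, poll_seconds=15, timeout_seconds=3600):
    """Poll describe_snapshots until every snapshot reports 'completed'.
    Returns {snapshot_id: state}; raises if one errors or the timeout passes."""
    deadline = time.monotonic() + timeout_seconds
    while True:
        resp = ec2.describe_snapshots(SnapshotIds=list(snapshot_ids))
        states = {s["SnapshotId"]: s["State"] for s in resp["Snapshots"]}
        if "error" in states.values():
            raise RuntimeError(f"snapshot creation failed: {states}")
        if states and all(st == "completed" for st in states.values()):
            return states
        if time.monotonic() > deadline:
            raise TimeoutError(f"snapshots still pending: {states}")
        time.sleep(poll_seconds)


def preserve_cross_region(ec2_dest, snapshot_ids, source_region, case_id):
    """Copy completed snapshots into an evidence region. copy_snapshot is
    issued on a client bound to the destination region and names the source
    region explicitly. Returns {source_snapshot_id: copied_snapshot_id}."""
    copies = {}
    for sid in snapshot_ids:
        resp = ec2_dest.copy_snapshot(
            SourceSnapshotId=sid,
            SourceRegion=source_region,
            Description=f"Evidence copy of {sid}, case {case_id}",
        )
        copies[sid] = resp["SnapshotId"]
    return copies


def acquire_instance(ec2_src, ec2_dest, instance_id, source_region,
                     case_id, analyst, poll_seconds=15):
    """Full acquisition: snapshot, wait for completion, copy to evidence region."""
    snaps = snapshot_volumes(ec2_src, instance_id, case_id, analyst)
    wait_for_snapshots(ec2_src, snaps.values(), poll_seconds=poll_seconds)
    return preserve_cross_region(ec2_dest, snaps.values(), source_region, case_id)


if __name__ == "__main__":
    import boto3  # real AWS calls; needs credentials and the EC2 permissions named above
    src = boto3.client("ec2", region_name="us-east-1")
    dest = boto3.client("ec2", region_name="us-west-2")  # evidence region, example choice
    print(acquire_instance(src, dest, "i-0123456789abcdef0", "us-east-1",
                           "CASE-EXAMPLE-001", "analyst@example.com"))
```

Tagging at `create_snapshot` time rather than afterwards means the custody metadata exists from the moment the object is created, and copying with a client bound to the destination region is the only way `copy_snapshot` accepts a `SourceRegion`; the wait step matters because `copy_snapshot` of a still-pending snapshot fails.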
## AWS IAM API
| Method | Description |
|--------|-------------|
| `iam.list_access_keys(UserName)` | List access keys for investigation target |
| `iam.get_access_key_last_used(AccessKeyId)` | Determine last key usage |
| `iam.list_attached_user_policies(UserName)` | List policies attached to user |
## AWS S3 API (Log Collection)
| Method | Description |
|--------|-------------|
| `s3.list_objects_v2(Bucket, Prefix)` | List CloudTrail log files in S3 |
| `s3.get_object(Bucket, Key)` | Download specific log file |
## Key Libraries
- **boto3** (`pip install boto3`): AWS SDK for CloudTrail, EC2, IAM, and S3 APIs
- **botocore**: Exception handling for AWS API errors
- **json** (stdlib): Parse CloudTrail event JSON payloads
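CloudTrail evidence reaches the investigator in two shapes: `lookup_events()` returns each event with the full record serialised as a JSON string in `CloudTrailEvent`, while the log files listed with `s3.list_objects_v2` and downloaded with `s3.get_object` are gzip-compressed JSON documents with a top-level `Records` list. The script below is an added example (not the skill's own code) covering both the CloudTrail API table and the S3 log collection table: it normalises either shape with the stdlib `json`/`gzip` modules, builds a time-ordered timeline for one access key, and surfaces events on a small watchlist. The watchlist, the sample records, the account ID, IP addresses and key IDs are all constructed for this example.

```python
"""Added example: normalising and triaging CloudTrail records offline.

Handles the gzip JSON log object CloudTrail writes to S3 (the bytes that
s3.get_object(...)["Body"].read() returns) and a lookup_events() page.
"""
import gzip
import io
import json

# Write-type calls an investigator usually wants surfaced first.
# Example watchlist for this script, not an exhaustive or authoritative list.
WATCHLIST = {
    "StopLogging", "DeleteTrail", "UpdateTrail",
    "CreateAccessKey", "AttachUserPolicy", "PutBucketPolicy",
}


def records_from_s3_object(body_bytes):
    """Decode a CloudTrail log object as stored in the trail's S3 bucket."""
    with gzip.GzipFile(fileobj=io.BytesIO(body_bytes)) as gz:
        return json.load(gz).get("Records", [])


def records_from_lookup(response):
    """Flatten one page of a lookup_events() response into full records."""
    return [json.loads(ev["CloudTrailEvent"]) for ev in response.get("Events", [])]


def summarize(record):
    """Reduce a record to the fields used for timeline building."""
    ident = record.get("userIdentity", {})
    return {
        "time": record.get("eventTime", ""),
        "event": record.get("eventName"),
        "source": record.get("eventSource"),
        "principal": ident.get("arn") or ident.get("type"),
        "access_key": ident.get("accessKeyId"),
        "source_ip": record.get("sourceIPAddress"),
        "read_only": bool(record.get("readOnly", False)),
        "error": record.get("errorCode"),  # denied attempts are evidence too
    }


def triage(records, access_key_id=None):
    """Return (timeline, flagged): summarised rows in eventTime order, optionally
    restricted to one access key, and the subset whose eventName is watchlisted."""
    rows = [summarize(r) for r in records]
    if access_key_id:
        rows = [r for r in rows if r["access_key"] == access_key_id]
    rows.sort(key=lambda r: r["time"])
    flagged = [r for r in rows if r["event"] in WATCHLIST]
    return rows, flagged


# ---- constructed sample data (documentation IP ranges, AWS example key ID) ----
SAMPLE_RECORDS = [
    {"eventTime": "2026-03-10T20:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventTime": "2026-03-10T19:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "readOnly": True,
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/example-user"}},
    {"eventTime": "2026-03-10T19:59:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5", "readOnly": False,
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000000002",
                      "arn": "arn:aws:iam::123456789012:user/other-user"}},
]


def build_sample_s3_body():
    """Gzip-compressed JSON in the layout CloudTrail writes to S3 (constructed)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(json.dumps({"Records": SAMPLE_RECORDS[:2]}).encode())
    return buf.getvalue()


def build_sample_lookup_response():
    """One page in the shape lookup_events() returns (constructed)."""
    return {"Events": [{"EventId": "00000000-0000-0000-0000-000000000001",
                        "EventName": "StopLogging",
                        "CloudTrailEvent": json.dumps(SAMPLE_RECORDS[2])}]}


def demo():
    """Merge both sample sources and triage them; returns (timeline, flagged)."""
    records = records_from_s3_object(build_sample_s3_body())
    records += records_from_lookup(build_sample_lookup_response())
    return triage(records)


if __name__ == "__main__":
    timeline, flagged = demo()
    for row in timeline:
        print(row["time"], row["event"], row["principal"], row["source_ip"], row["error"])
    print("flagged:", [r["event"] for r in flagged])
```

Against real data, feed `records_from_lookup` each page from `cloudtrail.get_paginator("lookup_events").paginate(LookupAttributes=[{"AttributeKey": "AccessKeyId", "AttributeValue": ...}], StartTime=..., EndTime=...)`, and `records_from_s3_object` the body of every object under the trail's prefix. Keep the `errorCode` column: a denied `StopLogging` attempt is often the first sign that someone is trying to blind the trail, and it would be lost by filtering on successful calls only.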
## Configuration
| Variable | Description |
|----------|-------------|
| `AWS_PROFILE` | AWS CLI profile with forensic investigation permissions |
| `AWS_DEFAULT_REGION` | Default region for API calls |
| CloudTrail S3 Bucket | Bucket containing CloudTrail log archives |
## Required IAM Permissions
| Permission | Purpose |
|------------|---------|
| `cloudtrail:LookupEvents` | Query CloudTrail events |
| `ec2:DescribeInstances` | Identify volumes for snapshots |
| `ec2:CreateSnapshot` | Create forensic disk snapshots |
| `iam:List*` | Enumerate IAM configuration |
| `s3:GetObject` | Download archived CloudTrail logs |
## References
- [AWS CloudTrail API](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/)
- [AWS Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/)
- [SANS Cloud Forensics](https://www.sans.org/white-papers/cloud-forensics/)