Complete skill folder anatomy across all cybersecurity skills:

- scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
# API Reference: Cloud Incident Response Agent

## Overview

Automates AWS cloud incident response: disables compromised access keys, attaches deny-all policies, isolates EC2 instances, captures EBS snapshots for forensics, and queries CloudTrail to build an attacker activity timeline.
## Dependencies

| Package | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP API calls |
| AWS CLI | >=2.0 | AWS service interaction (subprocess) |
## CLI Usage

```bash
python agent.py --incident-id INC-2025-001 --username compromised-user \
  --access-key-id AKIA... --instance-id i-0abc123 --output report.json
```
## Arguments

| Argument | Required | Description |
|---|---|---|
| --incident-id | Yes | Incident ticket identifier |
| --username | Yes | Compromised IAM username |
| --access-key-id | No | Access key ID to disable |
| --instance-id | No | EC2 instance ID to isolate |
| --forensic-sg | No | Forensic isolation security group ID |
| --output | No | Output report file path |
## Key Functions

### aws_disable_access_key(username, access_key_id)

Disables a compromised IAM access key by setting its status to Inactive via `aws iam update-access-key`.

### aws_attach_deny_all(username)

Attaches the AWSDenyAll managed policy to the compromised user, blocking all further API calls made with that identity.

### aws_isolate_ec2(instance_id, forensic_sg)

Replaces the EC2 instance's security groups with a forensic isolation group that denies all traffic.

### aws_snapshot_ebs(instance_id)

Creates forensic snapshots of every EBS volume attached to the compromised instance.

### aws_query_cloudtrail(username, hours_back)

Queries CloudTrail for all API events made by the compromised identity within the lookback window, parsing source IP, user agent, and affected resources from each event.

### aws_list_attacker_resources(username, events)

Filters the CloudTrail events for resource creation actions (event names starting with Create*, Run*, Put*, or Attach*).

### aws_check_all_regions_instances()

Scans every AWS region for running EC2 instances to detect crypto-mining deployments outside the regions normally in use.
## AWS CLI Commands Used

| Command | Purpose |
|---|---|
| aws iam update-access-key | Disable access key |
| aws iam attach-user-policy | Attach deny-all policy |
| aws ec2 modify-instance-attribute | Change security groups |
| aws ec2 create-snapshot | Capture EBS volume snapshot |
| aws cloudtrail lookup-events | Query API audit trail |
| aws ec2 describe-regions | List all regions |