aws_spitzel

Description

Heuristic CloudTrail Event History Lookup for AWS IAM Forensics

Lightweight and flexible AWS DevOps command-line tool and Python 3.9 module for security operations (SOC) duties on AWS platform services.

This program extends the native AWS CloudTrail API LookupEvents action by allowing queries against CloudTrail event objects with JSONPath expressions, a bare-bones implementation of comparison operations for Python built-in types, and regular expressions. In addition, the UNIX filename pattern syntax of AWS IAM policy statement actions (e.g. s3:List*) is used to filter events by service and action, instead of the CloudTrail API schema attributes (eventName, eventSource, etc.).
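As an added illustration of the filtering model described above (not the project's own code), the following standalone Python reproduces its two ideas on constructed sample events: IAM-style action patterns matched with fnmatch, and a minimal dotted JSONPath with comparison and regular-expression operators. The record shape, the helper names and the eventSource-to-IAM-service-prefix mapping are assumptions made for this example.

```python
import fnmatch
import json
import operator
import re
# Constructed sample records shaped like CloudTrail LookupEvents output (no real account data).
def _rec(source, name, user, ip, **extra):
    body = {"userIdentity": {"userName": user}, "sourceIPAddress": ip, **extra}
    return {"EventSource": source, "EventName": name, "CloudTrailEvent": json.dumps(body)}
SAMPLE_EVENTS = [
    _rec("s3.amazonaws.com", "ListBuckets", "alice", "203.0.113.10"),
    _rec("s3.amazonaws.com", "GetObject", "alice", "203.0.113.10"),
    _rec("iam.amazonaws.com", "CreateUser", "bob", "198.51.100.7"),
    _rec("s3.amazonaws.com", "ListObjects", "bob", "198.51.100.7", errorCode="AccessDenied"),
]

# Comparison operators accepted in filter expressions; "=~" is a regular-expression search.
OPERATORS = {
    "==": operator.eq,
    "!=": operator.ne,
    "=~": lambda value, pattern: re.search(pattern, str(value)) is not None,
}

def iam_action(event):
    """IAM-style 'service:Action' from eventSource/eventName. Assumption: the eventSource host
    prefix is the IAM service prefix; that heuristic fails for a few services (monitoring -> cloudwatch)."""
    return f"{event['EventSource'].split('.', 1)[0]}:{event['EventName']}"

def action_matches(event, patterns):
    """IAM action names are case-insensitive, so match lower-cased names against patterns."""
    name = iam_action(event).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def lookup(path, obj):
    """Resolve a minimal dotted JSONPath such as '$.userIdentity.userName'; None if absent."""
    for key in path.removeprefix("$.").split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def filter_events(events, patterns, filters):
    """Keep events matching an action pattern whose payload passes every (path, op, operand) filter."""
    kept = []
    for event in events:
        if not action_matches(event, patterns):
            continue
        payload = json.loads(event["CloudTrailEvent"])  # the full record is a JSON string
        if all(OPERATORS[op](lookup(path, payload), operand) for path, op, operand in filters):
            kept.append(event)
    return kept
```

A missing path resolves to None, so a filter such as `("$.errorCode", "==", "AccessDenied")` only keeps events that actually carry an error code.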

This program is licensed under the “Data licence Germany – attribution – Version 2.0”. URL

Modules

aws_spitzel.cli

Run the following to get additional information on using the command-line interface:

Classes

Action(service_id, action_name)
    AWS IAM action

DateRange(start, end[, format])

DefaultAWSAPIClients()

Expression(left_operand, right_operand, operator)

Filter(expression)

PrioritizedQueueItem(priority, item)

ProgramContext(actions, date_range[, filters])

Functions

boto3_next_token(callable_[, kwargs, ...])
    Return type: Generator[Tuple[dict, str], None, None]

get_expression_object(raw[, operators])
    Return type: Expression

handle_action_lookup(context, action, queue)
    Parameter type: context is a ProgramContext

lookup_event_response(response, context, ...)
    Retrieve matches of a boto3 CloudTrail API lookup through a callback

main(context)
    Parameter range: date range to search in