
Analyzing Cloud Storage Access Patterns

When to Use

  • When investigating security incidents that require analyzing cloud storage access patterns
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with cloud security concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies:
    pip install boto3 requests
  2. Query CloudTrail for S3 Data Events using AWS CLI or boto3.
  3. Build access baselines: hourly request volume, per-user object counts, source IP history.
  4. Detect anomalies:
    • After-hours access (outside 8am-6pm local time)
    • Bulk downloads: >100 GetObject calls from a single principal within 1 hour
    • New source IPs not seen in the prior 30 days
    • ListBucket enumeration spikes (reconnaissance indicator)
  5. Generate prioritized findings report.
```bash
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
```

Examples

CloudTrail S3 Data Event

```json
{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
 "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}
```
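The following is an added example, not the page's `scripts/agent.py` and not code from any AWS library. It implements steps 3 to 5 of the procedure above (baseline, the four anomaly rules, prioritized report) over events in the CloudTrail S3 data-event shape shown in the example record, with an `eventTime` field added because the rules need a timestamp. All events are constructed inline so the block runs offline; the analysis window, the principals, the IP addresses, the `ListObjects` spike threshold of 20 calls per hour, and the severity weights are assumptions chosen for the example. The sample deliberately includes a source IP last seen 65 days ago so the 30-day lookback edge case is exercised: that IP is reported as new.

```python
"""Detect anomalous S3 access from CloudTrail S3 data events (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds: the first three follow the procedure above; LIST_SPIKE_THRESHOLD is assumed.
BUSINESS_HOURS = (8, 18)            # after-hours = before 08:00 or at/after 18:00
BULK_GET_THRESHOLD = 100            # GetObject calls per principal per hour
NEW_IP_LOOKBACK = timedelta(days=30)
LIST_SPIKE_THRESHOLD = 20           # ListBucket/ListObjects calls per principal per hour (assumption)
SEVERITY = {"bulk_download": 3, "new_source_ip": 2, "list_enumeration": 2, "after_hours": 1}

ACCOUNT = "arn:aws:iam::123456789012:"
ANALYST, CONTRACTOR, BACKUP = ACCOUNT + "user/analyst", ACCOUNT + "user/contractor", ACCOUNT + "role/backup"
WINDOW_START = datetime(2024, 3, 10, tzinfo=timezone.utc)   # hypothetical 24 h analysis window (UTC)


def make_event(ts, name, arn, ip, key=None):
    """Build one constructed event in the CloudTrail S3 data-event shape."""
    params = {"bucketName": "sensitive-data"}
    if key:
        params["key"] = key
    return {"eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
            "requestParameters": params, "sourceIPAddress": ip, "userIdentity": {"arn": arn}}


def sample_events():
    """Constructed history plus window events; values are illustrative only."""
    ev = [  # history: analyst known from 198.51.100.10 (20 days ago); 203.0.113.50 is 65 days old, i.e. stale
        make_event(WINDOW_START - timedelta(days=20), "GetObject", ANALYST, "198.51.100.10", "hr/roster.csv"),
        make_event(WINDOW_START - timedelta(days=65), "GetObject", ANALYST, "203.0.113.50", "hr/roster.csv"),
        make_event(WINDOW_START - timedelta(days=3), "ListObjects", CONTRACTOR, "198.51.100.30"),
        make_event(WINDOW_START - timedelta(days=1), "GetObject", BACKUP, "198.51.100.20", "backups/db.tar"),
        # window: one after-hours read from the stale IP, then a bulk pull during the 10:00 hour
        make_event(WINDOW_START + timedelta(hours=3, minutes=15), "GetObject", ANALYST, "203.0.113.50", "financials/q4.xlsx"),
    ]
    ev += [make_event(WINDOW_START + timedelta(hours=10, seconds=20 * i), "GetObject", ANALYST,
                      "203.0.113.50", f"financials/doc{i}.pdf") for i in range(150)]
    # contractor enumerates the bucket 25 times in one hour from a known IP
    ev += [make_event(WINDOW_START + timedelta(hours=14, minutes=i), "ListObjects", CONTRACTOR, "198.51.100.30")
           for i in range(25)]
    # backup role: routine business-hours reads from its usual IP, nothing to flag
    ev += [make_event(WINDOW_START + timedelta(hours=12, minutes=i), "GetObject", BACKUP, "198.51.100.20", "backups/db.tar")
           for i in range(3)]
    return ev


def parse_event(ev):
    """Flatten one CloudTrail S3 data event into the fields the rules use."""
    return {"ts": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")),
            "name": ev["eventName"], "principal": ev["userIdentity"]["arn"], "ip": ev["sourceIPAddress"],
            "bucket": ev["requestParameters"].get("bucketName"), "key": ev["requestParameters"].get("key")}


def build_baseline(events, window_start):
    """Step 3: hourly volume, per-user GetObject counts and per-principal source IPs from the 30 days before the window."""
    known_ips, hourly, per_user = defaultdict(set), Counter(), Counter()
    for e in map(parse_event, events):
        if window_start - NEW_IP_LOOKBACK <= e["ts"] < window_start:
            known_ips[e["principal"]].add(e["ip"])
            hourly[e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
            if e["name"] == "GetObject":
                per_user[e["principal"]] += 1
    return {"known_ips": known_ips, "hourly": hourly, "per_user": per_user}


def finding(rule, principal, detail, count=1):
    return {"rule": rule, "severity": SEVERITY[rule], "principal": principal, "detail": detail, "count": count}


def detect(events, baseline, window_start):
    """Step 4: apply the four anomaly rules to events inside the window (one finding per principal/hour or principal/IP)."""
    findings, gets, lists, seen_after_hours, seen_new_ip = [], Counter(), Counter(), set(), set()
    for e in map(parse_event, events):
        if e["ts"] < window_start:
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        # Hours are evaluated in UTC here; convert to the tenant's local zone in production.
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1] and (e["principal"], hour) not in seen_after_hours:
            seen_after_hours.add((e["principal"], hour))
            findings.append(finding("after_hours", e["principal"], f"{e['name']} at {e['ts'].isoformat()} from {e['ip']}"))
        if e["ip"] not in baseline["known_ips"].get(e["principal"], set()) and (e["principal"], e["ip"]) not in seen_new_ip:
            seen_new_ip.add((e["principal"], e["ip"]))
            findings.append(finding("new_source_ip", e["principal"], f"{e['ip']} not seen in prior 30 days"))
        if e["name"] == "GetObject":
            gets[(e["principal"], hour)] += 1
        elif e["name"] in ("ListBucket", "ListObjects", "ListObjectsV2"):   # CloudTrail logs ListBucket as ListObjects*
            lists[(e["principal"], hour)] += 1
    for (principal, hour), n in gets.items():
        if n > BULK_GET_THRESHOLD:
            findings.append(finding("bulk_download", principal, f"{n} GetObject calls in hour starting {hour.isoformat()}", n))
    for (principal, hour), n in lists.items():
        if n > LIST_SPIKE_THRESHOLD:
            findings.append(finding("list_enumeration", principal, f"{n} list calls in hour starting {hour.isoformat()}", n))
    return findings


def analyze(events, window_start):
    """Step 5: baseline, detect, and return findings ordered by severity (highest first)."""
    findings = sorted(detect(events, build_baseline(events, window_start), window_start),
                      key=lambda f: (-f["severity"], f["rule"], f["principal"]))
    return {"window_start": window_start.isoformat(), "finding_count": len(findings), "findings": findings}


if __name__ == "__main__":
    print(json.dumps(analyze(sample_events(), WINDOW_START), indent=2))
```

Running the block prints a four-finding report: the 150-call bulk download ranks first, the contractor's enumeration spike and the analyst's never-baselined IP next, and the single after-hours read last. Findings are deduplicated per principal and hour (or per principal and IP) so a 150-event burst produces one line in the report rather than 150; keep that in mind when tuning, because the per-event detail is only retained for the first event that tripped each rule.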