A CHFI is analyzing suspicious activity on a company's AWS account. She suspects an unauthorized user accessed and deleted a crucial bucket object. To trace the potential perpetrator, she should primarily rely on the following:
To trace unauthorized access and actions performed within an AWS environment, AWS CloudTrail logs are the primary resource. They provide a comprehensive record of all API calls made, including details about when the calls were made, the source IP address, and the user identity involved. This makes them essential for identifying the perpetrator and understanding the sequence of events leading to the unauthorized access and deletion of the S3 bucket object.
AWS CloudTrail events can be viewed in the AWS CloudTrail console; they are stored in S3 buckets as log files and delivered to Amazon CloudWatch.