Skill

analyzing-cloud-storage-access-patterns

From asi

Detects abnormal access patterns in AWS S3, GCS, Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, Azure Storage Analytics. Identifies bulk downloads, new IPs, API spikes, exfiltration via statistical baselines and anomaly detection.

AWS

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing cloud storage access patterns

SKILL.md

Similar Skills

analyzing-cloud-storage-access-patterns

5.9k

Detects anomalies in AWS S3, GCS, Azure Blob Storage access via CloudTrail, audit logs, Storage Analytics. Flags bulk downloads, new IPs, API spikes, exfiltration using stats and time-series detection.

3 files

cybersecurity-skills

analyzing-cloud-storage-access-patterns

Analyzes CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics to detect anomalous access in AWS S3, GCS, and Blob Storage: off-hours bulk downloads, new IPs, GetObject spikes, potential exfiltration via baselines and time series.

3 files

cybersecurity-skills-zh

detecting-aws-cloudtrail-anomalies

Detects unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized access. Useful for security incident investigations and threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Cloud Storage Access Patterns

When to Use

When investigating security incidents that require analyzing cloud storage access patterns

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with cloud security concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install boto3 requests

Query CloudTrail for S3 Data Events using AWS CLI or boto3.

Build access baselines: hourly request volume, per-user object counts, source IP history.

Detect anomalies:

After-hours access (outside 8am-6pm local time)
Bulk downloads: >100 GetObject calls from single principal in 1 hour
New source IPs not seen in the prior 30 days
ListBucket enumeration spikes (reconnaissance indicator)

Generate prioritized findings report.

python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json

Examples

CloudTrail S3 Data Event

{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"}, "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}