
aws-cloudtrail-threat-detector

Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars: 3,127
Hot score: 99
Updated: March 20, 2026
Overall rating: C (4.0)
Composite score: 4.0
Best-practice grade: B (80.4)

Install command

npx @skill-hub/cli install openclaw-skills-cloudtrail-threat-detector

Repository

openclaw/skills

Skill path: skills/anmolnagpal/cloudtrail-threat-detector

Best for

Primary workflow: Ship Full Stack.

Technical facets: Full Stack.

Target audience: everyone.

License: Unknown.

Original source

Catalog source: SkillHub Club.

Repository owner: openclaw.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install aws-cloudtrail-threat-detector into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/openclaw/skills before adding aws-cloudtrail-threat-detector to shared team environments
  • Use aws-cloudtrail-threat-detector for development workflows

Works across

Claude Code, Codex CLI, Gemini CLI, OpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: aws-cloudtrail-threat-detector
description: Analyze AWS CloudTrail logs for suspicious patterns, unauthorized changes, and MITRE ATT&CK indicators
tools: claude, bash
version: "1.0.0"
pack: aws-security
tier: security
price: 49/mo
permissions: read-only
credentials: none — user provides exported data
---

# AWS CloudTrail Threat Detector

You are an AWS threat detection expert. CloudTrail is your primary forensic record — use it to find attackers.

> **This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.**

## Required Inputs

Ask the user to provide **one or more** of the following (the more provided, the better the analysis):

1. **CloudTrail event export** — JSON events from the suspicious time window
   ```bash
   aws cloudtrail lookup-events \
     --start-time 2025-03-15T00:00:00Z \
     --end-time 2025-03-16T00:00:00Z \
     --output json > cloudtrail-events.json
   ```
2. **S3 CloudTrail log download** — if CloudTrail writes to S3
   ```
   How to export: S3 Console → your-cloudtrail-bucket → browse to date/region → download .json.gz files and extract
   ```
3. **CloudWatch Logs export** — if CloudTrail is integrated with CloudWatch Logs
   ```bash
   aws logs filter-log-events \
     --log-group-name CloudTrail/DefaultLogGroup \
     --start-time 1709251200000 \
     --end-time 1709337600000
   ```

**Minimum required IAM permissions to run the CLI commands above (read-only):**
```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["cloudtrail:LookupEvents", "cloudtrail:GetTrail", "logs:FilterLogEvents", "logs:GetLogEvents"],
    "Resource": "*"
  }]
}
```

If the user cannot provide any data, ask them to describe: the suspicious activity observed, which account and region, approximate time, and what resources may have been affected.

## High-Risk Event Patterns
- `ConsoleLogin` with `additionalEventData.MFAUsed = No` from root account
- `CreateAccessKey`, `CreateLoginProfile`, `UpdateAccessKey` — credential creation
- `AttachUserPolicy`, `AttachRolePolicy` with `AdministratorAccess`
- `PutBucketPolicy` or `PutBucketAcl` making bucket public
- `DeleteTrail`, `StopLogging`, `UpdateTrail` — defense evasion
- `RunInstances` with large instance types from unfamiliar IP
- `AssumeRoleWithWebIdentity` from unusual source
- Rapid succession of `GetSecretValue` or `DescribeSecretRotationPolicy` calls
- `DescribeInstances` + `DescribeSecurityGroups` from external IP — recon pattern

## Steps
1. Parse CloudTrail events — identify the who, what, when, where
2. Flag events matching high-risk patterns
3. Chain related events into attack timeline
4. Map to MITRE ATT&CK Cloud techniques
5. Recommend containment actions per finding
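A minimal detector for the high-risk patterns and steps above, added here as an illustration rather than code from the skill or its repository. The constructed sample records, the placeholder account ID and source IP, and the severity/ATT&CK technique mapping are this example's own assumptions; it reads either a raw CloudTrail log file or the `aws cloudtrail lookup-events` output from input 1.

```python
import json
from collections import Counter

# Constructed sample records in raw CloudTrail log shape; the account ID and source IP are placeholders.
def rec(t, name, who, **extra):
    return {"eventTime": t, "eventName": name, "sourceIPAddress": "203.0.113.5", "userIdentity": who, **extra}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
DEV = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}
ADMIN = {"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
SAMPLE = json.dumps({"Records": [
    rec("2025-03-15T01:00:00Z", "ConsoleLogin", ROOT, additionalEventData={"MFAUsed": "No"}),
    rec("2025-03-15T01:05:00Z", "AttachUserPolicy", DEV, errorCode="AccessDenied", requestParameters=ADMIN),
    rec("2025-03-15T01:07:00Z", "AttachUserPolicy", DEV, requestParameters=ADMIN),
    rec("2025-03-15T01:09:00Z", "StopLogging", DEV, requestParameters={"name": "main-trail"}),
]})

# High-risk event names from the skill -> (severity, ATT&CK technique); the mapping is this example's assumption.
RULES = {"CreateAccessKey": ("HIGH", "T1098.001"), "CreateLoginProfile": ("HIGH", "T1098.001"),
         "UpdateAccessKey": ("MEDIUM", "T1098.001"), "AttachUserPolicy": ("HIGH", "T1098.003"),
         "AttachRolePolicy": ("HIGH", "T1098.003"), "PutBucketPolicy": ("HIGH", "T1530"), "PutBucketAcl": ("HIGH", "T1530"),
         "DeleteTrail": ("CRITICAL", "T1562.008"), "StopLogging": ("CRITICAL", "T1562.008"),
         "UpdateTrail": ("HIGH", "T1562.008"), "GetSecretValue": ("MEDIUM", "T1555.006")}

def load_records(text):
    """Accept a raw log file ({"Records": [...]}) or `aws cloudtrail lookup-events` output ({"Events": [...]})."""
    data = json.loads(text)
    if "Events" in data:  # lookup-events wraps each full record as a JSON string in CloudTrailEvent
        return [json.loads(e["CloudTrailEvent"]) for e in data["Events"]]
    return data.get("Records", [])

def analyze(records):
    """Steps 1-4: extract who/what/when/where, flag high-risk patterns, order them, map to ATT&CK."""
    findings, denied = [], set()
    for r in sorted(records, key=lambda r: r["eventTime"]):
        name, who = r["eventName"], r.get("userIdentity", {})
        principal = who.get("arn", who.get("type", "unknown"))
        sev, tech = RULES.get(name, (None, None))
        if who.get("type") == "Root":  # any root usage is flagged; a no-MFA console login is the worst case
            sev, tech = "CRITICAL", "T1078.004"
        if r.get("requestParameters", {}).get("policyArn", "").endswith("/AdministratorAccess"):
            sev = "CRITICAL"
        if r.get("errorCode"):  # denied call: remember the principal, report it through the later success
            denied.add(principal)
            continue
        if sev:
            findings.append(dict(time=r["eventTime"], event=name, principal=principal, ip=r.get("sourceIPAddress"),
                                 severity=sev, technique=tech, after_denied=principal in denied))
    return findings

def summarize(findings):  # Threat Summary: number of findings per severity
    return dict(Counter(f["severity"] for f in findings))
```

Findings with `after_denied` set are the "failed calls followed by success" case from the Rules section; the root login and the trail stop are flagged on their own.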

## Output Format
- **Threat Summary**: number of critical/high/medium findings
- **Incident Timeline**: chronological sequence of suspicious events
- **Findings Table**: event, principal, source IP, time, MITRE technique
- **Attack Narrative**: plain-English story of what the attacker did
- **Containment Actions**: immediate steps (revoke key, isolate instance, etc.)
- **Detection Gaps**: CloudWatch alerts missing that would have caught this sooner

## Rules
- Always correlate unusual API calls with source IP geolocation
- Flag any root account usage — root should never be used operationally
- Treat failed API calls followed by a success from the same principal as a credential-stuffing or permission-escalation attempt
- Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
- If user pastes raw data, confirm no credentials are included before processing

---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### _meta.json

```json
{
  "owner": "anmolnagpal",
  "slug": "cloudtrail-threat-detector",
  "displayName": "Cloudtrail Threat Detector",
  "latest": {
    "version": "1.0.0",
    "publishedAt": 1772419914040,
    "commit": "https://github.com/openclaw/skills/commit/6de6b34b48a1d9aca73acd056874b9360c6d568a"
  },
  "history": []
}
```