
analyst security skill risk: medium

Cloud Storage Access Anomaly Detector

Provides instructions, prerequisites, and steps to query cloud storage logs, build access baselines, detect anomalies such as after-hours access or bulk downloads, and generate pri…

  • External action: medium

SKILL 4 files · 2 folders

SKILL.md
---
name: analyzing-cloud-storage-access-patterns
description: "Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS"
---
# Analyzing Cloud Storage Access Patterns


## When to Use

- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install boto3 requests`
2. Query CloudTrail for S3 Data Events using AWS CLI or boto3.
3. Build access baselines: hourly request volume, per-user object counts, source IP history.
4. Detect anomalies:
   - After-hours access (outside 8am-6pm local time)
   - Bulk downloads: >100 GetObject calls from a single principal within 1 hour
   - New source IPs not seen in the prior 30 days
   - ListBucket enumeration spikes (reconnaissance indicator)
5. Generate prioritized findings report.

```bash
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
```
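The four anomaly rules in step 4 and the prioritized report in step 5, implemented over constructed CloudTrail-shaped events as an added example (this is not the skill's own `scripts/agent.py`). It assumes the event names `ListObjects`/`ListObjectsV2`/`ListBucket` count as enumeration, that a "known IP" baseline for the prior 30 days is supplied by the caller, that an enumeration spike means a principal's hourly list count exceeds a multiple of the baseline hourly rate, and that rule-to-severity mapping (bulk download high, new IP and enumeration medium, after-hours low) is the analyst's choice; all sample events, ARNs and addresses are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# --- constructed sample data (not real CloudTrail logs) ---
BUCKET = "sensitive-data"
ANALYST = "arn:aws:iam::123456789012:user/analyst"      # constructed principal
BATCH = "arn:aws:iam::123456789012:role/batch-exporter"  # constructed principal
KNOWN_IPS = {"198.51.100.10"}  # assumed 30-day source-IP baseline for this bucket
LIST_EVENTS = {"ListObjects", "ListObjectsV2", "ListBucket"}  # assumed enumeration names
BASE = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)        # reference time, 12:00 UTC


def _ts(minutes):
    return (BASE + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")


def _evt(name, arn, ip, ts, key=None):
    params = {"bucketName": BUCKET}
    if key:
        params["key"] = key
    return {"eventName": name, "eventTime": ts, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn}, "requestParameters": params}


SAMPLE_EVENTS = (
    # five daytime reads by the analyst from the known office IP
    [_evt("GetObject", ANALYST, "198.51.100.10", _ts(i), f"reports/{i}.csv") for i in range(5)]
    # 120 GetObject calls in 30 minutes at 03:00 UTC from an unseen IP (bulk + new IP + after-hours)
    + [_evt("GetObject", BATCH, "203.0.113.50", _ts(-540 + i // 4), f"financials/{i}.xlsx")
       for i in range(120)]
    # a burst of 25 listing calls from the same unseen IP just before the downloads
    + [_evt("ListObjects", BATCH, "203.0.113.50", _ts(-545)) for _ in range(25)]
)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def after_hours(events, utc_offset_hours=0, start=8, end=18):
    """Events whose local hour falls outside [start, end); offset converts UTC to local."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [e for e in events
            if not (start <= parse_time(e["eventTime"]).astimezone(tz).hour < end)]


def bulk_downloads(events, threshold=100, window=timedelta(hours=1)):
    """Principals with more than `threshold` GetObject calls inside any sliding window."""
    per = defaultdict(list)
    for e in events:
        if e["eventName"] == "GetObject":
            per[e["userIdentity"]["arn"]].append(parse_time(e["eventTime"]))
    findings = {}
    for arn, times in per.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            findings[arn] = peak
    return findings


def new_source_ips(events, known_ips):
    """Source IPs absent from the baseline, mapped to the principals that used them."""
    seen = defaultdict(set)
    for e in events:
        if e["sourceIPAddress"] not in known_ips:
            seen[e["sourceIPAddress"]].add(e["userIdentity"]["arn"])
    return {ip: sorted(arns) for ip, arns in seen.items()}


def enumeration_spikes(events, baseline_per_hour, factor=5):
    """Principals whose listing calls in some clock hour exceed factor x baseline rate."""
    per_hour = Counter()
    for e in events:
        if e["eventName"] in LIST_EVENTS:
            hour = parse_time(e["eventTime"]).replace(minute=0, second=0)
            per_hour[(e["userIdentity"]["arn"], hour)] += 1
    peak = {}
    for (arn, _), n in per_hour.items():
        peak[arn] = max(peak.get(arn, 0), n)
    return {arn: n for arn, n in peak.items() if n > factor * baseline_per_hour}


def build_report(events, known_ips, baseline_list_per_hour, utc_offset_hours=0):
    """Step 5: one finding per (rule, principal), ordered by assumed severity."""
    f = []
    for arn, n in bulk_downloads(events).items():
        f.append({"severity": "high", "rule": "bulk_download", "principal": arn,
                  "detail": f"{n} GetObject calls within 1 hour"})
    for ip, arns in new_source_ips(events, known_ips).items():
        f.append({"severity": "medium", "rule": "new_source_ip", "principal": ",".join(arns),
                  "detail": f"{ip} not seen in prior 30 days"})
    for arn, n in enumeration_spikes(events, baseline_list_per_hour).items():
        f.append({"severity": "medium", "rule": "enumeration_spike", "principal": arn,
                  "detail": f"{n} listing calls in one hour vs baseline {baseline_list_per_hour}/h"})
    for arn, n in Counter(e["userIdentity"]["arn"]
                          for e in after_hours(events, utc_offset_hours)).items():
        f.append({"severity": "low", "rule": "after_hours_access", "principal": arn,
                  "detail": f"{n} events outside 8am-6pm local"})
    rank = {"high": 0, "medium": 1, "low": 2}
    f.sort(key=lambda x: rank[x["severity"]])
    return {"bucket": BUCKET, "findings": f}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS, KNOWN_IPS, baseline_list_per_hour=2), indent=2))
```

The sliding window in `bulk_downloads` matters: bucketing by clock hour would miss 100 downloads straddling a boundary. Likewise, pass the bucket owner's UTC offset to `after_hours`; the same 03:00 UTC burst is office hours in a UTC+6 region.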

## Examples

### CloudTrail S3 Data Event
```json
{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
 "sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}
```

INPUTS

bucket REQUIRED

target cloud storage bucket

e.g. my-sensitive-data

hours-back REQUIRED

lookback period in hours

e.g. 24

output REQUIRED

output file path

e.g. s3_access_report.json

REQUIRED CONTEXT

  • CloudTrail Data Events or equivalent logs
  • bucket name
  • time window

OPTIONAL CONTEXT

  • Python environment
  • test/lab access

TOOLS REQUIRED

  • code_execution

EXPECTED OUTPUT

Format
structured_report
Constraints
  • include prioritized findings
  • follow the 5-step analysis process
  • use provided anomaly rules

EXAMPLES

Includes one CloudTrail S3 Data Event JSON example.

CAVEATS

Missing context
  • Exact structure or template for the prioritized findings report
  • Instructions or libraries for querying GCS and Azure Blob Storage
Ambiguities
  • Description sentence is truncated after 'GCS'

QUALITY

OVERALL
0.60
CLARITY
0.70
SPECIFICITY
0.55
REUSABILITY
0.65
COMPLETENESS
0.50

IMPROVEMENT SUGGESTIONS

  • Complete the truncated description sentence.
  • Add steps or code examples for GCS and Azure in the Instructions section.
  • Specify required output fields or schema for s3_access_report.json.

USAGE

Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
