UNPKG

aiwg

Version:

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

aiwg.io

jmagly/aiwg

143 lines (110 loc) 7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
--- namespace: aiwg name: cloud-forensics description: "AWS, Azure, and GCP forensic investigation covering audit logs, IAM review, storage access, network flows, and compute instance forensics" tools: Bash, Read, Write, Glob, Grep platforms: [all] --- # cloud-forensics Investigates cloud environments for signs of compromise, data exfiltration, privilege escalation, and persistence. Parameterized by cloud provider. Adapts collection procedures to AWS CloudTrail, Azure Monitor/Activity Log, and GCP Cloud Audit Logs. Maps findings to MITRE ATT&CK Cloud techniques. ## Triggers Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description): - "CloudTrail" → AWS audit log analysis - "Activity Log" → Azure audit log analysis - "Cloud Audit Logs" → GCP audit log analysis - "IAM review" → cloud identity forensics ## Purpose Cloud forensics requires provider-specific tooling and log sources. An AWS investigation centers on CloudTrail and GuardDuty; Azure on Activity Logs and Defender for Cloud; GCP on Cloud Audit Logs and Security Command Center. This skill selects the appropriate collection path and produces a consistent findings document regardless of provider. ## Behavior When triggered, this skill: 1. **Identify cloud provider and configure access**: - AWS: verify `aws sts get-caller-identity` — record account ID, ARN, and user ID - Azure: verify `az account show` — record subscription ID, tenant ID, and principal - GCP: verify `gcloud auth list` and `gcloud config get-value project` - Prompt for provider if not determinable from environment 2. **AWS — CloudTrail audit log collection**: - List trails: `aws cloudtrail describe-trails` - Check if logging is enabled on all trails and all regions - Pull recent management events: `aws cloudtrail lookup-events --max-results 1000` - Flag high-risk event names: `CreateUser`, `AttachUserPolicy`, `PutRolePolicy`, `AssumeRole`, `GetSecretValue`, `DeleteTrail`, `StopLogging`, `PutBucketPolicy` - Check for CloudTrail log integrity validation status 3. **AWS — IAM review**: - List all IAM users and check for access keys older than 90 days: `aws iam list-users` + `aws iam list-access-keys` - List users with `AdministratorAccess` managed policy - List roles with trust policies allowing external principals or `*` in Principal - Check for recently created or modified IAM entities (within investigation window) - Download and analyze credential report: `aws iam generate-credential-report && aws iam get-credential-report` 4. **AWS — storage and data access**: - List S3 buckets with public access settings: `aws s3api get-public-access-block --bucket <name>` - Check for buckets with server access logging disabled - Review recent S3 data events in CloudTrail if data event logging is enabled - Check Secrets Manager and SSM Parameter Store access events 5. **Azure — Activity Log collection**: - Pull activity log for the investigation window: `az monitor activity-log list --start-time <ISO8601> --end-time <ISO8601>` - Flag high-risk operations: role assignment creation, policy assignments, key vault access, storage account key rotation, VM disk snapshots - Check Defender for Cloud alerts: `az security alert list` 6. **Azure — IAM (RBAC) review**: - List Owner and Contributor role assignments at subscription scope: `az role assignment list --include-classic-administrators` - Flag service principals with no associated application or with expired credentials - Check for recently created managed identities 7. **GCP — Cloud Audit Log collection**: - Query Admin Activity logs: `gcloud logging read 'logName:"cloudaudit.googleapis.com/activity"' --limit=1000` - Query Data Access logs if enabled - Flag: `SetIamPolicy`, `CreateServiceAccountKey`, `ActAs`, `signBlob`, bucket ACL changes - Check Security Command Center findings: `gcloud scc findings list <organization_id>` 8. **GCP — IAM review**: - List project-level IAM bindings: `gcloud projects get-iam-policy <project>` - Flag roles/owner and roles/editor at project or folder scope - List service account keys and flag keys older than 90 days - Check for allUsers or allAuthenticatedUsers bindings on any resource 9. **Compute instance forensics (all providers)**: - List running instances with metadata (creation time, last started, associated IAM role/service account) - Flag instances with public IP addresses that have inbound rules permitting 0.0.0.0/0 on sensitive ports - Check for recently created disk snapshots (potential exfiltration staging) - Review instance serial console output or boot logs where available 10. **Network flow log review**: - AWS: pull VPC Flow Logs for unusual outbound traffic patterns from targeted instances - Azure: pull NSG Flow Logs - GCP: pull VPC Flow Logs - Flag large data transfers, connections to known-bad IPs, and unusual destination ports 11. **Write findings document**: - Save to `.aiwg/forensics/findings/cloud-<provider>-forensics.md` - Sections: identity findings, logging gaps, data access anomalies, network anomalies, persistence indicators ## Usage Examples ### Example 1 — AWS ``` aws investigation ``` Uses the currently configured AWS CLI profile. ### Example 2 — GCP with project ``` gcp forensics --project my-project-id ``` ### Example 3 — Azure ``` azure forensics --subscription 00000000-0000-0000-0000-000000000000 ``` ## Output Locations - Findings: `.aiwg/forensics/findings/cloud-<provider>-forensics.md` - Raw IAM report: `.aiwg/forensics/evidence/cloud-<provider>-iam.json` - Audit log export: `.aiwg/forensics/evidence/cloud-<provider>-audit.json` ## Configuration ```yaml cloud_forensics: investigation_window_hours: 72 high_risk_aws_events: - CreateUser - AttachUserPolicy - PutRolePolicy - DeleteTrail - StopLogging - GetSecretValue key_age_threshold_days: 90 flag_public_instances: true ``` ## References - @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Verify provider identity and access before collection; detect available log sources - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Export and hash cloud artifacts before analysis; record snapshot IDs in custody log - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate when CloudTrail tampering (StopLogging, DeleteTrail) or active IAM privilege escalation is found - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/evidence-preservation/SKILL.md — Cloud evidence (snapshots, log exports) must be preserved per custody procedures - @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Extract IOCs (suspicious IPs, ARNs, service principal IDs) from cloud audit log findings