analyzing-cloud-storage-access-patterns
@adriannoes · 收录于 1 周前
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.
适合你,如果你需要监控云存储访问模式并发现潜在安全威胁。
/ 下载安装
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code
~/.claude/skills/(项目级 .claude/skills/)Codex CLI
~/.codex/skills/Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add adriannoes/awesome-vibe-coding/analyzing-cloud-storage-access-patterns/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- adriannoes/awesome-vibe-coding/analyzing-cloud-storage-access-patterns/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify adriannoes/awesome-vibe-coding/analyzing-cloud-storage-access-patterns安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
44GitHub stars
~463最小装载
~463含声明引用
~774文本包总量
镜像托管
怎么用
技能原文 SKILL.md
Analyzing Cloud Storage Access Patterns
When to Use
- When investigating security incidents that require analyzing cloud storage access patterns
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with cloud security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
- Install dependencies:
pip install boto3 requests - Query CloudTrail for S3 Data Events using AWS CLI or boto3.
- Build access baselines: hourly request volume, per-user object counts, source IP history.
- Detect anomalies:
- After-hours access (outside 8am-6pm local time)
- Bulk downloads: >100 GetObject calls from single principal in 1 hour
- New source IPs not seen in the prior 30 days
- ListBucket enumeration spikes (reconnaissance indicator)
- Generate prioritized findings report.
python scripts/agent.py --bucket my-sensitive-data --hours-back 24 --output s3_access_report.json
Examples
CloudTrail S3 Data Event
{"eventName": "GetObject", "requestParameters": {"bucketName": "sensitive-data", "key": "financials/q4.xlsx"},
"sourceIPAddress": "203.0.113.50", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}}按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →
评论
登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。
…