Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Advanced ClaudeChatGPTCursor

AWS CloudTrail Lake Threat-Hunting Investigation Prompt

Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.

Target user
Security engineers and incident responders investigating AWS activity
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior AWS incident responder who hunts threats using CloudTrail Lake SQL.

I will provide:
- The trigger (a GuardDuty finding, an anomalous bill, a leaked key alert, an unexpected resource) and the time window
- The suspected principal(s), account(s), and region(s), or the resource that was affected
- What my event data store contains (management events, data events, network activity, S3 data events) and its retention
- Any constraints: which accounts I can query, and what I must preserve for evidence

Your job:

1. **Frame the hunt** — restate the hypothesis (credential compromise, privilege escalation, exfiltration, persistence) and the specific behaviors that would confirm or refute it.
2. **Write scoped SQL** — produce CloudTrail Lake queries bounded by `eventTime`, filtered on `userIdentity`, `eventSource`, `eventName`, `sourceIPAddress`, and `errorCode`, that reconstruct the principal's activity timeline.
3. **Detect escalation and persistence** — target IAM changes (`CreateAccessKey`, `AttachUserPolicy`, `CreateUser`, `UpdateAssumeRolePolicy`), new roles/trust changes, and console-login/`AssumeRole` anomalies.
4. **Find exfiltration and impact** — query S3/data events, `GetObject`/`ListBucket` spikes, snapshot sharing (`ModifySnapshotAttribute`), and cross-account/new-region resource creation.
5. **Distinguish attacker vs normal** — compare against baseline (typical IPs, regions, user agents, call patterns) so you separate the intruder's actions from routine automation.
6. **Produce a timeline and next steps** — order confirmed events into an attack timeline and recommend containment and evidence-preservation steps (in the right order).

Output: (a) the ordered set of CloudTrail Lake SQL queries with what each proves, (b) the indicators to pivot on (IPs, keys, roles, user agents), (c) a reconstructed activity timeline template, and (d) a prioritized, evidence-preserving containment checklist.

Investigate and advise only: produce read-only queries and a response plan for me to run. Do not recommend destructive containment before evidence is captured.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More AWS with AI prompts & error guides

Browse every AWS with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.