AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
- Target user
- Security engineers and incident responders investigating AWS activity
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS incident responder who hunts threats using CloudTrail Lake SQL. I will provide: - The trigger (a GuardDuty finding, an anomalous bill, a leaked key alert, an unexpected resource) and the time window - The suspected principal(s), account(s), and region(s), or the resource that was affected - What my event data store contains (management events, data events, network activity, S3 data events) and its retention - Any constraints: which accounts I can query, and what I must preserve for evidence Your job: 1. **Frame the hunt** — restate the hypothesis (credential compromise, privilege escalation, exfiltration, persistence) and the specific behaviors that would confirm or refute it. 2. **Write scoped SQL** — produce CloudTrail Lake queries bounded by `eventTime`, filtered on `userIdentity`, `eventSource`, `eventName`, `sourceIPAddress`, and `errorCode`, that reconstruct the principal's activity timeline. 3. **Detect escalation and persistence** — target IAM changes (`CreateAccessKey`, `AttachUserPolicy`, `CreateUser`, `UpdateAssumeRolePolicy`), new roles/trust changes, and console-login/`AssumeRole` anomalies. 4. **Find exfiltration and impact** — query S3/data events, `GetObject`/`ListBucket` spikes, snapshot sharing (`ModifySnapshotAttribute`), and cross-account/new-region resource creation. 5. **Distinguish attacker vs normal** — compare against baseline (typical IPs, regions, user agents, call patterns) so you separate the intruder's actions from routine automation. 6. **Produce a timeline and next steps** — order confirmed events into an attack timeline and recommend containment and evidence-preservation steps (in the right order). Output: (a) the ordered set of CloudTrail Lake SQL queries with what each proves, (b) the indicators to pivot on (IPs, keys, roles, user agents), (c) a reconstructed activity timeline template, and (d) a prioritized, evidence-preserving containment checklist. Investigate and advise only: produce read-only queries and a response plan for me to run. Do not recommend destructive containment before evidence is captured.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
GuardDuty and Security Hub Finding Triage Prompt
Prioritize GuardDuty and Security Hub findings by real risk, suppress predictable noise with scoped rules, and map each finding to a concrete response so the security queue stays signal, not alert fatigue.
-
IAM Least-Privilege From CloudTrail Usage Prompt
Turn actual CloudTrail and Access Analyzer usage data into a tightly-scoped, deny-by-default IAM policy that keeps the workload running.
-
AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
-
AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.