# AWS

### Data Collection with Storage

* External block storage basically acts as a cloud USB drive, allowing you to add storage to a cloud system.
* If you provision more block storage, it will appear automatically in Windows.
* In Linux, we can create a mount point and mount the new device.

```
# list block devices to find the newly attached volume
sudo fdisk -l
# replace sdh1 with the actual device; mount needs root as well
sudo mkdir -p /mnt/sdh1 && sudo mount /dev/sdh1 /mnt/sdh1
```

### Collection of AWS Storage

```
aws ec2 describe-volumes | jq -r '.Volumes[] | select(.AvailabilityZone | contains("us-east-1")) | .VolumeId'
# returns the IDs of the volumes in the matching availability zones
aws ec2 attach-volume --volume-id vol-VOLUME_NUMBER --instance-id INSTANCE_ID --device /dev/sdh
```

### Cloud Logging

* Manual analysis of cloud logs is extremely difficult; use automated tools

```
s3logparse.py useragent USER_AGENT_HERE
#search for a specific user-agent
```
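The kind of user-agent search shown above, written out as an added Python example (it is not s3logparse.py and not part of the original notes). It assumes the logs are S3 server access logs; the function names are hypothetical and the sample records are constructed.

```python
import re
from collections import Counter

# Leading fields of an S3 server access log record, in order, up to the user agent.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent"]
# A field is a [bracketed timestamp], a "quoted string", or a bare token.
TOKEN = re.compile(r'\[([^\]]*)\]|"((?:[^"\\]|\\.)*)"|(\S+)')

def parse_line(line):
    """Return a dict of the leading fields, or None for a short/garbled line."""
    values = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(line)]
    if len(values) < len(FIELDS):
        return None
    return dict(zip(FIELDS, values))

def search_useragent(lines, needle):
    """Records whose user agent contains `needle` (case-insensitive)."""
    needle = needle.lower()
    records = (parse_line(line) for line in lines)
    return [r for r in records if r and needle in r["user_agent"].lower()]

def summarize(hits):
    """Count matching requests per (remote_ip, requester, operation)."""
    return Counter((r["remote_ip"], r["requester"], r["operation"]) for r in hits)

# Constructed sample records (documentation IPs, placeholder IDs, trailing fields trimmed).
SAMPLE = [
    'OWNERID example-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/example-user REQ0001 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 1048576 1048576 70 10 "-" "aws-cli/2.15.0 Python/3.11.6" -',
    'OWNERID example-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT index.html "GET /index.html HTTP/1.1" 200 - 512 512 12 11 "-" "Mozilla/5.0 (X11; Linux x86_64)" -',
    'OWNERID example-bucket [06/Feb/2024:00:02:15 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/example-user REQ0003 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 2048 - 35 34 "-" "aws-cli/2.15.0 Python/3.11.6" -',
    'truncated record',
]

if __name__ == "__main__":
    for (ip, who, op), n in summarize(search_useragent(SAMPLE, "aws-cli")).most_common():
        print(f"{n:4d}  {ip}  {who}  {op}")
```

Grouping the hits by source IP, requester and operation shows at a glance which identity a suspicious client was using and what it did with the bucket.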

* Examine the logs in a web-server-like view

```
zcat /path/to/logs/* > log_flow.txt
export LOG_TEXT=/home/logs/log_flow.txt
npm run build-graph 
npm run client
#will start on localhost:8080
```

### Revoking Cloud Keys

* Most compromises involve an unauthorized user gaining access to a cloud key
* In AWS IAM, search by username or key ID by clicking IAM --> Users

```
Set-ADAccountPassword -Identity jack -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "My_Password" -Force)
Set-ADAccountPassword -Identity jack -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "My_Password" -Force)
```

* For Azure AD make sure to reset the password twice!!!


