Non-Human Identities CloudTrail Query Runbooks
The first failure alert hit at 03:12. A non-human identity was making API calls you didn’t expect. CloudTrail had the evidence, buried deep in logs stretching back weeks. You needed answers fast, but the queries were complex, and the runbooks you had were incomplete.
Non-Human Identities CloudTrail Query Runbooks are how you turn a chaotic stream of events into actionable intelligence. These identities include service accounts, IAM roles used by applications, CI/CD pipelines, and automation scripts. They often have broad permissions, making them high-value attack targets. Tracking them in CloudTrail requires precise queries and well-tested runbooks you can deploy in minutes.
A good runbook for non-human identities starts with a focused CloudTrail query: filter on userIdentity.type (AssumedRole for application and pipeline roles, AWSService for AWS services acting on your behalf), then break the results down by sourceIPAddress, eventName, and eventTime. One caveat: federated and IAM Identity Center users also show up as AssumedRole sessions, so group on userIdentity.sessionContext.sessionIssuer.arn (the underlying role) rather than the per-session ARN, and exclude the roles humans sign in through. This reveals unusual patterns, like a build system accessing production or a Lambda function calling forbidden APIs. Each query should be documented with exact parameters, expected output, and steps to interpret findings.
Cluster CloudTrail queries to match real incidents:
- Access Review: Identify all non-human identities active in a given time window.
- Unauthorized Action Detection: Search for errorCode fields (AccessDenied and similar) that indicate denied API calls.
- Privilege Escalation Check: Look for changes to IAM roles or attached policies, such as AttachRolePolicy, PutRolePolicy, and UpdateAssumeRolePolicy.
- Cross-Account Activity: Detect non-human identities acting in AWS accounts other than their own, for example by comparing userIdentity.accountId with recipientAccountId.
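The four runbook queries above, plus the per-identity breakdown described in the previous paragraph, as an added Python example written for this page (not code from hoop.dev or AWS). It runs over a handful of constructed CloudTrail records rather than real logs: the account IDs, role names, session names and IP addresses are made up, while the field names (userIdentity.type, sessionContext.sessionIssuer.arn, errorCode, recipientAccountId, eventTime) are the ones CloudTrail actually writes.

```python
"""Runbook queries for non-human identities over constructed CloudTrail records.
Added example for this page, not hoop.dev's code or a real log export; field
names follow the CloudTrail record format, all values are made up."""
import json
from collections import Counter
from datetime import datetime, timezone

# userIdentity.type values CloudTrail uses for non-human principals.
NON_HUMAN_TYPES = {"AssumedRole", "AWSService", "AWSAccount"}
# IAM calls that change what a principal can do (a subset of the IAM event names).
IAM_MUTATIONS = {"AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
                 "CreatePolicyVersion", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"}
ACCT = "111111111111"  # assumed home account for the sample
CI_ROLE = f"arn:aws:iam::{ACCT}:role/ci-build"  # assumed CI pipeline role


def _assumed(role_arn, session):
    """userIdentity block of an AssumedRole session, laid out as CloudTrail records it."""
    acct, name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
    return {"type": "AssumedRole", "accountId": acct,
            "arn": f"arn:aws:sts::{acct}:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"arn": role_arn}}}


def _rec(time, source, name, ip, recipient, identity, error=None):
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "sourceIPAddress": ip, "recipientAccountId": recipient, "userIdentity": identity}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed sample trail: the CI role does normal work, then attaches a policy,
# trips a deny from a new IP, and writes into another account. A human IAM user
# and an SSO session are included so the non-human filter has something to drop.
SAMPLE = json.dumps({"Records": [
    _rec("2024-05-01T03:10:00Z", "s3.amazonaws.com", "GetObject", "10.0.1.5", ACCT, _assumed(CI_ROLE, "run-42")),
    _rec("2024-05-01T03:12:00Z", "iam.amazonaws.com", "AttachRolePolicy", "10.0.1.5", ACCT, _assumed(CI_ROLE, "run-42")),
    _rec("2024-05-01T03:12:30Z", "secretsmanager.amazonaws.com", "GetSecretValue", "203.0.113.7", ACCT,
         _assumed(CI_ROLE, "run-42"), error="AccessDenied"),
    _rec("2024-05-01T03:15:00Z", "s3.amazonaws.com", "PutObject", "10.0.2.9", "222222222222", _assumed(CI_ROLE, "run-43")),
    _rec("2024-05-01T03:20:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.4", ACCT,
         {"type": "IAMUser", "accountId": ACCT, "arn": f"arn:aws:iam::{ACCT}:user/alice"}),
    _rec("2024-05-01T04:00:00Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.4", ACCT,
         _assumed(f"arn:aws:iam::{ACCT}:role/AWSReservedSSO_Admin_abc123", "alice")),
]})


def load_sample():
    return json.loads(SAMPLE)["Records"]


def _ts(s):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-05-01T03:12:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issuer(ev):
    """Stable identity name: the IAM role behind an AssumedRole session
    (sessionContext.sessionIssuer.arn), else the principal ARN or invoking service."""
    ui = ev["userIdentity"]
    return (ui.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            or ui.get("arn") or ui.get("invokedBy", "unknown"))


def non_human(events):
    """Base filter every runbook query starts from. IAM Identity Center (SSO) users
    also appear as AssumedRole sessions on roles named AWSReservedSSO_*, so drop those."""
    return [ev for ev in events
            if ev["userIdentity"].get("type") in NON_HUMAN_TYPES
            and "/AWSReservedSSO_" not in issuer(ev)]


def access_review(events, start, end):
    """Runbook 1: non-human identities active in [start, end); bounds are eventTime strings."""
    lo, hi = _ts(start), _ts(end)
    return sorted({issuer(ev) for ev in non_human(events) if lo <= _ts(ev["eventTime"]) < hi})


def denied_calls(events):
    """Runbook 2: calls that failed, with the errorCode CloudTrail recorded."""
    return [(issuer(ev), ev["eventName"], ev["errorCode"])
            for ev in non_human(events) if "errorCode" in ev]


def privilege_changes(events):
    """Runbook 3: IAM role/policy mutations made by non-human identities."""
    return [(issuer(ev), ev["eventName"]) for ev in non_human(events)
            if ev["eventSource"] == "iam.amazonaws.com" and ev["eventName"] in IAM_MUTATIONS]


def cross_account(events):
    """Runbook 4: calls landing in an account other than the caller's own
    (userIdentity.accountId is absent for AWSService principals, so skip those)."""
    return [(issuer(ev), ev["recipientAccountId"], ev["eventName"]) for ev in non_human(events)
            if ev["userIdentity"].get("accountId") not in (None, ev["recipientAccountId"])]


def breakdown(events):
    """Triage view from the runbook: counts by (identity, sourceIPAddress, eventName)."""
    return Counter((issuer(ev), ev["sourceIPAddress"], ev["eventName"]) for ev in non_human(events))


if __name__ == "__main__":
    evs = load_sample()
    print("active:", access_review(evs, "2024-05-01T03:00:00Z", "2024-05-01T03:30:00Z"))
    print("denied:", denied_calls(evs), "\niam changes:", privilege_changes(evs))
    print("cross-account:", cross_account(evs), "\nbreakdown:", breakdown(evs).most_common())
```

Each function is one atomic runbook step, so they chain naturally during response: the access review names the role, the breakdown shows the new source IP, and the denied-call, IAM-change and cross-account queries tell you what that role tried and where. In production the same predicates run as Athena SQL over the S3 trail or as CloudTrail Lake queries; a small Python version like this is the manual run path worth keeping for when the automated pipeline is down or a result needs to be re-checked by hand.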
Store these queries in version-controlled runbooks. Keep them atomic—one objective per query—so teams can chain them together in incident response. Automate their execution where possible, but maintain manual run paths for when automation breaks or results need verification.
Security teams that master Non-Human Identities CloudTrail Query Runbooks shrink detection time from hours to minutes. They catch anomalies early, trace every API call, and understand patterns before they become incidents. The keyword here is precision: know exactly which fields in CloudTrail matter, and codify them in your runbooks with zero ambiguity.
See how to build, store, and run these CloudTrail queries live in minutes—visit hoop.dev and take control of your non-human identities before the next alert lands.