They thought the logs would tell the truth. They were wrong.

Ad hoc access control is the difference between an open door and a locked vault. Yet in AWS, it’s easy to lose track of who ran what, when, and why. CloudTrail captures it all, but raw event history is a swamp without a map. The challenge is not capturing the data; it’s turning it into a fast, trustworthy answer.

The fastest way to uncover unusual access is to combine ad hoc access control logic with precise CloudTrail queries. With the right query runbooks, you can spot live misconfigurations before they burn you. A runbook turns a one-off hunt into a repeatable step you can execute in seconds. No SSH into random instances. No pulling JSON into a local editor. No guesswork.

Start with scope. Identify the sensitive resources: databases, private APIs, encryption keys. Write access control queries that filter CloudTrail logs by resource name, IAM user or role, and event type. Log every change in permissions. Flag every use of AssumeRole into high-privilege accounts. Template these filters as runbooks so they run on demand, without retyping them each time.

Then go deeper. Correlate query results with IP locations, MFA context, and unusual time-of-day patterns. Investigate spikes in List*, Describe*, or Get* operations — patterns that often precede privilege escalation. Store these runbooks in a shared repository where they can be invoked instantly.

Automation works best when it respects context. A runbook can be tuned to answer exact questions:

  • Who accessed this resource in the last hour?
  • Which admin actions violated our expected IP range?
  • How many permissions changed outside approved change windows?
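The three questions above, written as runbook functions over CloudTrail records (an added example, not code from the original page or from hoop.dev). The allowed CIDR, the change window, the set of events treated as permission changes, and every sample record are constructed assumptions; the record field names are CloudTrail's own.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumptions for this added example (none come from the page): the CIDR, the
# change window, the set of permission-changing events, and all sample records.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")
CHANGE_HOURS_UTC = range(2, 4)  # approved window: 02:00-03:59 UTC
PERMISSION_EVENTS = {"AttachRolePolicy", "PutRolePolicy", "AttachUserPolicy", "PutUserPolicy"}
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def _ev(time, name, arn, ip, resource=None):
    """Build a constructed record using CloudTrail's own field names."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"arn": arn},
            "resources": [{"ARN": resource}] if resource else []}

SAMPLE = [  # constructed events, not real log data
    _ev("2024-05-01T09:00:00Z", "Decrypt", "arn:aws:iam::111122223333:user/alice", "203.0.113.5", KEY),
    _ev("2024-05-01T11:30:00Z", "Decrypt", "arn:aws:sts::111122223333:assumed-role/app/s1", "203.0.113.10", KEY),
    _ev("2024-05-01T02:15:00Z", "AttachRolePolicy", "arn:aws:iam::111122223333:user/bob", "203.0.113.20"),
    _ev("2024-05-01T11:45:00Z", "PutRolePolicy", "arn:aws:iam::111122223333:user/carol", "198.51.100.7"),
]

def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def who_accessed(events, resource_arn, now, window=timedelta(hours=1)):
    """Principals that touched resource_arn within `window` before `now`."""
    return sorted({e["userIdentity"]["arn"] for e in events
                   if any(r.get("ARN") == resource_arn for r in e.get("resources") or [])
                   and now - window <= _ts(e) <= now})

def outside_ip_range(events):
    """Permission changes whose source is not inside ALLOWED_NET."""
    hits = []
    for e in events:
        if e["eventName"] in PERMISSION_EVENTS:
            try:
                ok = ipaddress.ip_address(e["sourceIPAddress"]) in ALLOWED_NET
            except ValueError:  # AWS services log a hostname here; surface for review
                ok = False
            if not ok:
                hits.append((e["eventName"], e["userIdentity"]["arn"], e["sourceIPAddress"]))
    return hits

def changes_outside_window(events):
    """Count permission changes made outside the approved hours."""
    return sum(e["eventName"] in PERMISSION_EVENTS and _ts(e).hour not in CHANGE_HOURS_UTC
               for e in events)
```

Each function takes a list of parsed event records, so the same checks apply whether the events come from a log file export or from a query result.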

When runbooks are this specific, ad hoc investigation becomes precise and predictable. What used to take an afternoon of log scrubbing now finishes in under a minute. Misuse is stopped mid-flight.

You can see this working live in minutes. Try it on hoop.dev — load your CloudTrail data, run the queries, and watch ad hoc access control solidify into something you can trust.