// industry vertical
cloud IAM / CSPM forensics
AWS CloudTrail IAM · GCP audit IAM · Azure RBAC · Access Analyzer · Wiz CSPM · Lacework · Orca · Prisma Cloud · Scout Suite · excessive permission correlation across multi-cloud exports.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this vertical.
- aws cloudtrail iam anomaly forensic analyzer · drop cloudtrail iam event export · parse user/role + action bursts + deny patterns · runs locally
- gcp audit log iam privilege forensic analyzer · drop gcp audit log iam export · parse binding changes + service account keys · runs locally
- azure activity log rbac forensic analyzer · drop azure activity log rbac export · parse role assignment + pim activation · runs locally
- cloud iam excessive permission correlator · drop 2+ iam/cspm exports · correlate over-privileged principals graph · runs locally
- case report generator · fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
also useful · secondary tools
cross-cutting tools that surface depending on the specific investigation.
- aws iam access analyzer finding forensic analyzer · drop access analyzer finding export · parse resource + finding type + status timeline · runs locally
- wiz cspm misconfiguration forensic analyzer · drop wiz cspm issue export · parse severity + resource + remediation status · runs locally
- lacework cloud security event forensic analyzer · drop lacework alert export · parse policy + entity + anomaly score · runs locally
- orca cloud security alert forensic analyzer · drop orca alert export · parse asset + risk factor + attack path hints · runs locally
- prisma cloud alert forensic analyzer · drop prisma cloud alert export · parse policy + resource + compliance standard · runs locally
- scout suite aws assessment forensic analyzer · drop scout suite html/json assessment export · parse flagged services + rules · runs locally
- evidence manifest generator · drop evidence files · compute md5 sha1 sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
want deeper cloud IAM coverage?
this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.