TrailShark: Understanding AWS API and Service Interactions
ID: 390b6a3a-9c4e-57e3-8d6e-259cdb71f512
STIX ID: report--390b6a3a-9c4e-57e3-8d6e-259cdb71f512
Feed Name: Aqua Security Blog
This blog introduces TrailShark, an open-source tool that feeds AWS CloudTrail events into Wireshark for near-real-time analysis and custom event detection. The authors used it during "Bucket Monopoly" research to uncover six AWS vulnerabilities (ranging from RCE and service takeover to data exposure and DoS) and demonstrate how visibility into inner API calls can reveal hidden resource creation and suspicious behaviors.
