The big picture
From my recent AWS IR conversations, I have noticed that many professionals, whether internal or external teams, still use the AWS CLI or even the AWS GUI to get their environment context.
When IR teams want to investigate an incident, especially when they arrive at a new customer, they can't spend time manually modeling the environment. We have the best technologies and AI on our side, and it no longer makes sense to open a GUI to determine which AWS access keys and EC2 instances exist.

Why is context critical?
How would you know if a legitimate application or user created a specific asset or access? Adversaries use the same APIs and methods as administrators and developers. Sometimes the logs are exactly the same, so the only way to tell whether a specific activity is malicious is its context. Context means answers to questions such as: When was it created? Why? Who created it? From which location? With which user agent?
So, we need the context constantly, and we also need to be able to access it in seconds and interact with it quickly without the barriers of a specific CLI or GUI.
How can you use this project?
This project has two parts:
- Get the context and metadata from your AWS environment, where you will end up with one JSON file.
- A simple user interface to interact with your context.
*You can download your specific JSON and upload it to ChatGPT or your favorite LLM chat to ask questions about it.
AWS has serverless options, so we leveraged CloudFormation and Lambda. Thus, you don't need to perform any manual processes to get all the metadata and context data you need.
All you need to do is provide the proper AWS permissions so that the deployment can create temporary S3 files and invoke the Lambda function to fetch relevant metadata.
This implementation can also be run repeatedly to compare current metadata with any historical version.
This proof-of-concept shows how to automate AWS context retrieval for IR and SecOps use cases—with AI-ready integration.
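To illustrate comparing current metadata with a historical version, here is an added example (not code from the AWSight-IR project) that diffs two context snapshots and reports added, removed and changed resources. The snapshot layout (resource type mapped to a list of records with an `id` field), the function names and all sample values are assumptions constructed for this example, not the project's output schema.

```python
# Constructed sample snapshots. The layout (resource type -> list of records,
# each with an "id") is an assumption, not the AWSight-IR output schema.
BASELINE = {
    "iam_access_keys": [
        {"id": "AKIAEXAMPLEKEY0001", "user": "ci-deploy", "status": "Active"},
    ],
    "ec2_instances": [
        {"id": "i-0example000000001", "state": "running",
         "security_groups": ["sg-web"]},
    ],
}
CURRENT = {
    "iam_access_keys": [
        {"id": "AKIAEXAMPLEKEY0001", "user": "ci-deploy", "status": "Active"},
        {"id": "AKIAEXAMPLEKEY0002", "user": "ci-deploy", "status": "Active"},
    ],
    "ec2_instances": [
        {"id": "i-0example000000001", "state": "running",
         "security_groups": ["sg-web", "sg-open-ssh"]},
    ],
}


def index_snapshot(snapshot):
    """Flatten a snapshot to {(resource_type, id): record}; skip records without an id."""
    return {
        (rtype, rec["id"]): rec
        for rtype, records in snapshot.items()
        for rec in records
        if "id" in rec
    }


def diff_snapshots(old, new):
    """Return resources added, removed, and changed (per field) between two snapshots."""
    old_ix, new_ix = index_snapshot(old), index_snapshot(new)
    changed = {}
    for key in sorted(old_ix.keys() & new_ix.keys()):
        before, after = old_ix[key], new_ix[key]
        fields = {f: (before.get(f), after.get(f))
                  for f in before.keys() | after.keys()
                  if before.get(f) != after.get(f)}
        if fields:
            changed[key] = fields
    return {"added": sorted(new_ix.keys() - old_ix.keys()),
            "removed": sorted(old_ix.keys() - new_ix.keys()),
            "changed": changed}


if __name__ == "__main__":
    print(diff_snapshots(BASELINE, CURRENT))
```

In practice the two inputs would be loaded with `json.load` from a stored snapshot and the newest one, after adapting `index_snapshot` to the real file layout.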
How does it work?
✅ Uploads a Lambda function ZIP file to S3.
✅ Deploys the necessary AWS infrastructure using CloudFormation.
✅ Invokes the Lambda function to fetch critical security data.
✅ Retrieves and processes the latest IR data from S3.
✅ Cleans up AWS resources automatically post-execution.
🤓🔎 Start working with your context
The full technical installation steps are located here:
https://github.com/tandemtrace-ai/AWSight-IR/tree/main/how-to-install
💡 Why This Matters
Adversaries use the same APIs and methods as administrators and developers, so context is what makes the difference in classifying bad actors.
🔹 Speed Matters → We need context mapping in seconds, not minutes or hours.
🔹 AI as a Force Multiplier → Any AI API can work with this, even DeepSeek 🙂
🔹 Scalability → Works across small and large AWS environments.
🔹 Automation & Integration → No more manual querying—let serverless do the work.
Cybersecurity is fundamentally a data challenge. Attackers move fast, but defenders can move faster.