API call forensics is one of the most important components of cloud incident investigation. In cloud environments, every action—whether by a user, IAM role, service, or attacker—is executed through an API call. This makes API logs the single most valuable source of truth in detecting unauthorized access, privilege escalation, data theft, and resource manipulation.

This chapter explains what API call forensics is, where API logs come from in AWS/Azure/GCP, how attackers abuse APIs, and how investigators analyze API traces to reconstruct incidents.

What Is API Call Forensics?

API call forensics is the process of examining cloud API logs to determine:

Who performed an action
What action was performed
When it happened
Where it came from
Whether it was authorized
Whether it was malicious

In the cloud, there is no “local admin” or direct console access. Everything—from launching VMs to accessing data—is performed via API requests.

Thus, API logs become equivalent to:

Process execution logs
Authentication logs
File access logs
System changes logs

all combined into a single powerful source.

Why API Calls Matter in Cloud Incidents

Attackers abuse cloud APIs to:

Steal data from storage buckets
Create backdoor accounts
Change IAM roles
Disable logging or monitoring
Deploy cryptomining instances
Exfiltrate database contents
Delete or tamper with audit logs

Forensics teams depend on API logs to uncover all of this activity.

Where API Call Logs Come From

AWS API Logs

Primary source: CloudTrail

CloudTrail logs capture every AWS API call, including:

RunInstances — create EC2 VM
GetObject — read S3 bucket file
PutUserPolicy — modify IAM policy
AuthorizeSecurityGroupIngress — open inbound ports
CreateSnapshot — attempt to copy EBS volumes

Fields include:

userIdentity
sourceIPAddress
eventName
eventTime
requestParameters
responseElements

CloudTrail is the central evidence source for AWS incidents.

Azure API Logs

Primary source: Azure Activity Logs

Covers:

Resource creation
Deletion
Key vault access
IAM modifications
Network rule changes

Azure AD logs cover sign-in and identity actions.

GCP API Logs

Primary sources:

Admin Activity Logs
Data Access Logs
System Event Logs

Covers:

IAM modifications
Service account activity
VM operations
Cloud Storage access
BigQuery exports

Types of Malicious API Activity

1. Unauthorized Login or Credential Use

Indicators:

Login from new geolocation
Access keys used outside usual time ranges
Service account abused via stolen tokens
API calls from Tor/VPN IPs

2. Privilege Escalation via APIs

Examples:

Attacker attaches AdministratorAccess policy
Creates a new IAM user
Adds themselves to privileged groups
Modifies custom roles

These actions always appear in API logs.

3. Disabling Logging or Security Tools

Attackers often try to cover their tracks.

Examples:

Deleting CloudTrail trails
Disabling GuardDuty
Disabling Azure Defender
Deleting log buckets

These actions are extremely suspicious.

4. Creating Backdoors

Attackers may:

Create new API keys
Create a new VM with malware installed
Add SSH keys to VM metadata
Launch hidden containers
Create new IAM roles

All such actions are visible in API logs.

5. Data Exfiltration via APIs

Cloud data theft often happens entirely through APIs.

Examples:

S3 GetObject for thousands of files
GCP BigQuery export via jobs.insert
Azure Storage mass downloads
Snapshot creation to steal VM disks

API logs show timestamps, volume, and source IPs.

6. Persistence via API Modifications

Indicators:

New access keys for long-term access
Attacker-created automation scripts
Modified autoscaling groups
Rogue serverless functions

API logs reveal exactly when persistence was created.

How Investigators Analyze API Calls

1. Identify the Actor (User, Role, Service Account)

Check fields:

userIdentity.type
arn
principalEmail
serviceAccountName

Determine if the actor is legitimate or compromised.

2. Validate the Source IP / Location

Compare API IP against:

Known office IPs
Usual geolocations
Cloud provider internal IPs

Suspicious actors often use:

VPNs
Tor
Foreign servers
New ISPs

3. Analyze the Sequence of Actions

Typical attacker pattern:

Login
Enumerate resources
Modify IAM
Access storage
Create VM
Exfiltrate data
Disable logging

Timelines reveal attacker intent.

4. Look for Abnormal API Calls

Examples:

New S3 bucket policy allowing public access
VM creation in unusual region
Access to unfamiliar key vault entries
High-volume Data Access calls

5. Correlate API Calls with Network Logs

Examples:

Outbound traffic spike after S3 downloads
Exfiltration via CloudFront or Azure CDN
BigQuery logs followed by outbound transfers

Tools for API Call Forensics

AWS

CloudTrail
Athena for log querying
GuardDuty
Access Analyzer

Azure

Azure Monitor
Kusto Query Language (KQL)
Azure Sentinel

GCP

Cloud Audit Logs
BigQuery
Chronicle Security

Aggregators

Splunk
Elastic
Wazuh
SIEM/SOAR platforms

Signs of Malicious API Activity (Checklist)

IAM user created unexpectedly
High-frequency API calls
Access from unknown IP ranges
Logging disabled or modified
Roles attached with high privileges
Large amounts of data accessed or downloaded
VM instances spun up without reason
Long execution time of API keys
Activity outside business hours

Intel Dump

API calls are the backbone of cloud forensics because all cloud actions occur through APIs.
AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs record every significant action.
Attackers use APIs for privilege escalation, persistence, data theft, VM deployment, and disabling logging.
Investigators analyze API actor identity, action sequences, source IPs, access patterns, and abnormal usage.
Key evidence includes IAM modifications, storage access logs, resource creation, network rule changes, and exfiltration indicators.