A complete AWS security breach simulation demonstrating professional SOC incident response methodology.
End-to-end cloud security incident simulation featuring:
- 3-phase attack chain: Initial access → Privilege escalation → Data exfiltration
- Automated forensics: Custom Python tools analyzing 12,000+ CloudTrail events
- Professional documentation: 25-page incident response report with executive summary
- MITRE ATT&CK mapping: 5 techniques across 4 tactics
- NIST SP 800-61 alignment: Structured incident response methodology
| Metric | Value |
|---|---|
| CloudTrail Events Analyzed | 12,444 |
| Suspicious Events Identified | 15 (0.12% signal-to-noise) |
| Attack Scripts Developed | 3 (766 lines of Python) |
| Data Exfiltrated | 4 files (2.52 KB) - PII, healthcare, credentials |
| IOCs Extracted | 2 users, 2 IPs, 2 access keys |
| Documentation | 588 lines (IR report + technical docs) |
AWS service account credentials (dev-api-service) leaked via insecure storage, granting an attacker access under an overly permissive IAM policy:
- `s3:*` on all buckets
- `iam:CreateUser` + `iam:AttachUserPolicy`
Phase 1: Reconnaissance (21:01:33 - 21:01:50 UTC)
- 7 enumeration API calls in 17 seconds
- Discovered S3 buckets, IAM users, network topology

Phase 2: Privilege Escalation (21:06:03 - 21:07:32 UTC)
- Created backdoor user `backup-admin`
- Attached `AdministratorAccess` policy
- Generated persistent access keys

Phase 3: Data Exfiltration (21:11:59 - 21:12:03 UTC)
- Downloaded 4 sensitive files:
  - `customers.csv` - PII with SSN and credit cards
  - `patient-records.csv` - HIPAA protected healthcare data
  - `api-keys.txt` - Third-party service credentials
  - `transactions.json` - Financial transaction records
```
┌─────────────────────────────────────────────────────────┐
│                     AWS ENVIRONMENT                     │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  CloudTrail (Multi-Region)                              │
│  ├─> Logs all API calls to S3                           │
│  └─> Log validation enabled (tamper-proof)              │
│                                                         │
│  Victim Environment                                     │
│  ├─> IAM: dev-api-service (vulnerable policy)           │
│  ├─> S3: customer-data-027929660855 (sensitive data)    │
│  └─> IAM: backup-admin (attacker-created backdoor)      │
│                                                         │
│  GuardDuty (Planned)                                    │
│  └─> Automated threat detection (pending activation)    │
│                                                         │
└─────────────────────────────────────────────────────────┘
                             │
                             ▼
┌─────────────────────────────────────────────────────────┐
│                 FORENSIC INVESTIGATION                  │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  CloudTrail Logs (1,989 files, 25 MB)                   │
│  └─> 12,444 total events                                │
│                                                         │
│  forensic_analyzer.py                                   │
│  ├─> Filters to 15 suspicious events                    │
│  ├─> Builds attack timeline                             │
│  ├─> Extracts IOCs                                      │
│  └─> Generates investigation report (JSON)              │
│                                                         │
│  Incident Response Report (Markdown)                    │
│  ├─> Executive summary                                  │
│  ├─> Technical timeline with evidence                   │
│  ├─> Root cause analysis                                │
│  └─> Remediation recommendations                        │
│                                                         │
└─────────────────────────────────────────────────────────┘
```
```
cloud-ir-simulation/
│
├── attack-simulation/                  # Attack phase artifacts
│   ├── scripts/
│   │   ├── reconnaissance.py           # Phase 1: Discovery
│   │   ├── privilege_escalation.py     # Phase 2: Backdoor creation
│   │   └── data_exfiltration.py        # Phase 3: Data theft
│   ├── mock-data/                      # Simulated sensitive data
│   ├── reconnaissance-report.json      # Discovery results
│   ├── privilege-escalation-report.json
│   ├── exfiltration-report.json
│   ├── VULNERABILITIES.md              # Security gap analysis
│   └── vulnerable-policy.json          # Overly permissive IAM policy
│
├── scripts/                            # Forensic investigation tools
│   ├── forensic_analyzer.py            # Main analysis tool
│   └── guardduty_fetcher.py            # GuardDuty integration (planned)
│
├── evidence/                           # Investigation artifacts
│   ├── cloudtrail-logs/                # 12,444 API events (25 MB)
│   └── investigation-report.json       # Machine-readable findings
│
├── docs/                               # Documentation
│   ├── incident-response-report.md     # 25-page IR report
│   ├── progress-log.md                 # Session notes
│   ├── guardduty-integration.md        # Future enhancement plan
│   └── cloudtrail-bucket-policy.json   # Infrastructure config
│
└── detection/                          # SIEM rules (future)
```
| Tactic | Technique | Implementation |
|---|---|---|
| Initial Access | T1078.004 - Valid Cloud Accounts | Compromised AWS credentials |
| Discovery | T1580 - Cloud Infrastructure Discovery | ListBuckets, DescribeInstances |
| Privilege Escalation | T1098.001 - Additional Cloud Credentials | CreateUser, AttachUserPolicy |
| Collection | T1530 - Data from Cloud Storage | GetObject on sensitive S3 files |
| Exfiltration | T1537 - Transfer Data to Cloud Account | Downloaded to attacker system |
- AWS account with appropriate permissions
- Python 3.11+
- AWS CLI configured
- boto3 library
1. Clone and setup:

```bash
git clone <repository-url>
cd cloud-ir-simulation
pip install boto3 --break-system-packages
```

2. Configure AWS credentials:

```bash
aws configure
# Enter your access key, secret key, and region
```

3. Run forensic analysis:

```bash
# Analyze CloudTrail logs to find the attack
python3 scripts/forensic_analyzer.py
```

4. View results:

```bash
# Investigation findings (JSON)
cat evidence/investigation-report.json | jq '.'

# Full incident response report (Markdown)
cat docs/incident-response-report.md | less
```

Attack simulation (run only in the isolated lab account):

```bash
# Phase 1: Reconnaissance
python3 attack-simulation/scripts/reconnaissance.py

# Phase 2: Privilege Escalation
python3 attack-simulation/scripts/privilege_escalation.py

# Phase 3: Data Exfiltration
python3 attack-simulation/scripts/data_exfiltration.py
```

Overly permissive IAM policy granting the service account the ability to:
- Access ALL S3 buckets (`s3:*`)
- Create IAM users (`iam:CreateUser`)
- Attach ANY policy (`iam:AttachUserPolicy`)
- ✗ S3 data events not logged in CloudTrail
- ✗ S3 bucket encryption not enabled
- ✗ No automated alerting (GuardDuty pending activation)
- ✗ No S3 access logging
- ✗ Wildcard IAM permissions
- GDPR: Article 32 encryption requirement violated
- HIPAA: Security Rule encryption standard violated
- PCI-DSS: Requirement 3.4 cardholder data protection violated
- Revoke compromised credentials
- Delete backdoor user (`backup-admin`)
- Implement least-privilege IAM policy
- Enable S3 bucket encryption
- Enable S3 access logging
- Enable GuardDuty for automated threat detection
- Configure CloudWatch alarms for IAM actions
- Enable S3 data event logging
- Deploy AWS Config for compliance
- Implement IAM permission boundaries
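The wildcard and IAM-escalation findings above, and the least-privilege remediation, can be checked mechanically. The following is an added example, not the project's `vulnerable-policy.json` or its tooling: a small policy linter run against a constructed policy matching the scenario and against an assumed least-privilege replacement (the bucket name in it is a placeholder).

```python
# Constructed to match the scenario: s3:* on every bucket plus the two IAM actions used for escalation.
VULNERABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
    ],
}

# Assumed least-privilege replacement: read-only on the one bucket the service needs, no IAM rights at all.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-uploads-PLACEHOLDER/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::app-uploads-PLACEHOLDER"},
    ],
}

# IAM actions that let a principal mint new credentials or grant itself more rights (the T1098.001 path).
PRIV_ESC_ACTIONS = {"iam:createuser", "iam:attachuserpolicy", "iam:putuserpolicy",
                    "iam:createaccesskey", "iam:attachrolepolicy", "iam:passrole"}

def as_list(value):
    """IAM accepts Statement/Action/Resource as a bare value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_risks(policy):
    """Return (statement_index, finding) pairs for Allow statements that are wildcarded or escalation-capable."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"wildcard action {a}"))
            elif a in PRIV_ESC_ACTIONS:
                findings.append((i, f"privilege-escalation action {a}"))
        # Resource "*" combined with s3:/iam: actions reaches every bucket or principal in the account.
        if "*" in as_list(st.get("Resource", [])) and any(a.split(":")[0] in ("s3", "iam", "*") for a in actions):
            findings.append((i, "Resource '*' - statement is not scoped to specific ARNs"))
    return findings

def is_least_privilege(policy):
    return not find_risks(policy)
```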
Cloud Security:
- AWS CloudTrail forensics
- IAM policy analysis
- S3 security controls
- Threat detection strategies
Incident Response:
- NIST SP 800-61 methodology
- IOC extraction and correlation
- Timeline reconstruction
- Root cause analysis
- Executive reporting
Technical:
- Python automation (1,242 lines)
- Log analysis at scale (12K+ events)
- MITRE ATT&CK framework
- Git version control (10 commits)
- GuardDuty integration (automated findings correlation)
- ELK Stack deployment (centralized log analysis)
- Custom SIEM detection rules
- Automated remediation with Lambda
- AWS Security Hub integration
See docs/guardduty-integration.md for detailed integration plan.
This is a controlled security research project for educational purposes.
- All attack activity conducted in isolated AWS account
- Mock sensitive data used (no real PII)
- Access keys redacted in public documentation
- Complies with AWS Acceptable Use Policy
| Document | Description |
|---|---|
| docs/incident-response-report.md | Complete 25-page IR report |
| docs/progress-log.md | Session-by-session development notes |
| attack-simulation/VULNERABILITIES.md | Security gap analysis |
| docs/guardduty-integration.md | Future enhancement plan |
- NIST SP 800-61 Rev 2 - Incident Response Guide
- MITRE ATT&CK Cloud Matrix - Attack Techniques
- AWS CloudTrail User Guide - Log Analysis
- AWS Security Best Practices - Architecture
Imam Uddin Mohammed
- Cybersecurity Graduate Student @ University of Central Oklahoma
- Focus: Cloud Security, Incident Response, Threat Hunting
This project is for educational purposes. See organization policies regarding security research.
Built with Python | Powered by AWS | Aligned with NIST