AWS Security - The Purple Team Way

Thu, Mar 12, 2026 10:00 AM CST
Círculo Ejecutivo Vallarta
Av. de la Paz 2643, Arcos Vallarta, Guadalajara, Jalisco, 44130, MX

About

This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a deep understanding of how real attack and defense techniques work in AWS, and you’ll be able to understand the hardening requirements, replicate attacks, generate detection use cases, and execute forensic techniques.

Full Agenda

  • Phase 1: Attacking The Cloud

    • From Initial Access to Privilege Escalation

      • Understanding AWS IAM in full

      • Lateral Movement with IAM

      • Malware Analysis of TeamTNT Infostealer

      • Getting Credentials from Misconfigurations

      • Privilege Escalation via IAM policies

      • Privilege Escalation via IAM Roles

      • Privilege Escalation via Exec to Instances and Containers

    • From Defense Evasion to Persistence

      • Getting Blind Spots in the Shared Responsibility Model

      • Bypassing GuardDuty

      • Understanding how CloudTrail logs work

      • Tampering with CloudTrail without getting caught

      • Living off the Land Techniques

      • Persistence in AWS via SSH implant

      • Persistence in AWS via LotL

  • Phase 2: The Blue Team Way

    • Security Detection in AWS

      • CloudTrail for API Call Logging

      • Understanding the complete supply chain

      • SIEM Integration and Detection Use Case Creation

      • Understanding the Delays in SIEM integration

      • Understanding EventBridge for Automated Response

      • Hardening Best Practices

    • Incident Response in AWS

      • Using the CloudTrail Digest to detect tampering

      • Creating an Athena table for CloudTrail Analysis when SIEM Fails

      • Using Event History as a last resort

      • Forensic Images of EC2 instances

      • Network Isolation of AWS instances

      • AWS Threat Hunting 101

      • How to detect persistence in AWS

Requirements

Participants should have the following ready before the training:

  • AWS CLI installed

  • Terraform installed

  • GitHub account for cloning lab repos

  • Knowledge of AWS Security Fundamentals

An email with detailed setup instructions will be sent beforehand.

Trainer

Santiago Abastante
Former Police Officer turned Cloud Security Engineer with over 10 years of incident response expertise. Currently serves as Head of Infrastructure and Security at Solidarity Labs, where he created Dredge, an open-source cloud incident response framework. International speaker at Virus Bulletin, FIRST, Ekoparty, and Hack.Lu, specializing in cloud security across AWS, GCP, Azure, and Kubernetes environments.

Tickets

MX$3,499.00

The ticket includes:
- Full access to the 5-to-8-hour training and materials
- Lunch and coffee break
- Exclusive training gift swag
- Individual admission to HackGDL

MX$4,500.00
Sold out

The ticket includes:
- Full access to the 5-to-8-hour training and materials
- Lunch and coffee break
- Exclusive training gift swag
- Individual admission to HackGDL

Organizer

HackGDL