flaws2.cloud — Defender Track Index
What it is: Incident response walkthrough on AWS. You're given access to a Security account with CloudTrail logs from the Attacker track compromise and cross-account read access to the Target account.
Two accounts:
- Security account 322079859186 — your analyst base, holds the logs
- Target account 653711331788 — the compromised environment
Objectives
- Objective 1 — Download CloudTrail logs + what CloudTrail is
- Objective 2 — Access the Target account via cross-account IAM role assumption
- Objective 3 — Use jq to parse and analyse the logs + full attack timeline
- Objective 4 — Identify credential theft from CloudTrail events
- Objective 5 — Identify the public ECR repository
- Objective 6 — Use Athena + Glue to query logs with SQL + full vulnerability summary
Key Concepts Covered
| Concept | Where |
|---|---|
| CloudTrail event structure | Objective 1 |
| aws s3 sync | Objective 1 |
| Cross-account IAM, trust policies, source_profile | Objective 2 |
| ~/.aws/config vs ~/.aws/credentials | Objective 2 |
| jq filters, @tsv, select(), fromjson | Objective 3 |
| ANONYMOUS_PRINCIPAL vs AWSService vs AssumedRole | Objective 3 |
| Attack timeline reconstruction | Objective 3 |
| Credential theft detection signals | Objective 4 |
| iam get-role, trust policy vs permission policy | Objective 4 |
| ECR resource-based policies, Principal: "*" | Objective 5 |
| ecr get-repository-policy, jq fromjson | Objective 5 |
| Athena, Glue Data Catalog, SerDe, CREATE EXTERNAL TABLE | Objective 6 |
| Partitioning for production cost reduction | Objective 6 |