You will learn about 4 types of unauthorised events that can occur within an AWS account:
- Unauthorised IAM Credential Use
- Ransom events on S3
- Cryptominer Based Security Events
- Server Side Request Forgery (SSRF) with Instance Metadata Service Version 1 (IMDSv1)
“Unauthorised IAM Credential Use” will simulate the unauthorised use of IAM credentials by using a script invoked within AWS CloudShell. The script will perform reconnaissance and privilege escalation activities that are typically performed during events of this nature. You will also learn some tools and processes to find evidence of unauthorised activity.
“Ransom events on S3” will use an AWS CloudFormation template to replicate an environment with multiple IAM users and five Amazon Simple Storage Service (Amazon S3) buckets. AWS CloudShell will then run a script that simulates data exfiltration and deletion events that replicate a ransom-based security event. You will also learn how to use some tools to find evidence of unauthorised S3 bucket and object deletions and access.
“Cryptominer Based Security Events” will simulate a cryptomining security event by using a CloudFormation template to initialise three Amazon Elastic Compute Cloud (Amazon EC2) instances. These EC2 instances will mimic cryptomining activity by performing DNS requests to known cryptomining domains. You will also learn how to use some tools to find evidence of unauthorised creation of EC2 instances and communication with known cryptomining domains.
“Server Side Request Forgery (SSRF) with Instance Metadata Service Version 1 (IMDSv1)” will simulate the unauthorised use of a web application that is hosted on an EC2 instance, configured to use IMDSv1, and vulnerable to SSRF. You will learn how web application vulnerabilities, such as SSRF, can be used to obtain credentials from an EC2 instance. You will also learn how to find evidence of the unauthorised use of EC2 instance credentials.
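As an added example for the SSRF/IMDSv1 scenario (not part of the workshop), the following Python flags CloudTrail-style records in which an EC2 instance role's credentials were used from an IP other than the instance's own egress address. The instance inventory, account ID, role name and records are constructed sample data.

```python
"""Flag EC2 instance-role credentials used from an unexpected source IP.

IMDS-issued credentials belong to a role session named after the instance
(assumed-role/<RoleName>/<instance-id>); calls made with them from any IP
other than that instance's egress address suggest the credentials were reused.
"""
import re

# Constructed inventory: instance ID -> expected egress IPs. In practice built
# from ec2:DescribeInstances plus any NAT gateway / VPC endpoint addresses.
INSTANCE_EGRESS_IPS = {"i-0abc1234def567890": {"203.0.113.10"}}

# Constructed CloudTrail-style records (only the fields the check needs).
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0abc1234def567890"
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]

# The session name of IMDS-issued credentials is the instance ID (i-<hex>).
SESSION_RE = re.compile(r":assumed-role/(?P<role>[^/]+)/(?P<inst>i-[0-9a-f]{8,17})$")

def instance_session(event):
    """Return (role, instance_id) if the caller is an EC2 instance role session."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    m = SESSION_RE.search(ident.get("arn", ""))
    return (m.group("role"), m.group("inst")) if m else None

def find_credential_reuse(events, egress_ips):
    """Return instance-role calls whose source IP is not the instance's own."""
    findings = []
    for ev in events:
        sess = instance_session(ev)
        if sess is None:
            continue
        role, instance_id = sess
        if ev["sourceIPAddress"] not in egress_ips.get(instance_id, set()):
            findings.append({"instance": instance_id, "role": role, "eventName": ev["eventName"],
                             "sourceIP": ev["sourceIPAddress"], "eventTime": ev["eventTime"]})
    return findings
```

Instances behind a NAT gateway or calling through VPC endpoints will show the NAT or private address in sourceIPAddress, so the inventory must include those addresses to avoid false positives.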