Project 06 · AWS · Platform · Security
Cloud Security Lab
An end-to-end attack, detect, and respond lab across AWS and Kubernetes: a full MITRE ATT&CK kill chain is executed against the environment, and the detection and response controls that catch it are demonstrated against that same attack.
- Pacu: leaked IAM creds
- PrivEsc: 1k → 15k perms
- S3 Exfil + STS: lateral movement
- CloudTrail + VPC Flow Logs
- OpenSearch: kill-chain SIEM
- GuardDuty: IAM threat findings
- Falco + OPA: K8s runtime
- EventBridge + Lambda: disable keys
/01 Problem
Detection rules are only trustworthy if you have seen them fire against a real attack. This lab builds both sides: an offensive kill chain and the defensive controls that should catch it, so detection efficacy is demonstrated rather than assumed.
/02 Attack
- Pacu executes a full MITRE ATT&CK kill chain against the lab account: initial access with leaked IAM credentials, enumeration of the compromised principal's permissions, then privilege escalation by attaching a policy to that principal, expanding it from 1,039 to 15,319 permitted actions.
- With the escalated principal, S3 exfiltration of staged PII and lateral movement by assuming other roles through STS (sts:AssumeRole).
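The stages above each leave a distinct footprint in CloudTrail, which is what the SIEM correlation in the next section keys on. The following is an added example, not the lab's own code: it groups CloudTrail records by the access key that signed them and flags a key only when enumeration, policy attachment, S3 reads and an STS AssumeRole occur in that order inside a time window. The event-name sets per stage are an assumption about what Pacu-style tooling emits, the sample records are constructed and abbreviated, and the S3 GetObject stage only exists if the trail records S3 data events (management-only trails will not show it).

```python
"""Kill-chain correlation over CloudTrail records (added example, not the lab's code).

Groups API calls by the access key that signed them and checks whether the
attack stages occur in order inside a time window:
enumeration -> privilege escalation via policy attachment -> S3 exfiltration
-> STS lateral movement. Sample records are constructed, not real CloudTrail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# eventSource / eventName pairs that mark each stage. The name sets are an
# assumption about what Pacu-style tooling emits, not a complete catalogue.
STAGES = [
    ("enumeration", "iam.amazonaws.com",
     {"GetUser", "ListAttachedUserPolicies", "ListUserPolicies",
      "GetAccountAuthorizationDetails", "ListRoles", "ListPolicies"}),
    ("privesc", "iam.amazonaws.com",
     {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
      "CreatePolicyVersion", "AddUserToGroup"}),
    ("exfil", "s3.amazonaws.com", {"GetObject"}),   # requires S3 data events in the trail
    ("lateral", "sts.amazonaws.com", {"AssumeRole"}),
]
STAGE_ORDER = [name for name, _, _ in STAGES]


def classify(record):
    """Return the kill-chain stage a CloudTrail record belongs to, or None."""
    for name, source, names in STAGES:
        if record.get("eventSource") == source and record.get("eventName") in names:
            return name
    return None


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate_kill_chain(records, window_minutes=60):
    """Return {accessKeyId: [(stage, eventName, time), ...]} for every key that
    completed all stages, in order, within window_minutes of its first stage."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for rec in records:
        stage = classify(rec)
        if stage is None:
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append((parse_time(rec["eventTime"]), stage, rec["eventName"]))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        seen, start = [], None
        for when, stage, name in events:
            if start is not None and when - start > window:
                break
            # Advance only when the next expected stage appears; repeats of an
            # earlier stage (more enumeration after privesc) are ignored.
            if len(seen) < len(STAGE_ORDER) and stage == STAGE_ORDER[len(seen)]:
                start = start or when
                seen.append((stage, name, when.strftime("%H:%M:%S")))
        if len(seen) == len(STAGE_ORDER):
            alerts[key] = seen
    return alerts


def make_record(when, source, name, key, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": when, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    rec.update(extra)
    return rec


ATTACKER, OPERATOR = "AKIAIOSFODNN7EXAMPLE", "AKIAOPERATOREXAMPLE"  # placeholder key IDs
SAMPLE_EVENTS = [  # constructed; the attacker key walks the full chain in 20 minutes
    make_record("2024-05-01T10:00:05Z", "iam.amazonaws.com", "GetUser", ATTACKER),
    make_record("2024-05-01T10:00:09Z", "iam.amazonaws.com", "ListAttachedUserPolicies", ATTACKER),
    make_record("2024-05-01T10:04:40Z", "iam.amazonaws.com", "AttachUserPolicy", ATTACKER,
                requestParameters={"policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    make_record("2024-05-01T10:12:01Z", "s3.amazonaws.com", "GetObject", ATTACKER,
                requestParameters={"bucketName": "lab-pii-staging", "key": "customers.csv"}),
    make_record("2024-05-01T10:20:33Z", "sts.amazonaws.com", "AssumeRole", ATTACKER),
    # An operator key that enumerates, reads S3 and assumes a role, but never escalates.
    make_record("2024-05-01T10:01:00Z", "iam.amazonaws.com", "ListRoles", OPERATOR),
    make_record("2024-05-01T10:02:00Z", "s3.amazonaws.com", "GetObject", OPERATOR),
    make_record("2024-05-01T10:03:00Z", "sts.amazonaws.com", "AssumeRole", OPERATOR),
]

if __name__ == "__main__":
    for key, chain in correlate_kill_chain(SAMPLE_EVENTS).items():
        print(key, "->", " > ".join(f"{s}:{n}@{t}" for s, n, t in chain))
```

Keying on the access key rather than the user ARN matters here: once the attacker assumes a role, further calls are attributed to the role session, so the lateral stage is the last event this rule can tie to the stolen key, and the assumed role needs its own correlation.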
/03 Detect & Respond
- CloudTrail and VPC Flow Logs feed an OpenSearch SIEM whose dashboard correlates events into the kill-chain stages above, so each attack step is visible as a detection rather than a guess.
- GuardDuty findings on IAM threats match an EventBridge rule that invokes a Lambda, which automatically disables the compromised access key.
- On Kubernetes, Falco runs as a DaemonSet with four custom rules that fired on every simulated runtime attack in the lab's test set: shell spawning in a container, sensitive file reads, unauthorized binary execution, and container escape via a host mount.
- OPA Gatekeeper enforces three constraint templates that block privileged containers, host namespace access (hostPID, hostNetwork, hostIPC), and running as root across all non-system namespaces.
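The GuardDuty → EventBridge → Lambda containment path, as an added example rather than the lab's own Lambda: the handler checks that the finding really names a long-term IAM access key and, if so, calls iam:UpdateAccessKey to set it Inactive. The EventBridge pattern, the severity floor, and the user names are this example's assumptions; the IAM client is injected so the decision logic runs offline, and the sample finding is constructed and abbreviated.

```python
"""Auto-containment for GuardDuty IAM findings (added example, not the lab's Lambda).

EventBridge delivers the finding; the handler verifies it names a long-term
IAM access key and sets that key to Inactive with iam:UpdateAccessKey. The
IAM client is injectable so the decision logic can be exercised offline; the
sample finding below is constructed and abbreviated.
"""

# Assumed EventBridge rule pattern for the Lambda target. Source and
# detail-type are what GuardDuty emits; the severity floor is this example's choice.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
MIN_SEVERITY = 7.0


def should_disable(detail, min_severity=MIN_SEVERITY):
    """Return (accessKeyId, userName) if the finding warrants disabling a key, else None."""
    if float(detail.get("severity", 0)) < min_severity:
        return None
    if ":IAMUser/" not in detail.get("type", ""):      # only IAM-principal finding types
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "AccessKey":
        return None
    akd = resource.get("accessKeyDetails", {})
    key_id, user, user_type = akd.get("accessKeyId", ""), akd.get("userName"), akd.get("userType")
    # Only long-term user keys (AKIA...) can be deactivated with UpdateAccessKey.
    # Temporary credentials (ASIA..., userType AssumedRole) and root keys need a
    # different response: revoke the role's sessions, or rotate root out of band.
    if user_type != "IAMUser" or not key_id.startswith("AKIA") or not user:
        return None
    return key_id, user


def lambda_handler(event, context=None, iam=None):
    """Lambda entry point. `iam` is injectable for tests; defaults to a real boto3 client."""
    detail = event.get("detail", {})
    decision = should_disable(detail)
    if decision is None:
        return {"action": "none", "findingId": detail.get("id")}
    key_id, user = decision
    if iam is None:
        import boto3  # imported lazily so the decision logic runs without the SDK
        iam = boto3.client("iam")
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    return {"action": "disabled", "accessKeyId": key_id, "userName": user,
            "findingId": detail.get("id")}


class RecordingIAM:
    """Stand-in for boto3's IAM client that records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


SAMPLE_EVENT = {   # constructed, abbreviated finding as EventBridge would wrap it
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id",
        "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
        "severity": 8,
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",  # AWS docs placeholder
                                 "userName": "lab-ops", "userType": "IAMUser"},
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, iam=RecordingIAM()))
```

Two caveats a responder should keep in mind. Deactivating the key stops new requests signed with it, but role sessions the attacker already obtained with sts:AssumeRole are bound to the role, not the key, and stay valid until they expire; closing the lateral-movement stage means also revoking those sessions on the target roles. And the Lambda's execution role should be allowed iam:UpdateAccessKey only on the lab's user ARNs, since a responder that can disable any key in the account is itself a privilege-escalation target.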
/04 Outcome
A closed loop from exploitation to automated containment, with every control demonstrated against a live attack rather than described in the abstract.
62 Terraform resources across 7 modules, deployable and destroyable on demand.
GuardDuty · OpenSearch · Falco · OPA Gatekeeper · EventBridge · Lambda · Pacu · Terraform