I tried the hands-on free lab of Pwned Labs - Breach in the Cloud! 🌩️✨
The Huge Logistics security team provided me with AWS keys to an account that saw some unusual activity. They also gave me AWS CloudTrail logs to investigate. The mission? Confirm the breach by analyzing the CloudTrail logs, identifying the compromised AWS service, and figuring out if any data was exfiltrated.
The lab felt like a purple teaming experience—a blend of both blue and red team activities.
First, I had to investigate like a blue team, going through JSON CloudTrail logs 🗂️.
Then, I switched hats to a red teamer 🧑💻, retracing the attack. Red + Blue = Purple! I absolutely loved this combo. 💜
It also taught me a ton about AWS IAM Policies, CloudTrail, and AWS STS (Security Token Service).
AWS STS is a service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or federated users. It’s commonly used to enable cross-account access and also plays a role in providing federated access for SSO setups.
I was given AWS credentials—an Access Key ID and Secret Access Key.
At first, I thought, “Can I log into the AWS Console using these?” 🤔 But I quickly learned that you cannot directly log in to the AWS GUI console with just an Access Key ID and Secret Access Key. These credentials are meant for programmatic access via AWS CLI or APIs, not for the web interface.
To log into the AWS Console, you need an IAM username and password, or you use a federated login method such as Single Sign-On (SSO) or temporary credentials issued via AWS STS. SSO allows you to use one set of credentials to log into various services—super convenient!
After that realization, I fired up my Kali terminal 🔥 and used the aws configure command to input the access keys. I became temp-user, the one whose account got compromised. Just like in Linux where we use whoami, in AWS CLI, we can use aws sts get-caller-identity to see who we are in the AWS world. Pretty cool, right?
Next, I checked the inline policies attached to temp-user by running:
aws iam list-user-policies --user-name temp-user
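The blue-team half of the lab boils down to reading the CloudTrail JSON for the compromised principal and spotting the same calls I was about to replay as a red teamer (sts:GetCallerIdentity, iam:ListUserPolicies, then whatever touched data). The script below is an added example, not part of the lab or of Pwned Labs' material: it takes a CloudTrail export in the standard {"Records": [...]} layout, filters it to one suspect IAM user, and summarises recon calls, data-access calls and whether those data calls succeeded. The log records, bucket name, IP addresses and key ID inside it are constructed placeholders, and the RECON_CALLS / DATA_ACCESS_CALLS lists are my own choice of indicators, not an AWS-defined set.

```python
import json
from collections import Counter

# Constructed sample CloudTrail export (placeholder data, not from the lab).
# Field names follow the CloudTrail record format: eventTime, eventSource,
# eventName, userIdentity, sourceIPAddress, requestParameters, errorCode.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "LookupEvents", "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "sec-analyst"}},
    {"eventTime": "2024-01-10T09:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user",
                      "accessKeyId": "AKIAEXAMPLEPLACEHOLDER"}},
    {"eventTime": "2024-01-10T09:00:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUserPolicies", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "temp-user"},
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"}},
    {"eventTime": "2024-01-10T09:01:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"}},
    {"eventTime": "2024-01-10T09:01:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "example-backups", "key": "customers.csv"},
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"}},
    {"eventTime": "2024-01-10T09:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-backups", "key": "finance/q4.xlsx"},
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"}},
]})

# Analyst-chosen indicators (assumption, not an AWS list): calls that typically
# appear when someone checks what a stolen key can do, and calls that read data.
RECON_CALLS = {"sts:GetCallerIdentity", "iam:ListUserPolicies", "iam:GetUserPolicy",
               "iam:ListAttachedUserPolicies", "s3:ListBuckets"}
DATA_ACCESS_CALLS = {"s3:GetObject", "s3:CopyObject",
                     "secretsmanager:GetSecretValue", "dynamodb:Scan"}


def parse_records(raw):
    """Accept a CloudTrail export ({"Records": [...]}) or a bare list of records."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    return data["Records"] if isinstance(data, dict) else list(data)


def principal(record):
    """Best-effort name of the identity that made the call."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def api_call(record):
    """Render eventSource + eventName as service:Action, e.g. sts:GetCallerIdentity."""
    service = record["eventSource"].split(".")[0]
    return f"{service}:{record['eventName']}"


def investigate(raw, suspect):
    """Summarise what one principal did: call counts, source IPs, recon and data access."""
    records = sorted((r for r in parse_records(raw) if principal(r) == suspect),
                     key=lambda r: r["eventTime"])
    summary = {"calls": Counter(), "source_ips": Counter(), "recon": [],
               "data_access": [], "denied": 0,
               "window": (records[0]["eventTime"], records[-1]["eventTime"]) if records else None}
    for r in records:
        call = api_call(r)
        summary["calls"][call] += 1
        summary["source_ips"][r.get("sourceIPAddress", "?")] += 1
        denied = bool(r.get("errorCode"))   # AccessDenied etc. still means the key was used
        summary["denied"] += denied
        if call in RECON_CALLS:
            summary["recon"].append((r["eventTime"], call))
        if call in DATA_ACCESS_CALLS:
            params = r.get("requestParameters") or {}
            obj = "/".join(p for p in (params.get("bucketName"), params.get("key")) if p)
            summary["data_access"].append((r["eventTime"], call, obj, not denied))
    return summary


def retrieved_objects(summary):
    """Objects the suspect actually read, i.e. the candidate exfiltrated data."""
    return [obj for _, _, obj, ok in summary["data_access"] if ok]


if __name__ == "__main__":
    s = investigate(SAMPLE_LOG, "temp-user")
    print("activity window:", s["window"])
    print("source IPs:", dict(s["source_ips"]))
    print("recon calls:", s["recon"])
    print("data read:", retrieved_objects(s), "| denied calls:", s["denied"])
```

Running it prints the timeline for temp-user only; the sec-analyst LookupEvents record is dropped by the principal filter. A real export from S3 is gzip-compressed per file, so the practical usage is to decompress each file and pass its JSON text to investigate(), keeping the source IP and access key ID columns in the report so the blue-team story lines up with the red-team replay.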