May 29, 2026

AWS Detection + Blue Team

Phase 4 notes: AWS detection, CloudTrail analysis, Athena queries, Macie, Security Hub, Amazon Detective, and credential abuse response.

research

Phase 4 — AWS Detection + Blue Team

Phase Summary

Completed 5 labs (4 Blue / 1 Purple) focused on detecting cloud attacks, investigating suspicious activity, and improving AWS security posture.

This phase turns to the defender's side: how the attacks practiced in the earlier AWS phases show up in audit telemetry, and how they are found, triaged, and contained.

Learning Objectives

  • Detect IAM compromise patterns with CloudTrail and Athena.
  • Use managed AWS security services to surface risky S3 data and posture gaps.
  • Understand how credential abuse appears in cloud audit telemetry.
  • Practice investigation workflows with Amazon Detective.
  • Connect red-team behavior to defensive logging, triage, and mitigation.

Lab Path

| Order | Lab | Type | Summary |
|---|---|---|---|
| 19 | Identify IAM Breaches with CloudTrail and Athena | 🔵 Blue | Use CloudTrail and Athena to detect IAM attacks and compromised users. |
| 20 | Secure S3 with Amazon Macie | 🔵 Blue | Discover sensitive data and risky S3 bucket permissions. |
| 21 | Reveal Hidden Risks with AWS Security Hub CSPM | 🔵 Blue | Learn AWS Security Hub and cloud posture management. |
| 22 | Execute and Identify Credential Abuse in AWS | 🔴/🔵 Purple | Practice credential abuse and learn detection/mitigation. |
| 23 | Investigate Threats with Amazon Detective | 🔵 Blue | Learn Amazon Detective for investigating security events. |

Key Knowledge After Phase 4

  1. CloudTrail is the defensive source of truth for AWS control-plane activity and IAM abuse investigations. Management events are recorded by default; S3 object-level and Lambda data events must be enabled separately, and a multi-region (ideally organization-wide) trail is needed to avoid blind spots in regions the attacker chooses.
  2. Athena makes raw CloudTrail logs queryable with SQL, which is how login anomalies, unusual API calls, and compromised identities are pulled out of the bulk of routine activity.
  3. Macie helps prioritize S3 data risk by combining sensitive-data discovery with bucket exposure context (public access, encryption, sharing outside the account).
  4. Security Hub supports CSPM workflows by centralizing findings and surfacing posture issues across services against standards such as the AWS Foundational Security Best Practices.
  5. Amazon Detective improves investigation speed by connecting identities, resources, findings, and behavior into a clearer timeline, so pivoting from a GuardDuty finding to the responsible access key and its other activity takes minutes rather than ad hoc log searches.
  6. Credential abuse detection requires context, not single events: the user's baseline, source IPs, regions, the access key in use, the sequence of API calls (enumeration, then persistence, then privilege escalation), and a remediation path (deactivate and rotate the key, review what it created, reset console access and enforce MFA).
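The context signals listed above, applied to a handful of CloudTrail records, as an added example that is not code from the lab series or from AWS. It runs offline over constructed records (every IP, key ID, timestamp and the per-user baseline are made up); on real data the same checks are Athena queries over the CloudTrail table, but the logic is easier to see in one place. The baseline dictionary, the list of persistence calls and the thresholds are assumptions for illustration.

```python
"""Credential-abuse triage over CloudTrail records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical baseline per IAM user, e.g. built from 30 days of successful
# CloudTrail activity: the source IPs and regions this user normally uses.
BASELINE = {"alice": {"ips": {"203.0.113.10"}, "regions": {"us-east-1"}}}

# IAM calls that create persistence or widen access once a key is stolen (assumed list).
PERSISTENCE_CALLS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                     "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy"}
ENUM_PREFIXES = ("List", "Describe", "Get")   # read-only discovery calls


def _rec(t, name, src, ip, region, key=None, err=None, user="alice"):
    """Build a minimal CloudTrail record with the fields the checks use (constructed data)."""
    ident = {"type": "IAMUser", "userName": user}
    if key:
        ident["accessKeyId"] = key
    r = {"eventTime": t, "eventName": name, "eventSource": src,
         "sourceIPAddress": ip, "awsRegion": region, "userIdentity": ident}
    if err:
        r["errorCode"] = err
    return r


KEY = "AKIAEXAMPLE0001"    # made-up access key ID
BAD_IP = "198.51.100.77"   # documentation-range address standing in for the attacker
RECORDS = [  # normal console login, then the stolen key is used from elsewhere
    _rec("2026-05-29T09:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "203.0.113.10", "us-east-1"),
    _rec("2026-05-29T09:05:00Z", "GetCallerIdentity", "sts.amazonaws.com", BAD_IP, "us-east-1", KEY),
    _rec("2026-05-29T09:05:10Z", "ListBuckets", "s3.amazonaws.com", BAD_IP, "eu-west-3", KEY),
    _rec("2026-05-29T09:05:20Z", "ListUsers", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY),
    _rec("2026-05-29T09:05:30Z", "ListRoles", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY),
    _rec("2026-05-29T09:05:45Z", "DescribeInstances", "ec2.amazonaws.com", BAD_IP, "eu-west-3", KEY),
    _rec("2026-05-29T09:06:00Z", "GetAccountAuthorizationDetails", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY),
    _rec("2026-05-29T09:07:00Z", "CreateAccessKey", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY),
    _rec("2026-05-29T09:07:10Z", "AttachUserPolicy", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY, "AccessDenied"),
    _rec("2026-05-29T09:07:20Z", "PutUserPolicy", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY, "AccessDenied"),
    _rec("2026-05-29T09:07:30Z", "CreateUser", "iam.amazonaws.com", BAD_IP, "us-east-1", KEY, "AccessDenied"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_abuse(records, baseline, enum_threshold=5,
                            window=timedelta(minutes=5), denied_threshold=3):
    """Return finding dicts {user, signal, detail}; each (user, signal, detail) fires once."""
    findings, seen = [], set()

    def emit(user, signal, detail):
        if (user, signal, detail) not in seen:
            seen.add((user, signal, detail))
            findings.append({"user": user, "signal": signal, "detail": detail})

    enum_times = defaultdict(list)   # accessKeyId -> timestamps of discovery calls
    denied = defaultdict(int)        # user -> AccessDenied count
    for r in sorted(records, key=lambda r: r["eventTime"]):
        user = r["userIdentity"].get("userName", "unknown")
        base = baseline.get(user, {"ips": set(), "regions": set()})
        # Baseline deviations: where the call came from and which region it touched.
        if r["sourceIPAddress"] not in base["ips"]:
            emit(user, "new_source_ip", r["sourceIPAddress"])
        if r["awsRegion"] not in base["regions"]:
            emit(user, "new_region", r["awsRegion"])
        # Successful persistence calls are always worth a ticket.
        if r["eventName"] in PERSISTENCE_CALLS and "errorCode" not in r:
            emit(user, "persistence_call", r["eventName"])
        # Repeated AccessDenied is the attacker probing what the key can do.
        if r.get("errorCode") == "AccessDenied":
            denied[user] += 1
            if denied[user] == denied_threshold:
                emit(user, "access_denied_burst", f"{denied_threshold}+ denied calls")
        # API sequence: a burst of List/Describe/Get calls on one key inside the window.
        key = r["userIdentity"].get("accessKeyId")
        if key and r["eventName"].startswith(ENUM_PREFIXES):
            times = enum_times[key]
            times.append(_ts(r["eventTime"]))
            if len([t for t in times if times[-1] - t <= window]) >= enum_threshold:
                emit(user, "enumeration_burst", key)
    return findings


if __name__ == "__main__":
    for f in detect_credential_abuse(RECORDS, BASELINE):
        print(f"{f['user']}: {f['signal']} ({f['detail']})")
```

On the constructed records this yields five findings for alice (new source IP, new region, an enumeration burst on the key, a successful CreateAccessKey, and three AccessDenied attempts at privilege escalation), which is the shape of evidence that justifies deactivating and rotating the key before the investigation continues. Each check corresponds to a grouping or window query that is straightforward to express in Athena over the CloudTrail table once the logs are partitioned by account, region and date.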