May 29, 2026
AWS Detection + Blue Team
Phase 4 notes: AWS detection, CloudTrail analysis, Athena queries, Macie, Security Hub, Amazon Detective, and credential abuse response.
research
Phase 4 — AWS Detection + Blue Team
Phase Summary
Completed 5 labs (4 Blue / 1 Purple) focused on detecting cloud attacks, investigating suspicious activity, and improving AWS security posture.
Now learn how defenders detect the attacks you practiced in the earlier AWS phases.
Learning Objectives
- Detect IAM compromise patterns with CloudTrail and Athena.
- Use managed AWS security services to surface risky S3 data and posture gaps.
- Understand how credential abuse appears in cloud audit telemetry.
- Practice investigation workflows with Amazon Detective.
- Connect red-team behavior to defensive logging, triage, and mitigation.
Lab Path
| Order | Lab | Type | Summary |
|---|---|---|---|
| 19 | Identify IAM Breaches with CloudTrail and Athena | 🔵 Blue | Use CloudTrail and Athena to detect IAM attacks and compromised users. |
| 20 | Secure S3 with Amazon Macie | 🔵 Blue | Discover sensitive data and risky S3 bucket permissions. |
| 21 | Reveal Hidden Risks with AWS Security Hub CSPM | 🔵 Blue | Learn AWS Security Hub and cloud posture management. |
| 22 | Execute and Identify Credential Abuse in AWS | 🔴/🔵 Purple | Practice credential abuse and learn detection/mitigation. |
| 23 | Investigate Threats with Amazon Detective | 🔵 Blue | Learn Amazon Detective for investigating security events. |
Key Knowledge After Phase 4
- CloudTrail is the defensive source of truth for AWS control-plane activity and IAM abuse investigations. Management events are recorded by default; data events such as S3 object-level reads and writes are opt-in, so a trail that was never configured for them cannot answer "what was downloaded" later.
- Athena makes raw CloudTrail logs operational, especially when looking for login anomalies, unusual API calls, and compromised identities: the same questions (which IPs, regions and access keys an identity normally uses) become GROUP BY queries over the trail's S3 bucket.
- Macie helps prioritize S3 data risk by combining sensitive-data discovery with bucket exposure context.
- Security Hub supports CSPM workflows by centralizing findings and surfacing posture issues across services.
- Amazon Detective improves investigation speed by connecting identities, resources, findings, and behavior into a clearer timeline.
- Credential abuse detection requires context: the identity's baseline, the source IPs and regions it is normally seen from, which access keys were used, and the order of API calls (enumeration followed by persistence is the classic tell). Remediation (deactivating the key, revoking active sessions, removing what the attacker created) follows from that picture rather than replacing it.
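The objectives above (detect IAM compromise patterns with CloudTrail, understand how credential abuse appears in audit telemetry) and the last key-knowledge point describe the checks in prose; the block below runs them over CloudTrail-shaped records. It is an added example, not code from the labs or from AWS. The CloudTrail field names (eventTime, eventName, awsRegion, sourceIPAddress, userIdentity.accessKeyId) are the ones CloudTrail actually writes; the per-key baseline, the sample records, the 10-minute sequence window and the function names (parse_records, detect) are constructed for illustration.

```python
"""Credential-abuse checks over CloudTrail records (added example).

Not code from the lab material. The baseline and the records below are
constructed; the field names are CloudTrail's real ones.

Checks, mirroring the Phase 4 notes:
  1. new_source_ip        - access key used from an IP outside its baseline
  2. new_region           - access key used in a region outside its baseline
  3. recon_then_persistence - List*/Get*/Describe* calls followed within a
                             short window by an API that grants access
  4. unbaselined_key      - a key with no history at all (e.g. just created)
"""
import json
from datetime import datetime, timedelta

# IAM calls that grant or extend access: the persistence half of the sequence.
PERSISTENCE_APIS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}
RECON_PREFIXES = ("List", "Get", "Describe")
SEQUENCE_WINDOW = timedelta(minutes=10)  # assumption: tune to your environment

# Constructed baseline: where each key is normally used from. In the labs
# this comes from an Athena GROUP BY over the previous weeks of CloudTrail.
BASELINE = {
    "AKIAIOSFODNN7EXAMPLE": {"ips": {"203.0.113.10"}, "regions": {"us-east-1"}},
}

def _rec(time, name, region, ip, key=None, user="alice"):
    """Build one trimmed CloudTrail record (constructed sample data)."""
    ident = {"type": "IAMUser", "userName": user}
    if key:
        ident["accessKeyId"] = key
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": ident}

KEY, NEW_KEY = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"  # AWS doc example ids
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2026-05-29T09:55:00Z", "ConsoleLogin", "us-east-1", "203.0.113.10"),
    _rec("2026-05-29T10:00:00Z", "GetCallerIdentity", "us-east-1", "203.0.113.10", KEY),
    _rec("2026-05-29T10:01:00Z", "ListUsers", "us-east-1", "198.51.100.7", KEY),
    _rec("2026-05-29T10:02:00Z", "ListAttachedUserPolicies", "us-east-1", "198.51.100.7", KEY),
    _rec("2026-05-29T10:03:00Z", "CreateAccessKey", "us-east-1", "198.51.100.7", KEY),
    _rec("2026-05-29T10:05:00Z", "DescribeInstances", "eu-west-1", "198.51.100.7", KEY),
    _rec("2026-05-29T10:06:00Z", "ListBuckets", "us-east-1", "198.51.100.7", NEW_KEY),
]})

def parse_records(raw):
    """Parse a CloudTrail log file body and return records sorted by time."""
    records = json.loads(raw)["Records"]
    for r in records:
        r["_time"] = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["_time"])

def detect(records, baseline):
    """Return a list of findings; each finding is reported once per key/value."""
    findings, seen, history = [], set(), {}

    def report(check, r, key, detail):
        findings.append({"check": check, "accessKeyId": key,
                         "eventTime": r["eventTime"], "detail": detail})

    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if not key:  # console and root logins carry no access key
            continue
        base = baseline.get(key)
        ip, region = r["sourceIPAddress"], r["awsRegion"]
        if base is None:
            if ("key", key) not in seen:
                seen.add(("key", key))
                report("unbaselined_key", r, key, "no history for this access key")
        else:
            if ip not in base["ips"] and ("ip", key, ip) not in seen:
                seen.add(("ip", key, ip))
                report("new_source_ip", r, key, ip)
            if region not in base["regions"] and ("region", key, region) not in seen:
                seen.add(("region", key, region))
                report("new_region", r, key, region)
        calls = history.setdefault(key, [])
        if r["eventName"] in PERSISTENCE_APIS:
            recon = [n for t, n in calls
                     if r["_time"] - t <= SEQUENCE_WINDOW and n.startswith(RECON_PREFIXES)]
            if recon:
                report("recon_then_persistence", r, key, recon + [r["eventName"]])
        calls.append((r["_time"], r["eventName"]))
    return findings

if __name__ == "__main__":
    for f in detect(parse_records(SAMPLE_LOG), BASELINE):
        print(f["eventTime"], f["check"], f["accessKeyId"], f["detail"])
```

Run against the constructed log, the four checks fire once each: the new source IP at the first ListUsers, the recon-then-persistence sequence at CreateAccessKey, the new region at the eu-west-1 DescribeInstances, and the never-baselined key at the final ListBuckets. Each finding is deduplicated per key and value so an attacker's burst of calls produces one alert per new fact rather than one per event; the same shape translates directly into an Athena query that groups the cloudtrail table by useridentity.accesskeyid, sourceipaddress and awsregion and compares against a prior period.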