Training Program Agenda

The agenda is subject to change. The agenda times are reflected in local time in Copenhagen — Central European Summer Time (UTC +2).

About TLP Designations

If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees.

Meetings notated with "invite-only" or "invitation only" are private meetings.

Registration & Fees

Training is a separate activity from the annual conference and requires a standalone registration. You do not need to attend the annual conference to register for training. Training registration includes:

  • Welcome Coffee
  • Two coffee breaks
  • Buffet lunch
  • Entry to the Sunday evening Conference Welcome Reception
  • Applicable training materials

Training is not available as a virtual option.

Training rates
Member $300.00
Liaison Member & Non-member $500.00

Register for Training

  • TLP:CLEAR

    AWS Security Hands On Learning by building a (free) lab.

    Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).

    Cloud computing is not trendy anymore; it is now part of our daily life as security professionals whether we want it or not. The challenge I see everywhere I go is that most cloud security training is a bunch of theory with little technical knowledge behind it, which is good for an overview but lacks the juice an engineer or an operations team needs. The objective of this training is to provide hands-on knowledge, learning by doing.

    So, how does it go?

    Phase 1: Setting the Lab

    Well, I’m going to start by explaining the few fundamental concepts attendees need in order to start their cloud journey, from a need-to-know perspective:

    • Shared Responsibility Model;
    • Cloud Segmentation and Regions;
    • Fundamental AWS Services;
    • Management Plane / Identity and Access Management;
    • Cloud Networking Fundamentals;
    • Cloud Compute Fundamentals;
    • Cloud Storage Fundamentals;
    • Infrastructure as Code.

    The key part here is the last bullet, infrastructure as code. Why? Because infrastructure as code gives us granular control over what we build and what we change, and forces us to actually be aware of the dependencies that are usually handled automatically by the cloud provider when using the GUI. This is critical from a security perspective and for building a cost-effective home lab.

    Then I’m going to demonstrate the first hands-on lab, which will consist of:

    • Create an AWS Account
    • Get AWS Credentials
    • Set the AWS Credentials in a workstation
    • Quick walkthrough of the Console
    • Install Terraform
    • Set Terraform up in a workstation
    • Build the first Terraform code block to build an IAM User.

    Knowing this, the attendees will be more familiar with the challenge, and we can move on to the second demonstration, where we build something more complex, a server, using the AWS Free Tier. To complete the task, we will need to create the following with Terraform:

    • A complete network infrastructure: VPC, Subnets, Security Groups, Route Tables, etc.
    • An SSH Key Pair
    • The Server Components
    • The Server

    After these steps, I’ll show them how they can destroy the implementation when they are not using it, and how they can rebuild the lab whenever they need to.

    Phase 2: Adding Security

    After the creation of the lab, we are going to start doing cloud security with it. So I’m going to explain the theoretical concepts of:

    • Cloud Security Fundamentals
    • Hardening and Best Practices of AWS Services
    • IAM Best Practices for Least Privilege
    • Cloud Security Operations Fundamentals
    • Logging API Calls in AWS - CloudTrail
    • Security Detection in AWS - GuardDuty
    • Other Log Sources - ALB / WAF / VPC Flow Logs / etc.
    • Introduction to Cloud Forensics

    Then we are going to replicate this in the lab, creating:

    • An S3 Bucket, and harden it
    • A CloudTrail Trail
    • A GuardDuty Detector
    • A Security Hub Collector
    • VPC Flow Logs to the bucket

    Then, as a closing demonstration, I’ll show them basic attacks against AWS so they understand how GuardDuty security detections and CloudTrail logs are generated, and how you should proceed with an investigation in case of a security incident.

    Requirements: Participants should have the following ready before the training:

    • AWS Free Tier account ready
    • AWS CLI installed
    • Terraform installed
    • GitHub account for cloning lab repos

    An email with detailed setup instructions will be sent beforehand.

    Provided Material:

    • GitHub Repository with the solution to the workshops
    • Extra exercises to extend your lab

    Final Notes

    This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a fully functional personal AWS security lab you can extend and reuse for further learning.

    Full Agenda:

    • Phase 1: Building the Lab
      • Title 1: Cloud Theory (30 mins)
        • Shared Responsibility Model
        • Cloud Segmentation and Regions
        • Fundamental AWS Services
        • Management Plane / Identity and Access Management
        • Cloud Networking Fundamentals
        • Cloud Compute Fundamentals
        • Cloud Storage Fundamentals
        • Infrastructure as Code
      • Title 2: AWS Hands On 101 (15 mins + 30 mins hands on)
        • Create an AWS Account
        • Get AWS Credentials
        • Set the AWS Credentials in a workstation
        • Quick walkthrough of the Console
        • Install Terraform
        • Set Terraform up in a workstation
        • Build the first Terraform code block to build an IAM User
      • Title 3: Lab Building (30 mins + 30 mins hands on)
        • A complete network infrastructure: VPC, Subnets, Security Groups, Route Tables, etc.
        • An SSH Key Pair
        • The Server Components
        • The Server
    • Phase 2: AWS Security Fundamentals (30 mins)
      • Title 1: Theory
        • Cloud Security Fundamentals
        • Hardening and Best Practices of AWS Services
        • IAM Best Practices for Least Privilege
        • Cloud Security Operations Fundamentals
        • Logging API Calls in AWS - CloudTrail
        • Security Detection in AWS - GuardDuty
        • Other Log Sources - ALB / WAF / VPC Flow Logs / etc.
        • Introduction to Cloud Forensics
      • Title 2: Advanced Lab Building (15 mins + 30 mins hands on)
        • An S3 Bucket, and harden it
        • A CloudTrail Trail
        • A GuardDuty Detector
        • A Security Hub Collector
        • VPC Flow Logs to the bucket
      • Title 3: Introduction to Attack and Defense (30 mins)
        • Basic AWS attack
        • AWS Security Detection with GuardDuty
        • Incident Response
        • Forensics with CloudTrail

  • TLP:GREEN

    AWS Security - The Purple Team Way

    Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).

    Cloud platforms like Amazon Web Services (AWS) are foundational to many critical infrastructures and enterprise applications, making them prime targets for attackers. In this session, we will not only explore the most relevant attack vectors cybercriminals use to compromise AWS infrastructures but will also simulate these attacks using known threat actor techniques in an adversary emulation context. From initial access to hardcore persistence, this talk will provide a comprehensive look at how attackers operate in AWS environments.

    We will take a technical journey through the tactics, techniques, and procedures (TTPs) employed by attackers at every stage of the threat lifecycle, aligned with the MITRE ATT&CK framework. We’ll start by reviewing common methods of initial access, such as exploiting exposed credentials or vulnerabilities in services like IAM, Lambda, and EC2. From there, we’ll detail how attackers escalate privileges, move laterally, and evade detection from tools like CloudTrail.

    The session will conclude with an in-depth look at advanced persistence techniques in AWS, including the manipulation of IAM policies, backdooring Lambda functions or Docker containers, and tampering with logs. Along the way, we’ll demonstrate how security teams can implement defensive and detection strategies to mitigate these risks. By leveraging AWS-native services and third-party tools, attendees will learn how to enhance their incident response capabilities.

    This hands-on workshop will give attendees practical, technical insights into AWS security, adversary behavior, and how to better defend against sophisticated, persistent attacks. With only two slides and full hands-on experience, this talk ensures deep technical immersion.

    Requirements: Participants should have the following ready before the training:

    • AWS CLI installed
    • Terraform installed
    • GitHub account for cloning lab repos
    • Knowledge of AWS Security Fundamentals

    An email with detailed setup instructions will be sent beforehand.

    Provided Material:

    • GitHub Repository with the solution to the workshops

    Final Notes

    This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a deep understanding of how real attack and defense techniques work in AWS, and be able to understand the hardening requirements, replicate attacks, generate detection use cases, and execute forensic techniques.

    Full Agenda:

    • Phase 1: Attacking The Cloud
      • Title 1: From Initial Access to Privilege Escalation (30 mins + 30 mins hands on)
        • Understanding AWS IAM in full
        • Lateral Movement with IAM
        • Malware Analysis of TeamTNT Infostealer
        • Getting Credentials from Misconfigurations
        • Privilege Escalation via IAM Policies
        • Privilege Escalation via IAM Roles
        • Privilege Escalation via Exec to Instances and Containers
      • Title 2: From Defense Evasion to Persistence (30 mins + 30 mins hands on)
        • Blind Spots in the Shared Responsibility Model
        • Bypassing GuardDuty
        • Understanding how CloudTrail logs work
        • Tampering with CloudTrail without getting caught
        • Living off the Land Techniques
        • Persistence in AWS via SSH implant
        • Persistence in AWS via LotL
    • Phase 2: The Blue Team Way
      • Title 1: Security Detection in AWS (30 mins + 30 mins hands on)
        • CloudTrail for API Call Logging
        • Understanding the complete supply chain
        • SIEM Integration and Detection Use Case Creation
        • Understanding the Delays in SIEM Integration
        • Understanding EventBridge for Automated Response
        • Hardening Best Practices
      • Title 2: Incident Response in AWS (30 mins + 30 mins hands on)
        • Using the CloudTrail Digest to detect tampering
        • Creating an Athena table for CloudTrail Analysis when the SIEM fails
        • Using Event History as a last resort
        • Forensic Images of EC2 instances
        • Network Isolation of AWS instances
        • AWS Threat Hunting 101
        • How to detect persistence in AWS

  • TLP:CLEAR

    From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems

    Peter leverages over 25 years of experience to help clients develop robust cybersecurity program strategies. This includes advising organizations in areas ranging from industrial and control system (ICS) security, network security architecture, threat hunting and red-teaming to cloud security, incident response, computer forensics, and beyond. Throughout Peter’s career, he has held senior positions with numerous organizations, including major consulting businesses, a global cybersecurity consulting firm, a national telecommunications and media company, a Fortune 500 cloud-computing company, a recognized cybersecurity software company and a major US defense contractor. As a public speaker, Peter has presented at numerous events held by the FBI, US Department of Homeland Security, FIRST, BSides, SecTor, SANS, Black Hat, Public Safety Canada and ISACA. Peter is also the co-host of the CTRL-ALT-DEFEND Podcast.

    This immersive workshop is designed to bridge the gap between cybersecurity operations and industrial control system (ICS) realities. Participants will learn how to monitor, detect, and respond to cyber threats in OT environments using real-world tools, processes, and equipment. Through a combination of lectures and live demonstrations, attendees will explore how to operationalize OT monitoring programs, integrate detection with IT SOC processes, and build effective incident response playbooks that protect both safety and production uptime.