Analysis updated 2026-05-18
Study a worked example of investigating AWS CloudTrail logs for misconfigurations
Learn how to map security findings to the MITRE ATT&CK framework
See a sample remediation checklist for root account and logging issues
| will75g/soc-day16-aws-cloud-security-investigation | 0xkinno/neuralvault | 0xmayurrr/ai-contractauditor | |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | — | TypeScript | TypeScript |
| Setup difficulty | easy | hard | easy |
| Complexity | 1/5 | 4/5 | 2/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
This repository is a written lab report for Day 16 of a SOC (Security Operations Center) analyst training series. It documents a hands on AWS cloud security investigation exercise using AWS CloudTrail to examine account activity and identify security misconfigurations. The scenario involves creating a CloudTrail trail, a logging service that records every action taken in an AWS account, and reviewing the resulting event history. The investigation analyzed 11 management events and found two problems. The first, classified as high severity, was that the root account, the master account with full access to all AWS services and resources, had been used without multi factor authentication enabled. The second finding was that log file validation was disabled, meaning someone could potentially alter the log records without detection. A third event that initially appeared suspicious, activity from a user named onboarding, was confirmed to be an automated AWS internal service, not a human. Each finding is mapped to the MITRE ATT&CK framework, a widely used reference for categorizing attacker tactics and techniques. The report also includes remediation recommendations: enable MFA on the root account, turn on log file validation, create a dedicated IAM admin user for daily tasks instead of using root, and enable AWS GuardDuty for automated threat detection. The repository contains the README write up alongside screenshots documenting each step of the investigation. It is structured as a learning exercise showing the workflow a cloud security analyst follows when investigating suspicious AWS activity. The full README is longer than what was shown.
A hands on lab report showing how an analyst investigates AWS account activity with CloudTrail to find security misconfigurations.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.