we45 - Purple Team AWS (VIRTUAL)

May 17th and 18th

Course Abstract

With companies moving and operating extensively on the AWS Cloud, security remains a key challenge for professionals and organizations everywhere. This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges. The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation. Our fundamental objective is that, after walking out of this class, the participant should be able to immediately apply this knowledge to AWS environments in their workplace. This class is an intense, deep-dive experience into Security on AWS. We’d like participants to explore practical implementations of full-fledged environments, rather than have a surface-level understanding of attack and defense in AWS. Participants will walk away with long-term access to our online training portal and labs


Day 1

Lay of the Land: Introduction and Overview

  • AWS Security Overview
  • Shared Responsibility Model
  • Walkthrough of Breaches on AWS

AWS Automation Primer

  • Cloudformation overview
  • Terraform Overview and Mini-Tutorial
  • CDK overview and mini-Tutorial

Story: Amazon EC2 Attack, Detect and Defense Lab The stack deployed in this Lab has 2 separate VPC networks(VPC-1 & VPC-2). All of the internal-sensitive services are run on VPC-2 which can only be contacted via. VPC-1. The client-facing application is deployed on VPC-1, which can be accessed publicly.

Attack Story Concept Coverage

  • Insecure Metadata Service on EC2
  • Insecure VPC Configuration along with IAM privilege misconfiguration
  • Adversary objective os to perform data exfiltration from internal assets deployed across VPCs

Detect Topics and Mini-Labs

  • VPC Flow Logs for cloudwatch metrics to set alarm
  • GuardDuty
  • We are using cloudwatch log insights to query the malicious activities
  • We are using steampipe (query language tool) to check the security misconfiguration in AWS
  • EC2 State Change Events + Lambda + SNS => Slack

Defense Topics and Mini-Labs

  • Enabled IMDSv2
  • NACL on VPCs
  • Hardening with specific Security Groups
  • IAM Tag based condition for VPC

Day 2

Story: Lambda Privilege Escalation Attack, Detect and Defense The application is a SEO optimizer, where we analyze website performance and store the files into S3 bucket and store other values in DynamoDB. In this application we are using lambda function and API gateway as an endpoint.

Attack Story Concepts

  1. Insecure AWS Lambda function stack
  2. IAM misconfiguration
  3. Misconfigured security parameters on S3 and DynamoDB

Detect Topics and Mini Labs

  • Enable Cloudtrail and store in S3 bucket for offline analysis using Athena
  • Also Enabled Cloud watch metrics alarm

Defense Topics and Mini Labs

  • Lambda least privilege per function with restricted resources
  • Fix the application vulnerability
  • Scan Lambda Function with Automated Security Tools

Story: Amazon Elastic Beanstalk Attack, Detect and Defense

Attack Story Concepts

  • Privilege Escalation on Elastic Beanstalk
  • Privilege Escalation involving Amazon KMS, S3 and so on

Detect Topics and Mini-Labs

  • Event driven logs and possibly alerts based on Cloudtrail API calls for KMS decrypt calls
  • Use of GuardDuty to identify credential compromise

Defense Topics and Mini-Labs

  • IMDSv2 to prevent Metadata credential compromise from SSRF/Path Traversal
  • Fix SSRF or Path Traversal in the Application
  • AWS KMS Deep-dive with the correct usage of Envelope encryption as a substitute to the insecure use of AES-CBC (vulnerable to Padded Oracle Attacks)

Security Automation and Cloud-Native DevSecOps

  • Using AWS Security Hub to auto remediate the vulnerability
  • Automated Security Assessment with Fargate, Lambda and Slack
  • Integrate Security tools with AWS Security Hub
  • CI/CD Pipelines with Step Functions, Lambda and Fargate
  • Query your AWS Environment for Security Issues with Cartography
  • Github Actions - Integrated with AWS for AWS CI/CD

In addition

  • Explore KMS
  • AWS Organization

Who Should Attend

  • Cloud Professionals - AWS
  • Pentesters
  • Cloud Security Practitioners
  • Red-Teamers
  • DevOps professionals
  • DevSecOps Professionals
  • Application Security Professionals

What You Need

  • Laptop or Tablet computing devices with browser that can connect to the internet with Wifi
  • Please ensure that you use devices that are not bound with an extremely strict Web Proxy/DLP


Abhay Bhargav Founder, we45

Abhay Bhargav is the Founder of we45 and Chief Research Officer at AppSecEngineer, a focused Application Security Company. Abhay is a builder and breaker of applications. He is the Chief Architect of "Orchestron", a leading Application Vulnerability Correlation and Orchestration Framework. He has created some pioneering works in the area of DevSecOps and AppSec Automation, including the world’s first hands-on training program on DevSecOps, focused on Application Security Automation. In addition to this, Abhay is active in his research of new technologies and their impact on Application Security, namely Containers, Orchestration and Serverless Architectures. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA, SHACK and so on.

Return to training sessions