In this lab, you are tasked with investigating a cybersecurity incident that occurred within a cloud environment, focusing on an attack that exploited several security misconfigurations. The scenario involves a newly launched website by Compliant Secure Store, which, despite its best intentions, left critical gaps in its security posture. These gaps were quickly identified by an attacker who initiated widespread scanning of the environment. During the scan, the attacker discovered an upload feature that processed XML data without proper validation, allowing malicious payloads to be injected.
By exploiting this vulnerability, the attacker was able to gain unauthorized access to internal resources, leveraging compromised credentials and misconfigured roles. This allowed the attacker to move through the environment, exfiltrate sensitive data from S3 buckets, and trigger alerts within AWS services. Unlike traditional GUI-based investigations, this lab focuses exclusively on using CloudWatch Logs Insights queries to analyze the attack flow directly from log data. You will write queries to search through Lambda function logs, CloudTrail events, and other AWS service logs to trace the attacker's steps, identify the source of the compromise, and understand the series of actions that enabled the breach. This approach mirrors real-world SOC operations, where analysts must efficiently query large volumes of log data to identify security incidents without relying on graphical interfaces.
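The analysis the lab asks for, reduced to its three steps (find the suspicious XML upload in the Lambda logs, follow the credential that was used afterwards through CloudTrail, and tie the two together), is shown below as an added Python example. It is not part of the lab or its materials: every log line, IP address, access key ID, bucket, function and role name is a constructed placeholder, and the Logs Insights queries quoted in the docstrings are the equivalent shapes you would type against the lab's own log groups, whose names the lab does not give here.

```python
"""Added example (not from the lab): offline triage of constructed Lambda and
CloudTrail records, mirroring the CloudWatch Logs Insights queries the lab uses.
All values below are constructed placeholders."""
import json
import re
from collections import defaultdict

# Constructed Lambda log lines: "<timestamp> <request id> <level> <message>", where the
# upload handler echoes (a truncated copy of) the XML body it received.
LAMBDA_LOG_LINES = [
    '2024-05-01T10:01:02Z 1a2b-req INFO upload received: <?xml version="1.0"?><order><item>book</item></order>',
    '2024-05-01T10:04:17Z 3c4d-req INFO upload received: <?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///etc/hostname">]><order>&ext;</order>',
    "2024-05-01T10:04:18Z 3c4d-req INFO upload parsed ok",
    '2024-05-01T10:05:40Z 5e6f-req INFO upload received: <?xml version="1.0"?><order><item>pen</item></order>',
]

# An XML body that declares an external entity is the signal to look for in an
# unvalidated XML upload path; a plain <order> document never contains one.
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b")

STOLEN_KEY = "ASIAEXAMPLEKEY01"          # constructed: the upload function's role credential
EXPECTED_SOURCE_IPS = {"198.51.100.10"}   # constructed: the function's normal egress address


def _ct(time, source, name, ip, key_id, params):
    """Build a constructed CloudTrail record carrying only the fields used below."""
    return {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key_id}, "requestParameters": params}


# Constructed CloudTrail records: the same role credential appears first from the
# function's own address and then, after the bad upload, from an outside address.
CLOUDTRAIL_RECORDS = [
    _ct("2024-05-01T10:01:03Z", "s3.amazonaws.com", "PutObject", "198.51.100.10", STOLEN_KEY,
        {"bucketName": "css-uploads", "key": "orders/1a2b.xml"}),
    _ct("2024-05-01T10:04:30Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.45", STOLEN_KEY, None),
    _ct("2024-05-01T10:06:12Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.45", STOLEN_KEY, None),
    _ct("2024-05-01T10:06:40Z", "s3.amazonaws.com", "GetObject", "203.0.113.45", STOLEN_KEY,
        {"bucketName": "css-customer-data", "key": "exports/customers.csv"}),
    _ct("2024-05-01T10:06:41Z", "s3.amazonaws.com", "GetObject", "203.0.113.45", STOLEN_KEY,
        {"bucketName": "css-customer-data", "key": "exports/orders.csv"}),
    _ct("2024-05-01T10:07:05Z", "s3.amazonaws.com", "GetObject", "198.51.100.10", "ASIAEXAMPLEKEY99",
        {"bucketName": "css-uploads", "key": "orders/5e6f.xml"}),
]


def find_external_entity_uploads(lines):
    """Return (timestamp, request_id) for each Lambda log line whose XML declares an external entity.

    Logs Insights equivalent against the function's log group:
        fields @timestamp, @requestId, @message
        | filter @message like /<!ENTITY\\s+\\S+\\s+(SYSTEM|PUBLIC)/
        | sort @timestamp asc
    """
    hits = []
    for line in lines:
        timestamp, request_id, _rest = line.split(" ", 2)
        if EXTERNAL_ENTITY_RE.search(line):
            hits.append((timestamp, request_id))
    return hits


def trace_access_key(records, access_key_id, expected_ips):
    """Chronological actions taken with one access key, flagging any from an unexpected source IP.

    Logs Insights equivalent against a CloudTrail log group:
        fields eventTime, eventName, sourceIPAddress, requestParameters.bucketName
        | filter userIdentity.accessKeyId = "ASIAEXAMPLEKEY01"
        | sort eventTime asc
    """
    timeline = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec["userIdentity"].get("accessKeyId") != access_key_id:
            continue
        params = rec.get("requestParameters") or {}
        timeline.append({"time": rec["eventTime"], "event": rec["eventName"],
                         "source_ip": rec["sourceIPAddress"], "bucket": params.get("bucketName"),
                         "key": params.get("key"),
                         "unexpected_source": rec["sourceIPAddress"] not in expected_ips})
    return timeline


def s3_reads_by_unexpected_source(records, expected_ips):
    """Group S3 GetObject calls made from outside the expected source set by (access key, bucket)."""
    reads = defaultdict(list)
    for rec in records:
        if (rec["eventSource"] == "s3.amazonaws.com" and rec["eventName"] == "GetObject"
                and rec["sourceIPAddress"] not in expected_ips):
            params = rec.get("requestParameters") or {}
            reads[(rec["userIdentity"].get("accessKeyId"), params.get("bucketName"))].append(params.get("key"))
    return dict(reads)


def link_upload_to_credential_use(upload_hits, timeline):
    """Return the last flagged upload that precedes the key's first use from an unexpected source."""
    flagged = [entry for entry in timeline if entry["unexpected_source"]]
    if not flagged:
        return None
    first_misuse = flagged[0]["time"]            # ISO-8601 UTC strings compare chronologically
    candidates = [hit for hit in upload_hits if hit[0] <= first_misuse]
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    uploads = find_external_entity_uploads(LAMBDA_LOG_LINES)
    timeline = trace_access_key(CLOUDTRAIL_RECORDS, STOLEN_KEY, EXPECTED_SOURCE_IPS)
    print("suspicious uploads:", uploads)
    print(json.dumps(timeline, indent=2))
    print("reads from unexpected sources:", s3_reads_by_unexpected_source(CLOUDTRAIL_RECORDS, EXPECTED_SOURCE_IPS))
    print("likely point of compromise:", link_upload_to_credential_use(uploads, timeline))
```

The pivot that does the work is the access key ID: a Lambda execution role's temporary credential is the same across invocations in one execution environment, so the legitimate `PutObject` and the later `ListBuckets`/`GetObject` calls from 203.0.113.45 share one key, and comparing `sourceIPAddress` against the function's known egress address separates the two. Once that first out-of-place call is found, the last external-entity upload that precedes it is the candidate point of compromise.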