
AWS Detection Engineering

Status: In Progress · May 5, 2026 · 5 min read

Production-quality Sigma rules for AWS IAM privilege escalation, each validated end-to-end against CloudGoat scenarios using Stratus Red Team and CloudTrail.

[Figure: AWS detection engineering validation loop]

Targets: 3–4 target rules · 7 validation steps · 0 false positives tolerated

Why this exists

Detection rules are usually written from documentation. That works, but it leaves a gap: did the rule fire on the real telemetry the attack produces, or just on the telemetry I imagined it would produce? Closing that gap is the whole point.

Three to four shipped rules is the target. Four working detection rules in a public repo is more credible than thirty drafted ones.

Validation loop — every rule

1. Stand up a vulnerable scenario in CloudGoat
2. Execute the attack with Stratus Red Team
3. Capture the resulting CloudTrail events
4. Author the Sigma rule against the captured event shape
5. Re-run the attack and verify the rule fires
6. Run baseline activity and verify no false positives
7. Tear the lab down
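Steps 4 to 6 are the part of the loop that can be exercised offline, so here is an added example of what that check looks like in code. It is not the project's own code or rule: the Sigma rule, the CloudTrail records, the account id, the `cg-lab-user` principal and the `terraform-deployer` role are all constructed for illustration, and the matcher implements only the small subset of Sigma the rule needs. The rule keys on the IAM attach-policy APIs plus the AdministratorAccess managed policy, and the baseline set includes the kind of infrastructure-as-code activity that would otherwise be a false positive, which is what the filter block exists for.

```python
"""Validation harness for an AWS IAM privilege-escalation Sigma rule.

Added example, not code from the original project. The rule, the CloudTrail
records and every name in them are constructed for illustration; the matcher
covers only the Sigma subset the rule needs (plain fields, |contains /
|startswith / |endswith, lists as OR, a block as AND, and the condition idiom
`selection and not 1 of filter*`).
"""

# Constructed rule. Assumption: the real rule is authored against the event
# shape captured in step 3; this one keys on the IAM attach-policy APIs and the
# AdministratorAccess managed policy, with a filter for a (constructed)
# deployment role so baseline IaC runs stay silent.
RULE = {
    "title": "AWS IAM Privilege Escalation via Managed Policy Attachment",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"],
            "requestParameters.policyArn|endswith": "policy/AdministratorAccess",
        },
        "filter_iac": {"userIdentity.arn|contains": ":assumed-role/terraform-deployer/"},
        "condition": "selection and not 1 of filter*",
    },
}


def flatten(record, prefix=""):
    """Nested CloudTrail record -> {'a.b.c': value} for dotted Sigma field names."""
    out = {}
    for key, value in record.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out


def _value_matches(actual, expected, modifier):
    """Sigma string comparison: case-insensitive, modifier applied."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    return {"contains": e in a, "startswith": a.startswith(e),
            "endswith": a.endswith(e)}.get(modifier, a == e)


def block_matches(block, flat):
    """Every field in a block must match (AND); a list value is OR."""
    for spec, expected in block.items():
        field, _, modifier = spec.partition("|")
        options = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(flat.get(field), o, modifier) for o in options):
            return False
    return True


def rule_fires(rule, event):
    """Condition idiom `selection and not 1 of filter*`: all selection* blocks
    must match and no filter* block may match."""
    blocks = {k: v for k, v in rule["detection"].items() if k != "condition"}
    flat = flatten(event)
    sel = [block_matches(v, flat) for k, v in blocks.items() if k.startswith("selection")]
    flt = [block_matches(v, flat) for k, v in blocks.items() if k.startswith("filter")]
    return all(sel) and not any(flt)


def evaluate_rule(rule, events):
    """Return the eventIDs the rule fires on."""
    return [e["eventID"] for e in events if rule_fires(rule, e)]


def validate(rule, attack_events, baseline_events):
    """Steps 5 and 6 of the loop: fire on the attack capture, silent on baseline."""
    hits, fps = evaluate_rule(rule, attack_events), evaluate_rule(rule, baseline_events)
    return {"attack_hits": hits, "false_positives": fps, "passed": bool(hits) and not fps}


def _event(event_id, name, arn, policy_arn=None):
    """Constructed CloudTrail record carrying only the fields the rule reads."""
    rec = {"eventID": event_id, "eventSource": "iam.amazonaws.com",
           "eventName": name, "userIdentity": {"arn": arn}}
    if policy_arn:
        rec["requestParameters"] = {"userName": "cg-lab-user", "policyArn": policy_arn}
    return rec


ACCOUNT = "123456789012"  # placeholder account id
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
USER = f"arn:aws:iam::{ACCOUNT}:user/cg-lab-user"
ATTACK_EVENTS = [  # constructed: what a step-3 capture of the scenario would contain
    _event("evt-attack-1", "AttachUserPolicy", USER, ADMIN),
]
BASELINE_EVENTS = [  # constructed benign activity for the false-positive check
    _event("evt-base-1", "ListAttachedUserPolicies", USER),
    _event("evt-base-2", "AttachUserPolicy", USER, "arn:aws:iam::aws:policy/ReadOnlyAccess"),
    _event("evt-base-3", "AttachRolePolicy",
           f"arn:aws:sts::{ACCOUNT}:assumed-role/terraform-deployer/run-42", ADMIN),
]

if __name__ == "__main__":
    print(validate(RULE, ATTACK_EVENTS, BASELINE_EVENTS))
```

The useful property of keeping the harness this small is that it can be re-run every time the rule or the baseline set changes: drop the `filter_iac` block and `evt-base-3` immediately shows up as a false positive, which is exactly the signal step 6 is meant to produce before the rule ships. In a real pipeline the constructed records would be replaced by the JSON exported from CloudTrail in step 3, and the flattened field names would be checked against that export rather than assumed.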

Current progress

Local toolchain verified: AWS CLI, Python, Terraform
CloudGoat installed in a Python virtual environment
AWS account and IAM user provisioned for lab use
Repository scaffolding and dual-repo discipline established
First scenario stand-up (iam_privesc_by_attachment)
Stratus Red Team attack execution
CloudTrail capture and event shape analysis
First Sigma rule + full validation loop

A walkthrough post follows each rule shipped: what the attack actually does in CloudTrail, where the rule trips on it, and the false-positive surface the rule is designed around. Detection content is only as good as the writeup that explains why it works.


Stack

AWS · Sigma · CloudGoat · Stratus Red Team · CloudTrail · Python