AWS Detection Engineering Portfolio

The pivot project. Three to four Sigma rules covering common AWS IAM privilege-escalation techniques, each one validated by actually running the attack in a controlled lab and confirming the rule fires against the resulting CloudTrail telemetry.

Why this exists

Detection rules are usually written from documentation. That works, but it leaves a gap: did the rule actually fire on the real telemetry the attack produces, or just on the telemetry I imagined it would produce? Closing that gap is the whole point.

The loop for each rule:

  1. Stand up a vulnerable scenario in CloudGoat (Rhino Security Labs’ AWS attack range)
  2. Execute the attack with Stratus Red Team (atomic attack simulator for cloud)
  3. Capture the resulting CloudTrail events
  4. Author the Sigma rule against the captured event shape
  5. Re-run the attack and verify the rule fires
  6. Run baseline activity and verify the rule doesn’t false-positive
  7. Tear the lab down

Every rule that ships has been through all seven steps.
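Steps 4 through 6 of the loop, worked through in code as an added example (not part of the project's repository): a Sigma-style detection expressed as the Python equivalent of its YAML `detection:` block, a minimal evaluator for the subset of Sigma semantics it uses (field maps are AND, value lists are OR, `|endswith` and `|contains` modifiers, a `selection and not filter` condition), and a validation pass that checks the rule fires on a captured attack event and stays quiet on baseline activity. The CloudTrail records are constructed to match the documented record shape, not captures from the lab; the assumption that the iam_privesc_by_attachment scenario surfaces as an `Attach*Policy` call naming AdministratorAccess, and the `lab-bootstrap` automation role tuned out by the filter, are both hypothetical.

```python
"""Validate a Sigma-style rule against CloudTrail events: does it fire on the
attack capture, and does it stay silent on baseline activity?"""
from __future__ import annotations

from typing import Any

# Python form of a Sigma rule's detection block (constructed for this example).
# Field names are CloudTrail's own JSON keys, dotted for nested objects.
RULE = {
    "title": "IAM managed policy attachment granting AdministratorAccess",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "iam.amazonaws.com",
            "eventName": ["AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"],
            "requestParameters.policyArn|endswith": ":policy/AdministratorAccess",
        },
        # Hypothetical false-positive surface: the lab's own provisioning role
        # legitimately attaches admin policies, so it is filtered out by principal.
        "filter_known_admin_automation": {
            "userIdentity.arn|contains": "assumed-role/lab-bootstrap/",
        },
        "condition": "selection and not filter_known_admin_automation",
    },
}


def _get_field(event: dict, path: str) -> Any:
    """Resolve a dotted path such as requestParameters.policyArn; None if absent."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _value_matches(actual: Any, expected: Any, modifier: str | None) -> bool:
    """Apply a Sigma value modifier (exact match when there is none)."""
    if actual is None:
        return False
    a, e = str(actual), str(expected)
    if modifier is None:
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection: dict, event: dict) -> bool:
    """Every field in the map must match (AND); a list of values is an OR."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = _get_field(event, field)
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(actual, c, modifier or None) for c in candidates):
            return False
    return True


def _evaluate_condition(condition: str, results: dict[str, bool]) -> bool:
    """Supports the shapes used here: 'sel' and 'sel and not filt [and not ...]'."""
    positive, *negatives = [p.strip() for p in condition.split(" and not ")]
    return results[positive] and not any(results[n] for n in negatives)


def rule_matches(rule: dict, event: dict) -> bool:
    """True if the rule's condition holds for this single CloudTrail record."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _evaluate_condition(detection["condition"], results)


def validate(rule: dict, attack_events: list[dict], baseline_events: list[dict]) -> dict:
    """Steps 5 and 6: the rule must fire on every attack record and on no baseline record."""
    fires = all(rule_matches(rule, e) for e in attack_events)
    false_positives = [e["eventName"] for e in baseline_events if rule_matches(rule, e)]
    return {"fires_on_attack": fires, "false_positives": false_positives}


# Constructed records in CloudTrail's shape; 111122223333 is a placeholder account id.
ATTACK_EVENT = {
    "eventVersion": "1.08",
    "eventSource": "iam.amazonaws.com",
    "eventName": "AttachUserPolicy",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/lab-low-priv"},
    "requestParameters": {"userName": "lab-low-priv",
                          "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
}
BASELINE_EVENTS = [
    {   # same API call, benign managed policy
        "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
        "requestParameters": {"userName": "dev", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
    },
    {   # read-only IAM enumeration, no policy attached
        "eventSource": "iam.amazonaws.com", "eventName": "ListAttachedUserPolicies",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
        "requestParameters": {"userName": "dev"},
    },
    {   # hypothetical lab automation attaching admin; tuned out by the filter
        "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/lab-bootstrap/terraform"},
        "requestParameters": {"roleName": "lab-admin", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    },
]

if __name__ == "__main__":
    print(validate(RULE, [ATTACK_EVENT], BASELINE_EVENTS))
```

The evaluator deliberately covers only the Sigma features the rule uses; in the real loop the rule is converted with the Sigma toolchain and run in the target SIEM, and the baseline set is the full CloudTrail capture from steps 3 and 6 rather than three hand-built records. The third baseline record is the kind of false-positive surface a principal-based filter has to design around: the same API call and the same policy ARN, distinguished only by who made it.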

Scope

Initial focus: IAM privilege escalation. Specifically the techniques in the Rhino Security IAM privesc taxonomy — iam_privesc_by_attachment is the first scenario.

Scope is deliberately narrow. Three to four shipped rules is the target. Four working detection rules in a public repo is more credible than thirty drafted ones.

What’s done

  • Local toolchain verified: AWS CLI 2.34.42, Python 3.9.6, Terraform 1.15.1
  • CloudGoat installed in a Python virtual environment
  • AWS account and IAM user provisioned for lab use
  • Repository scaffolding planned; the dual-repo discipline (private internal + sanitized public) is carried over from securebytes-platform

What’s next

  • First scenario stand-up (iam_privesc_by_attachment)
  • Stratus Red Team attack execution
  • CloudTrail capture and event shape analysis
  • First Sigma rule + the full validation loop

A walkthrough post will follow each rule shipped — what the attack actually does in CloudTrail, where the rule trips on it, and the false-positive surface area I had to design around. Detection content is only as good as the writeup that explains why it works.


Stack

AWS, Sigma, CloudGoat, Stratus Red Team, CloudTrail, Python