Simulate AWS Cloud Attacks with Real-World Techniques

Cloud attack simulations cheat sheet and tools

How can you tell if your threat detection measures are working in AWS? Or that your security controls and incident response playbooks are effective?

One effective approach is to simulate real-world attack techniques, and see if it detects them or works as expected!

Sounds awesome, but how do I do that? Won’t that take a bunch of work?

It definitely would if you started from scratch, but turns out there are some awesome open source tools that do exactly that. Let’s take a look at a few, and I’ll include a link at the end with multiple other tools similar to these:

  • Red Canary’s Atomic Red Team™
  • DataDog’s Stratus Red Team
  • Amazon’s GuardDuty tester
  • and more (keep reading)

Let’s take a closer look at each of these.

🔴 Red Canary’s Atomic Red Team™

Atomic Red Team is — in a word — a beast. It’s an impressive library of tests that security teams can use to execute simulated adversarial attacks, which can help you identify whether your defenses are working as expected or not. It’s even mapped to MITRE ATT&CK®.

While this tool has multiple scenarios for cloud environments, it wasn’t specifically designed for the cloud. That’s where this next tool shines…

🔴 DataDog’s Stratus Red Team

Stratus Red Team was designed for the cloud and it includes tests for AWS, Azure, GCP, and Kubernetes.

For example, to retrieve a bunch of secrets stored in Amazon’s Secrets Manager, you can detonate this module:

> stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secretsCode language: CSS (css)

What’s most impressive about this tool (at least to me) is how it creates its own required changes to detonate a TTP, keeps track of state, and then cleans up the resources. This is a lot easier said than done and quite impressive of an implementation.

🔴 Amazon’s GuardDuty tester

This one is a lot more specific because it’s really only focused on testing that you’ve successfully enabled Amazon GuardDuty in your environment(s) and it helps show examples of findings. Helpful, but limited and much more narrowly scoped than the prior two, and as compared to the rest of the list below. You can check it out here.

We’ve added more tools like these to simulate attacks against your cloud environments (including AWS, Azure, GCP, and Kubernetes). Check them out on CloudSec.Cybr

If you know anyone who needs to test their cloud defenses, don’t forget to share this with them!

Related Articles


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.