whatisgithub

What is soc-day16-aws-cloud-security-investigation?

will75g/soc-day16-aws-cloud-security-investigation — explained in plain English

Analysis updated 2026-05-18

1Audience · researcherComplexity · 1/5Setup · easy

In one sentence

A hands on lab report showing how an analyst investigates AWS account activity with CloudTrail to find security misconfigurations.

Mindmap

mindmap
  root((repo))
    What it does
      SOC training lab report
      AWS CloudTrail investigation
      Documents findings
    Tech stack
      AWS CloudTrail
      AWS GuardDuty
      IAM
      MITRE ATT&CK
    Use cases
      Learn cloud security analysis
      Study CloudTrail log review
      See MFA misconfiguration example
    Audience
      Security students
      SOC trainees
      Cloud beginners

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Study a worked example of investigating AWS CloudTrail logs for misconfigurations

USE CASE 2

Learn how to map security findings to the MITRE ATT&CK framework

USE CASE 3

See a sample remediation checklist for root account and logging issues

What is it built with?

AWS CloudTrailAWS IAMAWS GuardDutyMITRE ATT&CK

How does it compare?

will75g/soc-day16-aws-cloud-security-investigation0xkinno/neuralvault0xmayurrr/ai-contractauditor
Stars111
LanguageTypeScriptTypeScript
Setup difficultyeasyhardeasy
Complexity1/54/52/5
Audienceresearcherdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

So what is it?

This repository is a written lab report for Day 16 of a SOC (Security Operations Center) analyst training series. It documents a hands on AWS cloud security investigation exercise using AWS CloudTrail to examine account activity and identify security misconfigurations. The scenario involves creating a CloudTrail trail, a logging service that records every action taken in an AWS account, and reviewing the resulting event history. The investigation analyzed 11 management events and found two problems. The first, classified as high severity, was that the root account, the master account with full access to all AWS services and resources, had been used without multi factor authentication enabled. The second finding was that log file validation was disabled, meaning someone could potentially alter the log records without detection. A third event that initially appeared suspicious, activity from a user named onboarding, was confirmed to be an automated AWS internal service, not a human. Each finding is mapped to the MITRE ATT&CK framework, a widely used reference for categorizing attacker tactics and techniques. The report also includes remediation recommendations: enable MFA on the root account, turn on log file validation, create a dedicated IAM admin user for daily tasks instead of using root, and enable AWS GuardDuty for automated threat detection. The repository contains the README write up alongside screenshots documenting each step of the investigation. It is structured as a learning exercise showing the workflow a cloud security analyst follows when investigating suspicious AWS activity. The full README is longer than what was shown.

Copy-paste prompts

Prompt 1
Explain the CloudTrail findings in this lab report and why disabled log file validation is risky
Prompt 2
Write a checklist based on this report for securing a new AWS account's root user and logging
Prompt 3
Summarize how this report maps its findings to the MITRE ATT&CK framework

Frequently asked questions

What is soc-day16-aws-cloud-security-investigation?

A hands on lab report showing how an analyst investigates AWS account activity with CloudTrail to find security misconfigurations.

How hard is soc-day16-aws-cloud-security-investigation to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is soc-day16-aws-cloud-security-investigation for?

Mainly researcher.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.