research project hosted on AWS. • Deniz, a bright but sneaky intern who just got temporary access. • Prof. Arda, the lead professor who trusts everyone a little too much. • Amazon GuardDuty, the silent guardian. The watchful protector. Scenario 1: The Case of the Intern
predicting earthquakes. All the data and code is stored in: • An S3 bucket (ai-research-data) • A couple of EC2 instances running training jobs • IAM users and roles set up — but with over-permissioned policies Prof. Arda gives Deniz admin-level IAM access by accident. “You’re smart, just don’t touch anything weird.” Spoiler: Deniz touches weird things. Scenario 1: The Case of the Intern
Downloads them from a strange IP in another country. • Spins up a huge EC2 instance to mine crypto under the university's bill. • Disables CloudTrail logs for a few hours. Scenario 1: The Case of the Intern
Christmas tree: • Recon:IAMUser/AnomalousBehavior – unusual use of permissions • UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration – someone tried to use instance credentials outside AWS • Discovery:S3/AnomalousBehavior – sudden, massive download from S3 • CryptoCurrency:EC2/BitcoinTool.B!DNS – EC2 is doing crypto stuff Ece checks the GuardDuty findings, sees Deniz's user involved in everything, and acts fast. Scenario 1: The Case of the Intern
dashboard project using AWS. • Sena, his teammate who handles GitHub and deployment. • CodeBandit, a bot that scrapes public GitHub repos for secrets like API keys. • Amazon GuardDuty, once again the silent superhero. Scenario 2: The GitHub Oops and the Stolen AWS Keys
with programmatic access and generates AWS access keys. Sena accidentally commits a file named .env with this inside: AWS_ACCESS_KEY_ID=AKIA.... AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCY... She pushes it to GitHub... on a public repo. Scenario 2: The GitHub Oops and the Stolen AWS Keys
and someone from a suspicious IP: • Spins up dozens of EC2 instances for crypto mining. • Uploads large files to S3 to use as temporary storage. • Tries to enumerate other IAM roles and policies. • Connects to malicious domains from inside EC2. The AWS bill is exploding Scenario 2: The GitHub Oops and the Stolen AWS Keys
• Recon:IAMUser/NetworkPermissions – trying to understand the network layout • Impact:CredentialExfiltration – usage of IAM keys from unusual geolocations • Recon:IAMUser/MaliciousIPCaller – known bad IPs contacting the account Scenario 2: The GitHub Oops and the Stolen AWS Keys
learning project for traffic prediction. • Zehra, his classmate who helps with datasets and reports. • BucketCrawler, a data-harvesting bot that scans the internet for public S3 buckets. • Amazon GuardDuty, the hero of the cloud. Scenario 3: The Curious Case of the Public S3 Bucket
an S3 bucket and shares access with Zehra. • While trying to quickly debug permissions, he sets the bucket policy to public read/write and forgets to change it back. The bucket now: • Has open access to the internet • Contains research data + internal reports • Is indexed by search engines Scenario 3: The Curious Case of the Public S3 Bucket
S3 bucket and: • Downloads multiple files, including research PDFs and CSVs • Uploads a malicious file to the bucket (evil.js) • Accesses the bucket from an unusual country Scenario 3: The Curious Case of the Public S3 Bucket
Policy:S3/BucketPublicAccess – a bucket was made public • Recon:S3/ListBuckets – scanning activity detected • UnauthorizedAccess:S3/TorIPCaller – bucket accessed by an IP in the TOR network • Impact:S3ObjectWrite.B – unknown object written to a bucket Scenario 3: The Curious Case of the Public S3 Bucket
senayakut
lauravandoore
aleyda
jacobtomlinson
pauljervisheath
csswizardry
jakevdp
kastner
signer
aarron
notwaldorf
michielstock
takai
