AWS Security Logging

Amazon Web Services (AWS) is one of the most used IaaS cloud providers, and many companies worldwide, including TryHackMe, heavily use its compute, storage, databases, networking, and ML services. This room explains the tools to monitor the AWS cloud environment for threats and provides best practices on auditing AWS activities in SIEM by the SOC.

Tip: It is a good idea to create your own AWS account and test each service as you go through the tasks. While this room focuses on the SIEM perspective, seeing how things appear in the AWS console will help you better understand the material. AWS has a free tier that you can try by following the link (opens in new tab). Just be mindful of the costs going beyond the free tier.

Learning Objectives

• Explore control plane, managed services, and workload security
• Practice using CloudTrail and GuardDuty for threat detection
• Learn about cloud log sources, such as CloudFront and S3 logs
• Gain a broad overview of how to log and monitor AWS as a SOC

Prerequisites

• Complete the Cloud Security Pitfalls room
• Complete the Splunk: The Basics room
• Preferably, complete the Introduction to AWS module
• Preferably, complete the SOC Level 1 Analyst path

Lab Access

Start the lab by clicking the Start Machine button below. You will then have access to the Splunk Web Interface. Please wait 4-5 minutes for the Splunk instance to launch. To access Splunk, follow this link:

• https://LAB_WEB_URL.p.thmlabs.com (opens in new tab)

Set up your virtual environment

To successfully complete this room, you'll need to set up your virtual environment. This involves starting the Target Machine, ensuring you're equipped with the necessary tools and access to tackle the challenges ahead.

Target machine

Status:Off

Start Machine