AWS Cloud SOC Analysis: Investigating Real-World Scenarios

The modern hack doesn’t look like a scene from Mr. Robot. There is no hooded figure frantically typing code to bypass a firewall. In 2026, the attacker simply logs in.

If you are working in a Security Operations Center (SOC) today, you are likely witnessing a massive shift. The battleground has moved from the on-premise server room to the nebulous expanse of the Cloud.

And if you are still relying on your old playbook, blocking IPs and scanning for malware hashes, you are fighting a war that ended five years ago.

I recently dove deep into a hands-on investigation of AWS attacks, and the results were a wake-up call for anyone in InfoSec.

Here is what a real-world cloud breach looks like, and why your ability to read JSON is now more important than your ability to configure a firewall.

Case Study 1: Investigating Compromised IAM

In the cloud, every action is an API call. A hack is often just a series of administrative commands run by a compromised identity. Let’s look at two scenarios that terrified me, not because they were complex, but because they were so simple.

Imagine getting an alert that your company’s backup data is gone. You rush to the logs. What are you looking for?

In a traditional environment, you’d look for a suspicious process. In AWS, you look for CloudTrail logs.

In this scenario, we tracked a compromised user, let’s call them “S3 User.” They didn’t deploy a virus. They simply ran standard AWS CLI commands:

Recon

They ran ListBuckets and GetBucketEncryption to find the most valuable, unencrypted data.

The Pivot

They focused on a bucket named web-dev-backup.

The Attack

They used GetObject to download your sensitive CSVs (exfiltration) and PutObject to upload a file named ransom-note.txt.

The attacker used the exact same tools your developers use every day. The only difference was the intent.

If you aren’t monitoring for abnormal API sequences (like a sudden spike in GetObject calls from a user who usually only uploads), you will miss this entirely.
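As an added illustration (not code from the original article), here is a small Python detector for exactly that pattern: it learns each identity's baseline API mix from a quiet window, then flags a burst of GetObject calls from an identity whose baseline never read objects. The records are constructed CloudTrail-style dictionaries; the field names are the standard CloudTrail ones, while the user name, bucket, keys and timestamps are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed CloudTrail-style records (not real logs). Only the standard fields
# the detection needs are populated: eventTime, eventName, userIdentity, requestParameters.
def rec(t, name, user, **params):
    return {"eventTime": t, "eventName": name, "eventSource": "s3.amazonaws.com",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params}
# Five quiet days of nightly uploads, then the recon -> download -> ransom-note burst.
CONSTRUCTED_EVENTS = (
    [rec(f"2026-01-0{d}T09:00:00Z", "PutObject", "s3-user",
         bucketName="web-dev-backup", key=f"db-{d}.sql") for d in range(1, 6)]
    + [rec("2026-01-06T02:10:00Z", "ListBuckets", "s3-user"),
       rec("2026-01-06T02:11:00Z", "GetBucketEncryption", "s3-user", bucketName="web-dev-backup")]
    + [rec(f"2026-01-06T02:{12 + i:02d}:00Z", "GetObject", "s3-user",
           bucketName="web-dev-backup", key=f"customers-{i}.csv") for i in range(8)]
    + [rec("2026-01-06T02:25:00Z", "PutObject", "s3-user",
           bucketName="web-dev-backup", key="ransom-note.txt")]
)
ATTACK_DAY = datetime(2026, 1, 6)  # everything before this is treated as the learning window

def _ts(e): return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def baseline_counts(events, cutoff):
    """Per-user count of each eventName seen before `cutoff` (the learning window)."""
    base = defaultdict(Counter)
    for e in events:
        if _ts(e) < cutoff:
            base[e["userIdentity"]["userName"]][e["eventName"]] += 1
    return base

def find_read_spikes(events, cutoff, window=timedelta(hours=1), min_calls=5):
    """Flag a user with >= min_calls GetObject inside `window` whose baseline has no GetObject."""
    base = baseline_counts(events, cutoff)
    reads = defaultdict(list)
    for e in sorted(events, key=_ts):
        if _ts(e) >= cutoff and e["eventName"] == "GetObject":
            reads[e["userIdentity"]["userName"]].append(_ts(e))
    alerts = []
    for user, times in reads.items():
        if base[user]["GetObject"] > 0:
            continue  # reading objects is normal for this identity; not an anomaly
        for i, t0 in enumerate(times):
            burst = sum(1 for t in times[i:] if t - t0 <= window)
            if burst >= min_calls:
                alerts.append({"user": user, "getobject_calls": burst,
                               "burst_start": t0.isoformat(), "baseline": dict(base[user])})
                break
    return alerts
```

On the constructed data the detector returns one alert for s3-user: eight GetObject calls in a window whose baseline contained nothing but PutObject.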

Case Study 2: Hunting with Splunk

The second scenario was even more insidious. It started with a brute-force attack against a user named helpdesk-luke.

Using Splunk, we didn’t just look for failed logins; we looked for what happened after the success.

Once the attacker compromised Luke’s account, they didn’t deface the website. They established Persistence.

They executed CreateUser to generate a new account: marketing-mark.

They immediately ran AddUserToGroup to place "Mark" into the Admins group.

The Evasion

Finally, they ran DeleteBucketPublicAccessBlock.

Suddenly, a Marketing user has admin rights and has just exposed your private storage to the public internet, likely to host a phishing site. To a casual observer, marketing-mark looks like a legitimate new hire.

To a skilled Cloud SOC analyst, the correlation between helpdesk-luke creating a user and that user immediately becoming an Admin is a flashing red light.
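One way to turn that correlation into code, as an added example rather than anything from the article or the course: the Python below links a CreateUser event to an AddUserToGroup into a privileged group for the same new principal within a short window, then records any public-exposure call the new principal makes afterwards. The records are constructed CloudTrail-style dictionaries using standard field names; the actors, group names, bucket and timestamps are made up, and a benign onboarding is included as a control that must not alert.

```python
from datetime import datetime, timedelta
# Constructed CloudTrail-style IAM and S3 records (not real logs) reproducing the
# helpdesk-luke -> marketing-mark chain, plus one benign onboarding as a control.
def rec(t, source, name, actor, **params):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": actor},
            "requestParameters": params}

CONSTRUCTED_EVENTS = [
    rec("2026-02-03T01:40:00Z", "iam.amazonaws.com", "CreateUser", "helpdesk-luke",
        userName="marketing-mark"),
    rec("2026-02-03T01:41:30Z", "iam.amazonaws.com", "AddUserToGroup", "helpdesk-luke",
        userName="marketing-mark", groupName="Admins"),
    rec("2026-02-03T01:45:00Z", "s3.amazonaws.com", "DeleteBucketPublicAccessBlock",
        "marketing-mark", bucketName="web-dev-backup"),
    rec("2026-02-03T10:00:00Z", "iam.amazonaws.com", "CreateUser", "it-admin",
        userName="new-hire"),
    rec("2026-02-03T10:05:00Z", "iam.amazonaws.com", "AddUserToGroup", "it-admin",
        userName="new-hire", groupName="ReadOnly"),
]

PRIVILEGED_GROUPS = {"Admins"}                      # groups whose membership means admin rights
EXPOSURE_CALLS = {"DeleteBucketPublicAccessBlock"}  # extend with other public-exposure APIs

def _ts(e): return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
def _param(e, key): return e.get("requestParameters", {}).get(key)
def _actor(e): return e["userIdentity"]["userName"]

def find_persistence_chains(events, window=timedelta(minutes=30)):
    """Correlate CreateUser -> AddUserToGroup(privileged) for the same new user within
    `window`, then collect exposure calls that new user makes after the escalation."""
    events = sorted(events, key=_ts)
    alerts = []
    for c in (e for e in events if e["eventName"] == "CreateUser"):
        new_user, t0 = _param(c, "userName"), _ts(c)
        for a in events:
            if (a["eventName"] == "AddUserToGroup" and _param(a, "userName") == new_user
                    and _param(a, "groupName") in PRIVILEGED_GROUPS
                    and t0 <= _ts(a) <= t0 + window):
                followups = [e["eventName"] for e in events
                             if _actor(e) == new_user and e["eventName"] in EXPOSURE_CALLS
                             and _ts(e) >= _ts(a)]
                alerts.append({"actor": _actor(c), "new_user": new_user,
                               "group": _param(a, "groupName"),
                               "escalation_seconds": int((_ts(a) - t0).total_seconds()),
                               "exposure_calls": followups})
    return alerts
```

The alert carries the creating identity, the new principal, how fast the escalation happened and what the new principal then exposed, which is the context an analyst needs to pivot from marketing-mark back to helpdesk-luke.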

The 3 Hard Truths for the Modern Analyst

If you want to survive in the era of Cloud SOC, you need to accept three new realities:

1. Identity is the Perimeter

In AWS, IP addresses are ephemeral. Attackers spin up EC2 instances or use proxies. Blocking an IP is like playing Whac-A-Mole. The only constant is the IAM Identity (User/Role). Your investigation must center on who is acting, not where they are coming from.

2. Context is King

A CreateUser event is boring. A CreateUser event at 3:00 AM by a Help Desk intern who has never created a user before? That is an incident. You cannot analyze logs in a vacuum; you must understand the baseline behavior of your identities.

3. JSON is a Survival Skill

Whether you are using jq in the terminal or parsing fields in Splunk, you need to be fluent in JSON. It is the language of the cloud. If you can't quickly parse a massive CloudTrail event to find the requestParameters, you are blind.

Final Thoughts

The adversary has upgraded their toolkit. They are living off the land, using your own cloud infrastructure against you. If you are still comfortable monitoring on-premise firewalls, you are protecting an empty castle.

It’s time to get uncomfortable. It’s time to learn the cloud.

Full Version of AWS SOC Analyst Course

Full version of this course can be found here.