AWS Enumeration for Purple Teams
2025-09-05, Workshops 2

Aimed at both Blue and Red teams, this hands-on workshop gives participants a deep dive into AWS enumeration techniques and detection opportunities. Through guided labs, attendees will learn how attackers can use policy misconfigurations to identify paths to their objectives. For defenders, we will discuss real-world detection opportunities, log sources, and effective monitoring strategies to identify suspicious enumeration activity before it escalates into full-blown compromise.

Along the way we introduce dAWShund, a new tool designed to map and visualize AWS resource relationships, helping Red Teams identify attack paths and Blue Teams strengthen defenses and put a leash on naughty permissions. The idea is to hold an interactive workshop that encourages discussion among participants.

By the end of the workshop, attendees will be able to:
- Understand the differences between AWS resources and policy types. (TL;DR it’s a hot mess)
- Get a grasp of permissions validation (A bigger hot mess)
- Spot detection opportunities for enumeration (We'll use Sentinel and KQL)
- Discuss areas of improvement for the future

Technical requirements for the audience:
- Don't forget to bring your own laptop
- Basic knowledge of AWS, although all terminology will be explained.


Workshop instructions
It is suggested to download the following packages and tools before the workshop:
Simulating the attacks:
For Debian-based distros (you can alternatively use Windows, but please make sure to follow the applicable instructions):

apt install python3 aws-cli neo4j python3-neo4j
pip3 install boto3

Enumeration tools to be used in the workshop:
- dAWShund
- IAM APE

Access to Attack and Defense lab
To keep things in order, each participant will receive unique credentials to access the attack lab (AWS) and the detection platform (Sentinel).

I’ve always admired those that said “You will not have to work for the rest of your life if you make money from your hobby”. Especially if it meant a true “impact that matters” for people and networks, so my goal was to become one of the best incident responders out there. While it was fun to study and play with my friends in “Aggressive Cake” (a fitting name for a CTF team) in an effort to break into the cybersecurity industry, it soon became apparent that reality is far from the innocent dream of doing what you love.

Fast-forward 4 years, and I really started wondering if it would be better to become a fisherman. After all, the sea tides are less harsh than the life of a responder. Working overtime to get the thrill of catching the bad guys was not worth it. Sometimes I pray that AI takes this job (and auditing) away. Thankfully my remaining soul shards and weekends were saved by switching to purple teaming. I now craft detections and research cloud security within FalconForce. I like petting stray dogs and watching sunsets.