TryHackMe Monitoring AWS Logins | Splunk | Full Walkthrough 2026
Author: Djalil Ayed
Uploaded: 2026-02-04
Views: 5
Description:
🧭 Explore AWS authentication, common IAM threats, and SIEM detection options.
🏷️🏷️ Room Link: https://tryhackme.com/room/monitoring...
🦮🦮 We will use Splunk for log investigation
Monitoring the control plane is the first step in securing your cloud environment. And within the control plane, authentication is the first area to focus on: who is logging in to AWS, from where, and which credentials they are using. This room walks you through the most common attacks against AWS identities and the defenses used to protect them.
🦮 Learning Objectives 🦮
🍐 Understand the concept of IAM, access keys, roles, and policies
🍐 Learn how CloudTrail logs different methods of logins in AWS
🍐 Explore real-world cloud breaches and learn how to avoid them
🍐 Practice the acquired knowledge in a series of mini-challenges
🦮 Timestamps: 🦮
[00:00:00] Task 1: Introduction
[00:02:57] Task 2: IAM and User Credentials
[00:07:49] Task 3: Monitoring Console Logins
[00:16:35] Task 4: Monitoring Access Keys
[00:34:19] Task 5: Detecting IAM Role Abuse
[00:43:46] Task 6: Detecting IAM Changes
[00:49:16] Task 7: Conclusion
🦮 Room Tasks: 🦮
🌧️ Task 1: Introduction
🐧 Task 2: IAM and User Credentials
What type of credential is used to access AWS resources via CLI/SDK?
Which IAM identity type allows you to gain AWS permissions temporarily?
🤖 Task 3: Monitoring Console Logins
How many times did Thomas fail to log in to the AWS console?
Which other user logged in to the AWS console without MFA?
🐈 Task 4: Monitoring Access Keys
What access key ID of Michael was used in the attack?
What is the name of the S3 bucket accessed by the attackers?
How many files were exfiltrated and deleted by the adversary?
Which file was uploaded to the bucket at the end of the attack?
Which AWS service was used most by the user who did not use access keys?
🐶 Task 5: Detecting IAM Role Abuse
Which EC2 instance ID used the UserAvatarsProcessor role?
Someone assumed the EU-RemoteSupport IAM role. How did they name the role session?
Which user assumed the IAM role from the question above?
🚨 Task 6: Detecting IAM Changes
Under which ARN does the Splunk integration authenticate? SOC Note: This is an exceptionally insecure configuration!
When was the over-privileged integration access key created?
🐆 Task 7: Conclusion
⚠️ Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.
Don't forget to 👍 LIKE and 🔔 SUBSCRIBE for more cybersecurity tutorials!
#tryhackme #splunk