As cloud environments continue to evolve, organizations have gradually refined how they approach the management and protection of their infrastructure. The complexity inherent to cloud-native platforms, along with the intricacies of security configurations, makes cloud security a domain that demands constant attention, expertise, and adaptation. Keeping pace with changes and making deliberate use of emerging tools and patterns is essential to reducing risk and strengthening cloud resilience.
At AttackIQ, we’ve updated and expanded two of our AWS-focused security assessments to better align with the latest threats, AWS service capabilities, and customer priorities. These enhancements let security teams validate their cloud defenses against real-world attack techniques in a safe, controlled way, so that they can confidently identify gaps before adversaries do.
With the new scenarios and updated assessments, customers can:
- Test and validate the effectiveness of their AWS security controls with greater accuracy
- Gain actionable insights into misconfigurations and blind spots specific to their environment
- Continuously improve their detection and response strategies to match the pace of cloud innovation and attacker tactics and techniques
By keeping your cloud assessments aligned with today’s risks, AttackIQ helps you move from a reactive to a proactive posture, building stronger, more resilient cloud defenses that protect your business outcomes.
AWS CloudTrail Health Check
This assessment performs a basic health check of AWS CloudTrail by listing configured trails and testing whether the APIs can be executed. It helps identify potential misconfigurations or excessive permissions that could allow adversaries to disable logging. We added a new scenario that complements the existing attack emulations against the configuration of this service:
Enumerate AWS CloudTrail trails (T1526, T1654): This scenario uses the read-only DescribeTrails API call from CloudTrail to emulate the enumeration of available trail configurations, a common preparatory step observed before attempting direct attacks on the service such as stopping or deleting a trail.
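To make the check concrete, here is an added example (our illustration, not AttackIQ's code) of the evaluation a CloudTrail health check performs once the DescribeTrails and GetTrailStatus calls succeed: it flags trails whose logging is stopped, accounts with no multi-region trail, and trails without log file validation or KMS encryption. The FakeCloudTrail client, account number, trail names and status values are constructed stand-ins so the code runs offline; the response field names are the ones the two APIs actually return.

```python
"""Offline version of the CloudTrail health check described above.

Added example, not AttackIQ's code. Response shapes follow the documented
DescribeTrails and GetTrailStatus outputs; FakeCloudTrail and the sample
trails are constructed here so the check runs without AWS credentials.
Replace FakeCloudTrail with boto3.client("cloudtrail") to run it for real.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Finding:
    trail: str
    severity: str
    message: str


class FakeCloudTrail:
    """Stand-in for the boto3 CloudTrail client (assumed interface, constructed data)."""

    def __init__(self, trails: List[Dict[str, Any]], status_by_arn: Dict[str, Dict[str, Any]]):
        self._trails = trails
        self._status = status_by_arn

    def describe_trails(self) -> Dict[str, Any]:               # cloudtrail:DescribeTrails
        return {"trailList": list(self._trails)}

    def get_trail_status(self, Name: str) -> Dict[str, Any]:   # cloudtrail:GetTrailStatus
        return dict(self._status[Name])


def health_check(client) -> List[Finding]:
    """List trails, then flag the weaknesses an adversary would exploit to go unlogged."""
    trails = client.describe_trails()["trailList"]
    if not trails:
        return [Finding("-", "HIGH", "no CloudTrail trails configured")]
    findings: List[Finding] = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append(Finding("-", "HIGH", "no multi-region trail: API activity in other regions is not recorded"))
    for t in trails:
        name = t["Name"]
        status = client.get_trail_status(Name=t["TrailARN"])
        if not status.get("IsLogging"):
            findings.append(Finding(name, "HIGH", "trail exists but IsLogging is false (StopLogging or never started)"))
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding(name, "MEDIUM", "log file validation disabled: tampered log files cannot be detected"))
        if not t.get("KmsKeyId"):
            findings.append(Finding(name, "LOW", "log files not encrypted with a customer-managed KMS key"))
        if status.get("LatestDeliveryError"):
            findings.append(Finding(name, "MEDIUM", f"log delivery failing: {status['LatestDeliveryError']}"))
    return findings


# Constructed sample account: one healthy organisation trail, one neglected legacy trail.
ACCOUNT = "111122223333"
SAMPLE_TRAILS = [
    {"Name": "org-trail", "TrailARN": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/0000-example", "S3BucketName": "org-trail-logs"},
    {"Name": "legacy-trail", "TrailARN": f"arn:aws:cloudtrail:eu-west-1:{ACCOUNT}:trail/legacy-trail",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "S3BucketName": "legacy-logs"},
]
SAMPLE_STATUS = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"IsLogging": True, "LatestDeliveryTime": "2025-10-23T14:00:00Z"},
    SAMPLE_TRAILS[1]["TrailARN"]: {"IsLogging": False, "StopLoggingTime": "2025-09-01T09:12:00Z"},
}


def run_sample() -> List[Finding]:
    return health_check(FakeCloudTrail(SAMPLE_TRAILS, SAMPLE_STATUS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.trail}: {f.message}")
```

The same health_check function works unchanged against a real boto3 client because it only relies on the documented response keys; the point of injecting the client is that the evaluation logic can be tested without an account, and that a principal lacking cloudtrail:GetTrailStatus fails loudly at the call rather than silently reporting a healthy trail.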
AWS Deployment Health Check
This assessment is a great option for those seeking greater visibility into the security controls applied across various AWS cloud resources. We have expanded the scope of the assessment to cover a wider range of techniques. Below is a detailed description of all newly incorporated behaviors included in the updated template, organized by tactic.
Defense Evasion
Consists of techniques adversaries use to evade detection and impede forensic analysis during an intrusion.
Modify AWS Config Retention Period (T1562.008): This scenario uses the PutRetentionConfiguration API call from AWS Config to verify whether the calling identity has permission to modify the retention period of configuration items.
Modify AWS Lambda Function Environment Variable (T1578): This scenario uses the UpdateFunctionConfiguration API call from AWS Lambda to modify a function’s environment variables, emulating an adversary altering configuration to bypass restrictions or evade detection.
Modify AWS Lambda Function IAM Role (T1578): This scenario uses the same UpdateFunctionConfiguration API call from AWS Lambda to emulate an adversary changing the execution role associated with a function, thereby indirectly gaining permissions to perform actions that would otherwise be denied.
Stop CloudTrail Logging (T1562.008): This scenario uses the StopLogging API call from CloudTrail to disable logging for a specified CloudTrail trail, testing defenses against actions that could suppress audit logs and help an attacker cover their tracks.
Credential Access
Consists of techniques used by adversaries to harvest credentials present within a compromised environment.
Enumerate AWS Lambda Function Environment Variables (T1580): This scenario uses the GetFunctionConfiguration API call from AWS Lambda to enumerate the environment variables of each Lambda function, providing insight into application internals and identifying potentially sensitive data. Because the call returns the configured values to any principal allowed lambda:GetFunctionConfiguration, secrets stored in environment variables are a frequent credential-access target.
Discovery
Consists of techniques that adversaries use to discover information related to the compromised environment.
Enumerate AWS CloudTrail trails (T1526, T1654): This same scenario has also been included in this assessment template to provide visibility into the configurations of this resource.
Enumerate AWS Config Recorders (T1580, T1654): This scenario uses the DescribeConfigurationRecorders API call from the AWS Config service to enumerate configuration recorders, revealing which recorders exist, which resource types they record, and the IAM role they use.
Enumerate AWS Config Rules (T1580, T1654): This scenario uses the DescribeConfigRules API call from AWS Config to enumerate all active Config rules in a given AWS region, providing insight into the environment’s security posture.
Enumerate AWS Lambda Functions (T1526): This scenario uses the ListFunctions API call from the AWS Lambda service, providing greater visibility into one of the most widely used resources in AWS.
Enumerate AWS Lambda Function URL Config (T1580): This scenario uses the ListFunctionUrlConfigs API call from the AWS Lambda service to enumerate all configured function URLs, mapping exposed endpoints to better understand the application’s external footprint.
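The scenarios in the Defense Evasion and Discovery sections above are only useful if the calls they generate are caught. The following added example (our illustration, not AttackIQ's code) shows detection logic for them run over constructed CloudTrail records: single-event rules for StopLogging, PutRetentionConfiguration and the two UpdateFunctionConfiguration variants (role swap and environment change), plus a correlation rule that fires when one principal issues several of the read-only discovery calls (DescribeTrails, DescribeConfigurationRecorders, DescribeConfigRules, ListFunctions, ListFunctionUrlConfigs, GetFunctionConfiguration) in a short window. The sample events, principal ARNs, thresholds, severities and the extra DeleteTrail and StopConfigurationRecorder entries are this example's assumptions. One real-world detail it handles: Lambda records its eventName with an API-version suffix (for example UpdateFunctionConfiguration20150331v2), which must be stripped before matching.

```python
"""Detection logic for the API calls emulated by the scenarios above.

Added example, not AttackIQ's code. SAMPLE_EVENTS are constructed to follow
the CloudTrail record schema; principals, thresholds and severities are this
example's choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Lambda records eventName with an API-version suffix, e.g.
# "UpdateFunctionConfiguration20150331v2"; strip it so rules match the API name.
_API_VERSION = re.compile(r"\d{8}(v\d+)?$")


def api_name(event: Dict) -> str:
    return _API_VERSION.sub("", event["eventName"])


# Single write calls that degrade logging. DeleteTrail and StopConfigurationRecorder
# are added here beyond the page's scenarios.
TAMPER_RULES: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("cloudtrail.amazonaws.com", "StopLogging"): ("HIGH", "CloudTrail logging stopped"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("HIGH", "CloudTrail trail deleted"),
    ("config.amazonaws.com", "PutRetentionConfiguration"): ("MEDIUM", "AWS Config retention changed"),
    ("config.amazonaws.com", "StopConfigurationRecorder"): ("HIGH", "AWS Config recorder stopped"),
}

# Read-only calls used to map logging and Lambda: harmless alone, telling in bulk.
DISCOVERY_CALLS = {
    ("cloudtrail.amazonaws.com", "DescribeTrails"),
    ("config.amazonaws.com", "DescribeConfigurationRecorders"),
    ("config.amazonaws.com", "DescribeConfigRules"),
    ("lambda.amazonaws.com", "ListFunctions"),
    ("lambda.amazonaws.com", "ListFunctionUrlConfigs"),
    ("lambda.amazonaws.com", "GetFunctionConfiguration"),
}
DISCOVERY_THRESHOLD = 4                    # distinct discovery APIs by one principal
DISCOVERY_WINDOW = timedelta(minutes=10)   # ... within this window (assumed tuning)


def _principal(event: Dict) -> str:
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def _when(event: Dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return alerts in time order: tamper rules, Lambda config rules, discovery bursts."""
    alerts: List[Dict] = []
    recon: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    burst_fired = set()
    for e in sorted(events, key=_when):
        key = (e["eventSource"], api_name(e))
        who = _principal(e)
        if key in TAMPER_RULES:
            sev, msg = TAMPER_RULES[key]
            alerts.append({"severity": sev, "principal": who, "rule": msg, "eventName": e["eventName"]})
        elif key == ("lambda.amazonaws.com", "UpdateFunctionConfiguration"):
            params = e.get("requestParameters") or {}
            fn = params.get("functionName", "?")
            if "role" in params:         # execution role swap: indirect privilege gain
                alerts.append({"severity": "HIGH", "principal": who,
                               "rule": f"Lambda execution role changed on {fn}", "eventName": e["eventName"]})
            if "environment" in params:  # environment variables changed
                alerts.append({"severity": "MEDIUM", "principal": who,
                               "rule": f"Lambda environment modified on {fn}", "eventName": e["eventName"]})
        elif key in DISCOVERY_CALLS:
            now = _when(e)
            hist = recon[who]
            hist.append((now, key[1]))
            hist[:] = [h for h in hist if h[0] >= now - DISCOVERY_WINDOW]   # slide the window
            distinct = sorted({api for _, api in hist})
            if len(distinct) >= DISCOVERY_THRESHOLD and who not in burst_fired:
                burst_fired.add(who)     # one burst alert per principal
                alerts.append({"severity": "LOW", "principal": who,
                               "rule": f"discovery burst: {', '.join(distinct)}", "eventName": e["eventName"]})
    return alerts


def _ev(t, source, name, who, params=None, read_only=True):
    """Build a minimal CloudTrail record (constructed; only the fields detect() reads)."""
    return {"eventVersion": "1.10", "eventTime": t, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "readOnly": read_only, "requestParameters": params,
            "userIdentity": {"type": "AssumedRole" if "assumed-role" in who else "IAMUser", "arn": who}}


CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"   # constructed principal
DEV = "arn:aws:iam::111122223333:user/alice"                       # constructed principal
SAMPLE_EVENTS = [
    _ev("2025-10-23T14:00:05Z", "lambda.amazonaws.com", "ListFunctions20150331", CI),
    _ev("2025-10-23T14:00:12Z", "cloudtrail.amazonaws.com", "DescribeTrails", CI),
    _ev("2025-10-23T14:00:20Z", "config.amazonaws.com", "DescribeConfigurationRecorders", CI),
    _ev("2025-10-23T14:00:31Z", "config.amazonaws.com", "DescribeConfigRules", CI),
    _ev("2025-10-23T14:00:45Z", "lambda.amazonaws.com", "GetFunctionConfiguration20150331v2", CI,
        {"functionName": "payments-api"}),
    _ev("2025-10-23T14:02:10Z", "lambda.amazonaws.com", "UpdateFunctionConfiguration20150331v2", CI,
        {"functionName": "payments-api", "role": "arn:aws:iam::111122223333:role/AdminRole"}, False),
    _ev("2025-10-23T14:03:00Z", "cloudtrail.amazonaws.com", "StopLogging", CI, {"name": "org-trail"}, False),
    # Ordinary developer activity: one list call and a timeout tweak stay silent.
    _ev("2025-10-23T14:05:00Z", "lambda.amazonaws.com", "ListFunctions20150331", DEV),
    _ev("2025-10-23T14:06:00Z", "lambda.amazonaws.com", "UpdateFunctionConfiguration20150331v2", DEV,
        {"functionName": "report-gen", "timeout": 30}, False),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['principal']}: {a['rule']} ({a['eventName']})")
```

Run against the sample, the CI principal produces three alerts in order (discovery burst, execution role change, StopLogging) while the developer's single ListFunctions and timeout change produce none; the burst rule is what ties the Discovery scenarios to the Defense Evasion ones, since the enumeration alone would not be worth an alert.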
Wrap-up
In summary, these updated assessments can help your company gain a clearer understanding of its security posture in AWS environments. Continuous threat emulation is essential to identify potential gaps and ensure that security controls are effectively detecting and responding to malicious activity. Our platform enables you to automate these emulations, streamlining the process of testing and validating your defenses on an ongoing basis.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.
*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Gerardo Schrott. Read the original post at: https://www.attackiq.com/2025/10/23/updates-to-our-aws-assessments/
