AWS Security Hub & GuardDuty Lab
A hands-on lab demonstrating the full incident response lifecycle in AWS. This project showcases the use of native AWS tools to detect, analyze, and remediate a potential account compromise (GuardDuty) and a critical data exposure risk (public S3 bucket).
Objective
This project demonstrates the hands-on ability to use native AWS security services to detect, analyze, and remediate both a potential account compromise and a critical data exposure risk, providing a comprehensive overview of a cloud security analyst’s workflow.
Tools & Technologies Used
- AWS Security Hub: For centralizing, managing, and analyzing security findings.
- Amazon GuardDuty: For intelligent, behavior-based threat detection.
- Amazon S3: Used to create and remediate a common storage misconfiguration.
- AWS IAM: For implementing identity and access management best practices.
- Markdown: For creating the final project report.
Project Walkthrough
This lab simulates a real-world security scenario. First, an active threat is detected via a potential credential compromise. Second, a static infrastructure misconfiguration is identified. The project follows the full lifecycle: introducing vulnerabilities, detecting them with AWS tools, analyzing the risk, and performing remediation.
Phase 1: Setup & Baseline
The initial phase involved enabling and configuring core AWS security services to establish a monitoring baseline. AWS Security Hub was enabled to centralize security findings, and Amazon GuardDuty was activated for intelligent threat detection.
Phase 2: Introducing Vulnerabilities
This phase involved the introduction of both a behavioral threat and a common infrastructure misconfiguration.
- (Unintentional) Behavioral Threat: A login to the AWS Root User account was performed from an IP address associated with a known VPN service, simulating a potential credential compromise.
- Infrastructure Misconfiguration: An Amazon S3 bucket was configured for public access by disabling the “Block Public Access” setting and applying a public-read bucket policy.
Phase 3: Detection & Analysis
This phase covers the detection and analysis of the findings using AWS GuardDuty and Security Hub.
Finding 1: Potential Root Credential Compromise (CRITICAL) Amazon GuardDuty generated a critical alert after detecting anomalous activity associated with the account’s root user.

- Analysis: This is the most severe type of alert, as a compromise of the root user gives an attacker unrestricted access to the entire AWS account. The finding was triggered by a login from an IP address associated with a VPN, which GuardDuty’s behavioral analysis correctly identified as a tactic used by attackers to obscure their location. The finding cited several MITRE ATT&CK techniques, including
T1078.004 - Valid Accounts: Cloud Accounts, indicating a potential attacker was using legitimate (stolen) credentials for initial access.
Finding 2: Public S3 Bucket Detected (CRITICAL) A CRITICAL severity finding was generated by Security Hub after the public-read bucket policy was applied.

- Analysis: This finding indicates a severe data exposure risk, as any data placed in this bucket would be readable by anyone on the internet, potentially leading to a data breach.
Phase 4: Remediation & Verification
The final phase involved correcting the misconfiguration and implementing security best practices to mitigate the identified risks.
Root Credential Compromise Remediation:
- Investigation: The alert was investigated and confirmed to be a false positive resulting from an accidental administrative login from a VPN.
- Best Practice Implementation: To align with AWS security best practices, the following actions were taken:
- The root user will no longer be used for any daily administrative or lab tasks.
- A dedicated IAM user (
ej-admin) with administrative privileges has been created for all future work. - Multi-Factor Authentication (MFA) has been enforced on both the root account and the new IAM admin user.
S3 Bucket Remediation: The public-read bucket policy was removed, and the “Block Public Access” setting was re-enabled at the bucket level. The finding was confirmed as “Resolved” in Security Hub.

Conclusion & Key Learnings
This project provided practical experience in the full detect-analyze-remediate lifecycle using native AWS security tools. Key learnings include:
- The importance of behavioral threat detection (GuardDuty) in identifying potential account compromises, not just static misconfigurations.
- The critical need to adhere to IAM best practices, especially by avoiding the use of the root user and enforcing MFA.
- The process of analyzing and remediating a critical data exposure risk (public S3 bucket) to protect sensitive information.