Automated Defence using Cloud Services for AWS, Azure & GCP


Monitoring for attacks and defending against them in real time is crucial. Defending our cloud infrastructure during attacks can prove to be a nightmare, even with the solutions currently available in the market. We live in a cloud-first era, where the cloud is our first choice of deployment due to its convenience and scalability. In this workshop, we will learn how to defend our cloud infrastructure using Serverless and Elastic Stack. Elastic Stack collects and analyses logs and triggers alerts based on a configured rule-set. The Serverless stack drives the defence by performing automated blocking, configured according to the use case and the type of attack. The current solution works on AWS, Azure and GCP. It can be extended to other providers and to custom solutions such as in-house firewalls, IPS, etc.

Thursday, 07 Feb 2019 00:00 UTC
Taj Yeshwantpur, Bengaluru


Some of the real-world scenarios we will be covering during the workshop include:

  • SSH Brute-force detection & defence
  • Content Management System Audit analysis (Azure)
  • AWS IAM CloudTrail logs to detect and defend against backdoors (AWS)
  • Container logs to defend against Kubernetes security attacks (GCP)

High Level Overview

  • Environment setup using automated playbook
  • Cloud providers accounts configuration
  • Setting up hardened Elastic Stack using Ansible playbooks and Terraform
  • Configuring cloud infrastructure to send logs to centralized monitoring system
  • Attack patterns analysis and detection
  • Building attack monitoring dashboards
  • Setting up near real-time alerts (Slack, email, etc.)
  • SSH brute-force attack against infrastructure
  • Building security dashboards for analysis
  • Detecting the attack and applying real-time defence
  • CMS application service attack simulation
  • Attack audit analysis using security dashboards
  • Deploying the automated defence
  • Setting up a monitoring system for AWS CloudWatch and AWS CloudTrail logs
  • Abusing metadata and gaining access to compromised AWS IAM keys for users and roles
  • Identifying usage of compromised IAM keys using AWS CloudTrail logs
  • Defending against compromised IAM keys using Serverless (AWS Lambda)
  • Setting up automated Kubernetes infrastructure with services
  • Monitoring Kubernetes security events for attacks
  • Attacking containerized applications in Kubernetes
  • Near real-time automated defence against Docker container security attacks


  • Most of the workshop will be covered using demonstrations and discussions around the scenarios
  • Laptop with browser and wireless connectivity would be useful
  • Keep a hotspot handy for internet access (if required)
Madhu Akula
Never Ending Learner!

Madhu Akula is a pragmatic security leader and the creator of Kubernetes Goat, an intentionally vulnerable-by-design Kubernetes cluster for learning and practising Kubernetes security. He is also a published author and cloud native security researcher with extensive experience, and an active member of the international security, DevOps and cloud native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, OWASP, etc). He holds industry certifications such as OSCP (Offensive Security Certified Professional), CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), etc. Madhu frequently speaks and runs training sessions at security events and conferences around the world, including DEFCON (24, 26, 27, 28, 29, 30), BlackHat (2018, 19, 21, 22 & 23), USENIX LISA (2018, 19 & 21), SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018, 19, 22), All Day DevOps (2016, 17, 18, 19, 20, 21 & 22), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n (2017, 18 & 20), Nullcon (2018, 19, 21 & 22), SACON 2019, Serverless Summit, null and multiple others. His research has identified vulnerabilities in 200+ companies and organisations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, and he has been credited with multiple CVEs, acknowledgements and rewards. He is co-author of Security Automation with Ansible 2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the books Learn Kubernetes Security and Practical Ansible 2, published by Packt Pub. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.