AWS cloud security lab demonstrating VPC Flow Logs, CloudTrail, and network hardening

Notifications You must be signed in to change notification settings

ThomasG784098/healthcare-cloud-security-lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Healthcare Cloud Security Monitoring Lab

This project simulates a small healthcare-related cloud environment to demonstrate foundational cloud security, logging, and threat detection concepts. The focus is on visibility and detection rather than exploitation, aligned with enterprise healthcare security practices.

The environment consists of an Ubuntu Server EC2 instance hosted in AWS, a simulated S3 bucket containing non-sensitive placeholder data, and centralized logging using AWS CloudTrail and CloudWatch. A Kali Linux virtual machine is used to generate controlled security events.


Environment

  • Cloud Platform: AWS
  • Server OS: Ubuntu Server LTS (EC2)
  • Attacker/Test OS: Kali Linux
  • Logging: AWS CloudTrail, CloudWatch Logs, VPC Flow Logs

Architecture

The following diagram shows the overall architecture of the environment, including traffic flow, logging, and monitoring components.

[Image: Architecture Diagram]


Security Controls Implemented

  • IAM least-privilege roles and policies
  • Restricted security group rules (SSH limited to administrator IP)
  • CloudTrail enabled for management and data events
  • Centralized log visibility via CloudWatch

Security group configuration:

[Image: Security Group Rules]


Simulated Threat Scenarios

  • Network reconnaissance using Nmap
  • Failed SSH authentication attempts
  • Unauthorized S3 access attempts

Detection & Logging

Each simulated event was analyzed to identify where it appeared in AWS logs and how it could be detected in a real SOC environment.

CloudTrail was configured to forward API activity into CloudWatch Logs for centralized visibility:

[Image: CloudTrail Settings]

VPC Flow Logs were enabled at the VPC level to capture accepted and rejected network traffic:

[Image: VPC Flow Log Settings]
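Once CloudTrail is flowing into CloudWatch Logs, the "unauthorized S3 access attempts" scenario shows up as S3 API calls that fail with errorCode AccessDenied. The following script is an added example (not part of this repository) that parses CloudTrail's Records array and pulls out denied S3 calls, then counts repeated denials per caller, which is the pattern a SOC analyst would alert on rather than a single mistaken request. The records, bucket name, account id and user names are constructed sample data.

```python
import json
from collections import Counter

# Constructed CloudTrail export (not real events from the lab account).
# Field names follow the CloudTrail record schema: eventSource, eventName,
# errorCode, userIdentity, sourceIPAddress, requestParameters.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "lab-test-user"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "example-placeholder-bucket",
                           "key": "records/placeholder.csv"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "lab-test-user"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "example-placeholder-bucket"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/lab-ec2-role/i-0abc"},
     "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "example-placeholder-bucket",
                           "key": "records/placeholder.txt"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "admin"},
     "sourceIPAddress": "198.51.100.7"},
]})


def load_records(text):
    """Parse a CloudTrail JSON export and return its list of event records."""
    return json.loads(text)["Records"]


def actor_of(record):
    """Best available caller name: IAM user name, else the principal ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def s3_access_denied(records):
    """Return S3 API calls that failed with AccessDenied, one tuple per event:
    (eventTime, actor, sourceIPAddress, eventName, bucketName, key)."""
    hits = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com":
            continue
        if r.get("errorCode") != "AccessDenied":
            continue  # successful calls carry no errorCode at all
        params = r.get("requestParameters") or {}
        hits.append((r["eventTime"], actor_of(r), r["sourceIPAddress"],
                     r["eventName"], params.get("bucketName"), params.get("key")))
    return hits


def repeated_denials(records, threshold=2):
    """Callers with at least `threshold` denied S3 calls; repeated denials
    suggest probing for readable objects rather than a one-off typo."""
    counts = Counter(hit[1] for hit in s3_access_denied(records))
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for hit in s3_access_denied(recs):
        print("DENIED", *hit)
    print("repeat offenders:", repeated_denials(recs))
```

The same filter (eventSource = s3.amazonaws.com and errorCode = AccessDenied) can be expressed as a CloudWatch Logs metric filter on the trail's log group so the count feeds an alarm instead of a script.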


Security Monitoring Validation

Simulated network reconnaissance was performed using Nmap against the EC2 public IP. The scan results show all tested ports in a filtered state, indicating effective network-level restrictions.

[Image: Nmap Scan Output]

VPC Flow Logs captured both accepted and rejected traffic and forwarded events to Amazon CloudWatch Logs. Rejected inbound connections were successfully logged, demonstrating effective security group enforcement and monitoring visibility.

Accepted traffic example:

[Image: Flow Logs Accept]

Rejected traffic example:

[Image: Flow Logs Reject]
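The ACCEPT and REJECT screenshots above are individual records; detecting the Nmap scan means correlating the REJECT records by source address. The script below is an added example (not part of this repository) that parses the default 14-field VPC Flow Log format, lists rejected inbound flows to the instance, and flags any source whose rejected flows hit several distinct destination ports within a short window, which is what a `-p 22,80,443` scan looks like from the VPC side. The log lines, account id, ENI id and addresses are constructed sample data, and the NODATA line is included deliberately to show that such records must be skipped before the port fields are parsed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records: one accepted SSH session from the admin address,
# three rejected SYNs from one scanner to 22/80/443, one unrelated reject,
# and a NODATA record whose tuple fields are all "-".
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 50122 22 6 12 2048 1704103200 1704103260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 41001 22 6 1 44 1704103230 1704103290 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 41002 80 6 1 44 1704103231 1704103291 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 41003 443 6 1 44 1704103232 1704103292 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.25 33333 3389 6 1 44 1704103400 1704103460 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1704103500 1704103560 - NODATA
"""


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    start: int
    end: int
    action: str


def parse_flow_logs(text):
    """Parse default-format flow log lines; skips malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom format or truncated line
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # no usable 5-tuple; ports are "-" and would not parse as ints
        records.append(FlowRecord(row["srcaddr"], row["dstaddr"],
                                  int(row["srcport"]), int(row["dstport"]),
                                  int(row["protocol"]), int(row["start"]),
                                  int(row["end"]), row["action"]))
    return records


def rejected_inbound(records, host_ip):
    """Flows the security group dropped on their way to host_ip."""
    return [r for r in records if r.action == "REJECT" and r.dstaddr == host_ip]


def detect_port_scans(records, min_ports=3, window=60):
    """Sources whose REJECTed flows touched at least min_ports distinct destination
    ports within `window` seconds. Returns {srcaddr: sorted list of ports}."""
    by_src = defaultdict(list)
    for r in records:
        if r.action == "REJECT":
            by_src[r.srcaddr].append(r)
    alerts = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda r: r.start)
        for i, first in enumerate(flows):
            ports = {f.dstport for f in flows[i:] if f.start - first.start <= window}
            if len(ports) >= min_ports:
                alerts[src] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    for r in rejected_inbound(recs, "10.0.1.25"):
        print(f"REJECT {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport}")
    print("possible scans:", detect_port_scans(recs))
```

Thresholds are a tuning decision: a lower `min_ports` catches slower scans but also flags a single user retrying two ports, so in a real SOC the window and port count would be set from the baseline of rejected traffic the VPC normally sees.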


How to Reproduce

  1. Launch an EC2 instance with a restricted security group (SSH limited to admin IP).
  2. Enable AWS CloudTrail and forward logs to CloudWatch Logs.
  3. Enable VPC Flow Logs (ALL traffic) and send to CloudWatch Logs.
  4. Perform network scanning using: nmap -Pn -p 22,80,443 <EC2_PUBLIC_IPv4ADDR>
  5. Observe ACCEPT and REJECT logs in CloudWatch.
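Step 1 is the control that makes the scan in step 4 come back filtered, so it is worth checking the security group definition itself rather than trusting the console. The following is an added example (not part of this repository) that takes an ingress rule list in a simplified form and reports management ports reachable from anything other than the administrator's /32, shown against a weak rule set and the hardened one. The rule dictionaries, the admin address and the `check_ingress` helper are constructed for illustration and are not an AWS API.

```python
import ipaddress

# Placeholder administrator address; substitute your own when adapting this.
ADMIN_IP = "198.51.100.7"

# Constructed ingress rule sets (hypothetical; not exported from the lab account).
# protocol "-1" mirrors the AWS convention for "all traffic".
WEAK_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"},
]
HARDENED_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": f"{ADMIN_IP}/32"},
]

# Ports that should never be reachable from anything but the admin host.
MGMT_PORTS = {22: "ssh", 3389: "rdp"}


def check_ingress(rules, admin_ip):
    """Return human-readable findings for rules that expose management ports
    beyond the admin /32 or allow all traffic from a range."""
    findings = []
    admin = ipaddress.ip_network(f"{admin_ip}/32")
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        if rule["protocol"] == "-1":
            findings.append(f"all traffic allowed from {net}")
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        for port, name in MGMT_PORTS.items():
            # Any source other than exactly the admin /32 is a finding,
            # including a wider range that happens to contain the admin host.
            if lo <= port <= hi and net != admin:
                findings.append(f"{name}/{port} open to {net}, expected {admin}")
    return findings


if __name__ == "__main__":
    print("weak:", check_ingress(WEAK_RULES, ADMIN_IP))
    print("hardened:", check_ingress(HARDENED_RULES, ADMIN_IP))
```

The same check maps directly onto the output of `aws ec2 describe-security-groups`, whose IpPermissions entries carry IpProtocol, FromPort, ToPort and IpRanges; only the field names differ.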
