Cloud Detection

CloudTrail Drift: Shadow Admin Keys

Hunt for dormant privileged identities that reappear after control changes, using cloud-native logs without jumping to conclusions.

KRW 780,000 informational only

Description

Participants review a staged AWS-style control plane narrative where administrative keys resurface after a policy change. The lab rewards careful reading of change records, highlights common analyst traps around API call bursts, and reinforces how to document assumptions when external reviewers later read the case file.

Features

  • Partitioned log slices with redacted account metadata
  • Role assumption graph with annotated dead ends
  • Checklist for separating break-glass from abuse
  • Cloud cost ops sidebar to spot anomalous usage jumps
  • Cross-org workflow handoff sheet for platform owners
  • Optional tabletop prompts for leadership briefings
  • Quality standards checklist for evidence screenshots

Outcomes

  • Draft a hunting hypothesis that names disprovable signals
  • Communicate cloud control impact in plain language
  • Capture a defensible rollback recommendation