A terminal-based presentation on cloud red teaming, covering 4 real-world attack stories from AWS engagements with live demos, prescriptions, and a Monday morning checklist.
Presented by Bailey Belisario (@BBelisario20) at DakotaCon 2026.
This presentation is built for Ostendo, a terminal presentation tool.
- Kitty terminal (recommended for images, font sizing, and animations)
- Rust toolchain (to build Ostendo)
Build Ostendo:

```bash
git clone https://github.com/ZoneMix/ostendo.git
cd ostendo
cargo build --release
```

Run the presentation (from the ostendo directory):

```bash
./target/release/ostendo /path/to/dakotacon-2026/presentation.md

# Or with Kitty for best experience:
kitty -o allow_remote_control=yes -o font_size=24 --start-as=maximized \
  ./target/release/ostendo /path/to/dakotacon-2026/presentation.md
```

Keyboard controls:

| Key | Action |
|---|---|
| Right / Space / Enter | Next slide |
| Left / Backspace | Previous slide |
| g + number + Enter | Jump to slide |
| j / k | Scroll down / up |
| ] / [ | Increase / decrease font |
| Ctrl+E | Execute code block |
| h | Help overlay |
| q | Quit |
The demos/ directory contains bash scripts for live AWS demos. These require:

- An AWS account with the demo infrastructure deployed
- AWS CLI profiles configured
- The demo scripts reference placeholder values (`<YOUR_PATH>`, `<YOUR_PROFILE>`) that must be replaced with your environment details

The demos are designed for simulation mode by default. To run live, create a .demo_mode file:

```bash
echo "live" > demos/.demo_mode
```

Repository layout:

```
presentation.md      # The full slide deck (66 slides)
demos/               # Live demo bash scripts
  demo_runner.sh     # Shared utility functions
  demo_config.sh     # Timing configuration
  story1_*.sh        # Story 1: Broken Deny Policy
  story2_*.sh        # Story 2: IMDS + Cross-Account Chain
  story3_*.sh        # Story 3: ECS Runner Exploit
  story4_*.sh        # Story 4: Detection & Response
assets/              # Images used in the presentation
```
The four stories:

- Patient Denial -- A deny policy using an unsupported condition key (`aws:ResourceTag` for S3) silently fails, giving full S3 access to terraform state files containing credentials.
- Patient Trust Issues -- IMDS credential theft from an EKS node, followed by cross-account role chaining without ExternalId, reaching production admin.
- Patient Enablement -- An ECS Fargate GitLab runner with AdministratorAccess to production, exploited via K8s service account impersonation and a malicious pipeline that dumps `/proc/self/environ`.
- Patient Selective Hearing -- Detection that partially worked but failed to follow through. The blue team caught the symptom (abnormal login), removed it, but never investigated the root cause.
Monday morning checklist:

PREVENT:

1. Run IAM Access Analyzer
2. Enforce IMDSv2 everywhere
3. Add ExternalId to ALL trust policies
4. Scope IRSA to specific service accounts
5. Encrypt and isolate tfstate
6. Scope CI/CD runners to specific projects

DETECT + RESPOND:

7. Wire GuardDuty -> SNS -> your team
8. Write incident runbooks (before the alert fires)
9. Rotate all keys > 90 days
10. Enable AMSI on Windows
11. Separate prod, staging, and dev accounts
12. Build CloudTrail Insights queries
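Two of the story root causes (the S3 Deny that relied on `aws:ResourceTag`, and cross-account trust without ExternalId) can be caught before an engagement by linting the policy documents. The script below is an added example and is not one of the repo's demos/ scripts; it works offline on policy JSON already fetched with the AWS CLI (for example the output of `aws iam get-policy-version` or the `AssumeRolePolicyDocument` from `aws iam get-role`), and the two sample policies embedded in it are constructed for illustration.

```python
"""Offline IAM policy linter for two misconfigurations from the stories above.

Added example, not part of the presentation or its demos/ scripts.

Input is a policy document as a Python dict. Two checks:
  1. Deny statements on S3 actions that rely on an aws:ResourceTag/* condition.
     S3 does not support that key, so the Deny never matches (Story 1).
  2. Trust policy statements allowing sts:AssumeRole to a principal outside
     our own account with no sts:ExternalId condition (Story 2).
"""
import json
import sys


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Yield every condition key used by a statement, lower-cased."""
    for _operator, pairs in (statement.get("Condition") or {}).items():
        for key in pairs:
            yield key.lower()


def find_dead_s3_denies(policy):
    """Indexes of Deny statements that target S3 actions and depend on an
    aws:ResourceTag/* key, which S3 does not evaluate (the Deny is dead)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Deny":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        if any(k.startswith("aws:resourcetag/") for k in _condition_keys(st)):
            findings.append(i)
    return findings


def find_unguarded_cross_account_trust(trust_policy, own_account_id):
    """Indexes of Allow sts:AssumeRole statements whose AWS principal is
    outside own_account_id (or the wildcard '*') and set no sts:ExternalId."""
    findings = []
    for i, st in enumerate(_as_list(trust_policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)  # bare "Principal": "*" form
        foreign = [p for p in aws_principals if own_account_id not in p]
        if foreign and "sts:externalid" not in set(_condition_keys(st)):
            findings.append(i)
    return findings


def lint(policy, trust_policy, own_account_id):
    """Human-readable findings for both checks."""
    out = []
    for i in find_dead_s3_denies(policy):
        out.append(f"Statement {i}: S3 Deny conditioned on aws:ResourceTag, "
                   "which S3 does not support; the Deny never applies")
    for i in find_unguarded_cross_account_trust(trust_policy, own_account_id):
        out.append(f"Trust statement {i}: cross-account AssumeRole "
                   "without sts:ExternalId")
    return out


# Constructed sample (Story 1): the Deny is dead, so the Allow wins.
BROKEN_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
    ],
}

# Constructed sample (Story 2): account ids are placeholders; only the
# second statement guards its cross-account trust with an ExternalId.
OWN_ACCOUNT = "999999999999"
TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/ci"},
         "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}},
    ],
}

if __name__ == "__main__":
    # Usage: python lint_policies.py [policy.json trust.json own-account-id]
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
        with open(sys.argv[2]) as f:
            trust = json.load(f)
        account = sys.argv[3]
    else:
        policy, trust, account = BROKEN_DENY, TRUST, OWN_ACCOUNT
    for line in lint(policy, trust, account):
        print(line)
```

Run without arguments to see the two findings on the embedded samples (statement 1 of the S3 policy, statement 0 of the trust policy); pass exported policy files to lint your own roles.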
- Website: zonemix.tech
- GitHub: ZoneMix
- Neuvik: neuvik.com
GPL-3.0 -- see LICENSE.