Then I mapped CloudTrail logs using an external table.
Why?
Because Athena doesn’t store data — it reads directly from S3.
That’s serverless analytics done right.
Posts by C.Ellyson-tech career blueprint
Security insight:
Not all threats are loud.
Some are slow, quiet, and repetitive.
That’s why I grouped activity by IP:
SQL
-- Count API calls per source IP to surface slow, repetitive activity
SELECT sourceIPAddress, COUNT(*)
FROM cloudtrail_logs
GROUP BY sourceIPAddress;
If you're serious about cloud security:
Build projects.
Not just certifications.
Because in interviews, nobody cares what you know…
They care what you’ve done.
This project is free-tier friendly.
No excuse.
You can build real cloud security experience without spending money.
One mistake I hit hard:
Queries failing after first run.
Root cause?
No query result location set in S3.
Always configure this first.
Athena is underrated.
You can literally run SQL on terabytes of logs without managing infrastructure.
That’s insane leverage.
How is the cloud job market?
True
Most people think insider threats = hackers.
Wrong.
The biggest risk is often someone already inside your system.
If you're not logging activity in your cloud environment, you're blind.
I used AWS CloudTrail to capture every API call made in my environment.
Every login. Every action. Every mistake.
Cloud security isn’t just about prevention.
It’s about visibility.
Logs = truth.
That’s why I stored all CloudTrail logs in Amazon S3 for analysis.
Here’s where it gets interesting:
Raw logs are useless if you can’t query them.
So I used Amazon Athena to run SQL queries directly on S3.
No servers. No setup. Just data → insights.
I created a database in Athena with ONE command:
SQL
CREATE DATABASE insider_threat_logs;
Simple step.
Massive impact.
What is privilege creep, and how does it happen in enterprise environments?
Why can an EC2 instance in a public subnet still be unreachable from the internet?
Beginner mistake:
Setting up cloud resources without monitoring.
It’s like locking your door but refusing to install cameras.
Security ≠ prevention only.
Security = detection + response.
My setup only alerts on severity ≥ 5.
Why?
Because:
Low severity = noise
Medium/High = action
Security is about prioritization.
Here’s a mindset shift:
Manual response = minutes
Automated response = seconds
Attackers don’t wait.
Why should your defenses?
CLOUD KNOWLEDGE CHECKPOINT
What is Elastic Load Balancing, and what problem does it solve?
Describe the flow of SSO authentication when accessing AWS through an IdP.
I built a simple AWS threat detection system and here’s the truth:
You don’t need expensive tools to start securing the cloud.
You need:
GuardDuty (detection)
CloudWatch (monitoring)
SNS (alerts)
Lambda (automation)
That’s it.
Not all alerts matter.
That’s why filtering by severity is critical.
If you alert on everything → you’ll ignore everything.
Focus on:
Medium (suspicious)
High (dangerous)
Signal > noise.
Think of Lambda as your incident response engine.
It reacts instantly to events like:
Compromised EC2
Suspicious API calls
Unauthorized access
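As an added example (not the author's code), here is a Python Lambda handler implementing the severity filter and the Lambda-reacts-to-events idea described above: it takes a GuardDuty finding delivered through EventBridge, drops anything below the post's severity-5 threshold, labels the rest Medium or High, and hands the alert to an injected publish function standing in for the SNS call. The event shapes, account id and finding values below are constructed samples, and the function names are my own.

```python
import json
from typing import Callable, Optional

# Threshold taken from the post: only findings with severity >= 5 are alerted on.
SEVERITY_THRESHOLD = 5.0


def severity_label(severity: float) -> str:
    """Map a numeric GuardDuty severity onto its band (Low 1-3.9, Medium 4-6.9, High 7-8.9)."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def triage_finding(event: dict) -> Optional[dict]:
    """Return an alert payload for a GuardDuty finding arriving via EventBridge,
    or None when the event is not a GuardDuty finding or is below the threshold (noise)."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    if severity < SEVERITY_THRESHOLD:
        return None
    return {
        "level": severity_label(severity),
        "severity": severity,
        "finding_type": detail.get("type"),
        "finding_id": detail.get("id"),
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "title": detail.get("title"),
    }


def handler(event: dict, context=None, publish: Callable[[str], None] = print) -> dict:
    """Lambda entry point. `publish` is injected so this runs offline; in a real
    deployment wrap boto3's sns.publish and pass the SNS topic ARN to it."""
    alert = triage_finding(event)
    if alert is None:
        return {"alerted": False}
    publish(json.dumps(alert))
    return {"alerted": True, "level": alert["level"]}


# Constructed sample events shaped like EventBridge's "GuardDuty Finding" event (not real findings).
SAMPLE_HIGH = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "severity": 8.0, "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "id": "sample-finding-1", "accountId": "123456789012", "region": "us-east-1",
    "title": "Instance credentials used from outside AWS"}}
SAMPLE_MEDIUM = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "severity": 5.0, "type": "Recon:EC2/Portscan", "id": "sample-finding-2",
    "accountId": "123456789012", "region": "us-east-1", "title": "EC2 instance is scanning ports"}}
SAMPLE_LOW = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "severity": 2.0, "type": "Recon:EC2/PortProbeUnprotectedPort", "id": "sample-finding-3",
    "accountId": "123456789012", "region": "us-east-1", "title": "Unprotected port probed"}}
```

Wire it to an EventBridge rule matching `{"source": ["aws.guardduty"]}` and the same filtering happens before anyone is paged, which is what keeps the SNS topic from becoming noise.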
Speed is everything in security.
Real-world mindset:
A threat is detected → what happens next?
If your answer is “I’ll check it later”…
You already lost.
Automation is not optional in cloud security.
Cloud security is not about tools.
It’s about designing systems that react to threats automatically.
Tools are just building blocks.
Architecture is everything.
The biggest upgrade in your security journey will be this:
Stop thinking like a builder.
Start thinking like an attacker.
Ask yourself: “How would I break this system?”
Then defend it.
One underrated skill in cloud security:
Event-driven thinking.
“When X happens → trigger Y”
That’s how you build scalable, automated security systems.
GuardDuty is basically your cloud security analyst that never sleeps.
It analyzes:
VPC Flow Logs
DNS logs
CloudTrail
And tells you: “Something is wrong here.”
Most people think cloud security starts with firewalls.
It doesn’t.
It starts with visibility.
If you can’t see what’s happening in your cloud, you can’t secure it.
That’s where GuardDuty comes in.
SNS is simple, but powerful.
It turns detection into actionable awareness.
Without alerts, your detection system is useless.
If no one knows → no one responds.