Leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.

AWS, Open Source, Cloud Service Only
Category Security Training & Simulation
Community Stars 548
Last Commit 1 month ago
Last page update 19 days ago
Pricing Details Free and open-source under the MIT License.
Target Audience Security professionals, cloud engineers, and organizations looking to enhance their cloud security posture.

Leonidas is a framework for simulating attacker actions in cloud environments, and for detecting them, with AWS as its primary target. Each attacker tactic, technique or procedure (TTP) is described once, in a YAML file, together with the properties needed to detect it, so the offensive test case and its detection logic are maintained side by side rather than drifting apart.

Technically, Leonidas compiles these YAML definitions into three artefacts: a web API that executes each test case, a Sigma rule that detects it, and documentation. The API is deployed through an AWS-native CI/CD pipeline into the account where the tests will run. Its endpoints require an API key, which callers send in the x-api-key header of every request. Because those endpoints perform real actions in the account, the key should be treated as a secret: keep it out of source control, rotate it, and restrict who can obtain it.

Operationally, a test case runs when a client sends a POST request to its endpoint. The request can specify which identity the test should run as, either a role for the API to assume or a set of AWS access keys supplied with the request, so the same technique can be exercised as different principals, and it can name the AWS region the test should target. Because these are real API calls against a real account, run them in an environment set aside for the purpose and prefer short-lived role credentials to long-lived access keys.
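The request shape described above, as an added example that is not code from the Leonidas project. Only the POST method and the x-api-key header come from the page; the base URL, the endpoint path, and the JSON field names (role_arn, access_key_id, secret_access_key, session_token, region, args) are assumptions made for illustration. The builder refuses to mix role assumption with static keys, keeps credentials in the body rather than the URL, and offers a redacted view that is safe to log.

```python
# Added example, not code from the Leonidas project: build (and optionally
# send) the POST that runs one test case through the Leonidas API under a
# chosen identity and region.
# ASSUMPTIONS: only the POST method and the x-api-key header are taken from
# the project's documentation; API_BASE, the endpoint path and the JSON
# field names below are illustrative.
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://abc123.execute-api.us-east-1.amazonaws.com/Prod"  # assumed


class IdentityError(ValueError):
    """Raised when the caller's identity options are inconsistent."""


def build_run_request(api_key, case_path, args=None, *, role_arn=None,
                      access_key_id=None, secret_access_key=None,
                      session_token=None, region=None):
    """Return a urllib Request for POST {API_BASE}/{case_path}.

    Identity is optional (no identity = the API's own execution role, an
    assumption here). If given, it is either a role to assume or a set of
    access keys, never both. Credentials travel only in the JSON body, not
    in the URL, so they do not end up in gateway or proxy access logs.
    """
    if not api_key:
        raise IdentityError("an API key for the x-api-key header is required")
    if role_arn and access_key_id:
        raise IdentityError("give either role_arn or access keys, not both")
    if access_key_id and not secret_access_key:
        raise IdentityError("access_key_id needs a secret_access_key")
    body = {"args": args or {}}            # field names assumed
    if role_arn:
        body["role_arn"] = role_arn
    elif access_key_id:
        body["access_key_id"] = access_key_id
        body["secret_access_key"] = secret_access_key
        if session_token:
            body["session_token"] = session_token
    if region:
        body["region"] = region
    return urllib.request.Request(
        f"{API_BASE}/{case_path.strip('/')}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
    )


def redacted(req):
    """Log-safe view of a built request: API key and secrets are masked."""
    body = json.loads(req.data)
    for secret in ("secret_access_key", "session_token"):
        if secret in body:
            body[secret] = "***"
    return {"method": req.get_method(), "url": req.full_url,
            "x-api-key": "***", "body": body}


def run_case(req, timeout=30):
    """Send the request. A 403 almost always means a missing or wrong x-api-key."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode(errors="replace")
        if exc.code == 403:
            detail = "forbidden: check the x-api-key header. " + detail
        return exc.code, {"error": detail}


if __name__ == "__main__":
    req = build_run_request(
        os.environ.get("LEONIDAS_API_KEY", "replace-me"),
        "persistence/create_iam_user",              # path is assumed
        {"username": "leonidas-sim-user"},
        role_arn="arn:aws:iam::123456789012:role/leonidas-target",  # constructed
        region="eu-west-1",
    )
    print(json.dumps(redacted(req), indent=2))
    # status, result = run_case(req)   # uncomment to actually call the API
```

Keep the API key in an environment variable or a secrets manager rather than in the script, and log only the `redacted()` view; the secret access key and the x-api-key value are both enough for an attacker to drive your simulation account.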

Key technical details: each definition names one or more executors, such as leonidas_aws, which carry the code the API runs for that test case, and the Sigma rules and documentation are produced by Python scripts managed with Poetry. The generator.py script, for example, emits the Sigma rules and Markdown documentation, and the Markdown can then be built into HTML for easier browsing.
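The definition-to-Sigma step described in the two paragraphs above, as an added example that is not the project's generator.py: a Leonidas-style definition is turned into a Sigma rule, and the rule is then run over constructed CloudTrail records to confirm the detection fires for the simulated action and stays quiet for the others. The definition's field layout (name, category, mitre_ids, permissions, executors.leonidas_aws, detection.sources[].attributes) is my reading of the project's YAML format and is an assumption, as are the sample events.

```python
# Added example, not code from the Leonidas project: compile a Leonidas-style
# test-case definition into a Sigma rule and run it over CloudTrail events.
# ASSUMPTIONS: the definition's field names mirror the Leonidas YAML layout as
# understood here; the CloudTrail records are constructed sample data.
import json
import uuid
from fnmatch import fnmatchcase

# Constructed definition, written as the dict a YAML loader would return.
DEFINITION = {
    "name": "Create IAM User for Persistence",
    "description": "An attacker creates an additional IAM user so that access\n"
                   "survives revocation of the credentials first obtained.",
    "category": "Persistence",
    "mitre_ids": ["T1136.003"],
    "platform": "aws",
    "permissions": ["iam:CreateUser"],
    "executors": {
        "leonidas_aws": {                       # executor name from the page
            "implemented": True,
            "clients": ["iam"],
            "code": 'clients["iam"].create_user(UserName=args["username"])',
        }
    },
    "detection": {
        "status": "experimental",
        "level": "medium",
        "sources": [{"name": "cloudtrail",
                     "attributes": {"eventName": "CreateUser",
                                    "eventSource": "iam.amazonaws.com"}}],
    },
}


def to_sigma(defn):
    """Build a Sigma rule (as a dict) from one definition.

    The rule id is derived from the test-case name, so regenerating the rule
    set does not churn ids in a SIEM that tracks rules by id.
    """
    source = defn["detection"]["sources"][0]
    tags = [f"attack.{defn['category'].lower()}"]
    tags += [f"attack.{tid.lower()}" for tid in defn["mitre_ids"]]
    return {
        "title": defn["name"],
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, "leonidas:" + defn["name"])),
        "status": defn["detection"]["status"],
        "description": " ".join(defn["description"].split()),
        "tags": tags,
        "logsource": {"product": "aws", "service": source["name"]},
        "detection": {"selection": dict(source["attributes"]),
                      "condition": "selection"},
        "level": defn["detection"]["level"],
    }


def _yaml_lines(value, indent=0):
    """Minimal YAML emitter for the dict/list/scalar shape of a Sigma rule."""
    pad, lines = " " * indent, []
    if isinstance(value, dict):
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.extend(_yaml_lines(item, indent + 2))
            else:
                lines.append(f"{pad}{key}: {json.dumps(item)}")  # JSON scalars are valid YAML
    else:                                        # list of scalars
        lines.extend(f"{pad}- {json.dumps(item)}" for item in value)
    return lines


def render_yaml(rule):
    return "\n".join(_yaml_lines(rule)) + "\n"


def matches(rule, event):
    """Sigma-style match: every selection field must equal the event field,
    case-insensitively, with '*' wildcards allowed in the rule value."""
    for field, wanted in rule["detection"]["selection"].items():
        actual = event.get(field)
        if actual is None or not fnmatchcase(str(actual).lower(), str(wanted).lower()):
            return False
    return True


def run_detection(rule, events):
    return [e for e in events if matches(rule, e)]


# Constructed CloudTrail records, trimmed to the fields used here.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/leonidas-target/run-1"}},
    {"eventTime": "2024-05-01T10:00:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/leonidas-target/run-1"}},
    {"eventTime": "2024-05-01T10:00:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"}},
]

if __name__ == "__main__":
    rule = to_sigma(DEFINITION)
    print(render_yaml(rule))
    for hit in run_detection(rule, EVENTS):
        print("HIT", hit["eventTime"], hit["eventName"], hit["userIdentity"]["arn"])
```

The matcher is deliberately simple (equality with `*` wildcards, case-insensitive, as Sigma's default string matching behaves); a real pipeline would hand the rendered rule to a Sigma backend for the SIEM in use. The useful habit it demonstrates is closing the loop: after running a test case through the API, pull the CloudTrail records for that session and check that the rule generated from the same definition actually matches them.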

There are operational considerations and limitations. The current implementation focuses on AWS; support for other providers such as Azure is limited and remains an area for future development. Each test case also needs the IAM permissions that its executor's calls require, so keeping the YAML definitions and the associated permissions consistent becomes a maintenance task in large deployments. Within those limits, Leonidas gives a security team a repeatable way to exercise attacker techniques in the cloud and to verify that the matching detections fire.
