🛡️ AEGIS-FLOW SOC

Autonomous Security Orchestration & Response

CURRENT STATUS: SYSTEM READY

How to Demo

When you click SIMULATE BREACH, the following occurs:

1. Identity & Access Management (The "Inside Man")

  • Over-Privileged User: It takes an existing IAM user (dev-user-01) and attaches the AdministratorAccess policy. This violates the principle of least privilege.
  • Credential Generation: It generates programmatic Access Keys for this user. These keys are then "leaked" into the script below to perform unauthorized actions.

2. Networking (The "Open Door")

  • Insecure VPC: It creates a VPC named aegis-public-vpc-no-logs. The name is literal—it lacks VPC Flow Logs, meaning there is no record of network traffic entering or leaving the environment.
  • Public Exposure: It sets up an Internet Gateway and a subnet that automatically assigns public IP addresses to any instance launched within it.

3. Storage (The "Data Leak")

  • Public S3 Bucket: It creates an S3 bucket and explicitly disables all "Public Access Block" settings. This makes the bucket capable of hosting data accessible to anyone on the internet.

4. Compute (The "Weak Target")

  • Vulnerable EC2: It launches a Linux server (t3.micro) that is unencrypted and sits in a public subnet.
  • Security Group: It creates a Security Group that allows all outbound traffic, leaving the inbound "front door" for the script to manipulate.

5. The "Crime Spree" (The Simulation)

The null_resource block is the most unusual part of this code. Once the infrastructure is ready, it runs a local script using the dev-user-01 credentials to simulate a malicious insider:

  • Rogue Storage: It creates a second S3 bucket (aegis-rogue-bucket-static-demo) outside of Terraform's direct management.
  • Network Breach: It opens port 22 (SSH) to the entire world (0.0.0.0/0).
  • Metadata Downgrade: It forces the EC2 instance to use IMDSv1. This is a major security risk: IMDSv1 answers unauthenticated requests, so a "Server-Side Request Forgery" (SSRF) flaw in any application on the instance can be used to read the instance's role credentials and steal its identity.

The AEGIS Agent will detect all of these vulnerabilities and autonomously remediate them.

Under the Hood

The backend manages a Global Mutex Lock to prevent concurrent Terraform state corruption. When you authorize a fix, the agent executes targeted CLI commands to restore your security posture without human intervention.
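The following is an added example, not code from the AEGIS-FLOW project: it shows, for the five misconfiguration classes listed under "How to Demo" and for the global lock described under "Under the Hood", how a detection pass, a serialised remediation pass and a post-fix verification pass fit together. The inventory dictionary, its field names, the Finding dataclass and the scan_and_remediate function are all constructed for this example; the CLI strings are the standard AWS CLI commands a fix would issue, but here each fix only mutates the in-memory model, so the script runs offline.

```python
import threading
import time
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable

# Constructed inventory mirroring the drifted state the demo produces. Its shape is an
# assumption of this example, not the AEGIS agent's real data model.
INVENTORY = {
    "iam_users": [{"name": "dev-user-01", "policies": ["AdministratorAccess"], "active_keys": 1}],
    "vpcs": [{"id": "vpc-EXAMPLE", "name": "aegis-public-vpc-no-logs", "flow_logs": False}],
    "s3_buckets": [{"name": "aegis-rogue-bucket-static-demo", "public_access_block": False}],
    "instances": [{"id": "i-EXAMPLE", "http_tokens": "optional", "root_encrypted": False}],
    "security_groups": [{"id": "sg-EXAMPLE", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}],
}

@dataclass
class Finding:
    category: str
    resource: str
    issue: str
    cli_hint: str                # the standard AWS CLI call a remediation step would issue
    apply: Callable[[], None]    # idempotent change to the in-memory model, standing in for that call

def check_inventory(inv):
    """Evaluate the inventory against the misconfiguration classes the demo creates."""
    f = []
    for u in inv.get("iam_users", []):
        if "AdministratorAccess" in u["policies"]:
            f.append(Finding("IAM", u["name"], "AdministratorAccess attached",
                "aws iam detach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
                lambda u=u: u.update(policies=[p for p in u["policies"] if p != "AdministratorAccess"])))
            if u["active_keys"]:
                f.append(Finding("IAM", u["name"], "active access keys on an admin user (leak risk)",
                    "aws iam update-access-key --status Inactive, then rotate",
                    lambda u=u: u.update(active_keys=0)))
    for v in inv.get("vpcs", []):
        if not v["flow_logs"]:
            f.append(Finding("Networking", v["id"], "VPC Flow Logs disabled",
                "aws ec2 create-flow-logs --resource-type VPC --traffic-type ALL",
                lambda v=v: v.update(flow_logs=True)))
    for b in inv.get("s3_buckets", []):
        if not b["public_access_block"]:
            f.append(Finding("Storage", b["name"], "Public Access Block disabled",
                "aws s3api put-public-access-block (all four settings true)",
                lambda b=b: b.update(public_access_block=True)))
    for i in inv.get("instances", []):
        if i["http_tokens"] != "required":
            f.append(Finding("Compute", i["id"], "IMDSv1 permitted (HttpTokens=optional)",
                "aws ec2 modify-instance-metadata-options --http-tokens required",
                lambda i=i: i.update(http_tokens="required")))
        if not i["root_encrypted"]:
            f.append(Finding("Compute", i["id"], "root volume unencrypted",
                "snapshot, copy with --encrypted, swap the root volume",
                lambda i=i: i.update(root_encrypted=True)))
    for sg in inv.get("security_groups", []):
        if any(r["cidr"] == "0.0.0.0/0" and r["port"] == 22 for r in sg["ingress"]):
            f.append(Finding("Networking", sg["id"], "SSH (22) open to 0.0.0.0/0",
                "aws ec2 revoke-security-group-ingress, re-add for the admin CIDR only",
                lambda sg=sg: sg.update(ingress=[r for r in sg["ingress"]
                                                 if not (r["cidr"] == "0.0.0.0/0" and r["port"] == 22)])))
    return f

# One process-wide lock, the analogue of the backend's Global Mutex Lock: every fix that
# touches shared state runs alone, however many workers are remediating at once.
_STATE_LOCK = threading.Lock()
_INFLIGHT = {"now": 0, "peak": 0}

def remediate(findings):
    """Apply each finding's fix under the global lock; returns the number of fixes applied."""
    applied = 0
    for fd in findings:
        with _STATE_LOCK:
            _INFLIGHT["now"] += 1
            _INFLIGHT["peak"] = max(_INFLIGHT["peak"], _INFLIGHT["now"])
            fd.apply()
            time.sleep(0.001)   # widen the window so a missing lock would show up as peak > 1
            _INFLIGHT["now"] -= 1
        applied += 1
    return applied

def scan_and_remediate(inv, workers=2):
    """Detect, remediate with `workers` concurrent agents, then verify by rescanning."""
    model = deepcopy(inv)                # never mutate the caller's inventory
    findings = check_inventory(model)
    _INFLIGHT.update(now=0, peak=0)
    threads = [threading.Thread(target=remediate, args=(findings,)) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    remaining = check_inventory(model)   # post-fix verification pass
    return {"findings": len(findings), "peak_concurrency": _INFLIGHT["peak"], "remaining": len(remaining)}

if __name__ == "__main__":
    for fd in check_inventory(INVENTORY):
        print(f"[{fd.category}] {fd.resource}: {fd.issue} -> {fd.cli_hint}")
    print(scan_and_remediate(INVENTORY, workers=3))
```

The fixes are written to be idempotent on purpose: when several workers walk the same finding list, the lock guarantees they never run together, and idempotence guarantees the second application is harmless. The "remaining" count from the rescan is what a Verify Rate metric would be computed from.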

Security Insights

  • Avg. MTTR: 0s (Mean Time to Remediate)
  • Avg. TTD: 0s (Time to Detect Threats)
  • Success Rate: 100% (Remediation Accuracy)
  • Verify Rate: N/A (Post-Fix Verification Pass)
  • Ops Cost: $0.0000 (Est. Claude API Spend)
  • Total Scans: 0 (Sessions Completed)
  • Tokens Used: 0 (Cumulative AI Tokens)

Remediations by Category

No remediation data yet. Run a scan first.

Recent Scan History

No scan history yet. Run a scan first.

Infrastructure Health

Real-time AWS Resource Compliance Status


Live Operations Feed
System Ready. Waiting for commands...