Assumed Role.

{
  "eventTime": "2025-03-13T06:11:43Z",
  "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging",
  "sourceIPAddress": "98.47.216.103",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::487291035561:user/svc-payment-processor",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "accountId": "487291035561"
  },
  "requestParameters": {
    "name": "arn:aws:cloudtrail:us-east-1:487291035561:trail/meridian-org-trail"
  },
  "responseElements": null
}

The premise

2:14 AM. Thursday. Maya is the security team at Meridian Financial — all 45 AWS accounts of it. Her phone buzzes: #security-alerts — a channel with exactly one subscriber.

Someone just disabled CloudTrail in the production payments account. The account that processes credit card transactions. The source IP is a residential ISP address. It's not a misconfiguration. It's a recon pattern.

Over the next thirty-two hours, Maya traces a stolen service-account key across four AWS accounts, revokes it, falls for a security-group decoy, discovers the real payload (S3 replication to an external bucket) two hours after it started flowing, finds the backdoor IAM user VEGA created three days before anyone knew he was there, and deploys the session-token-blocking SCP her VP has been pushing to "next quarter" for six months.

She also hires her second engineer.

• 01 The Quiet Alert DETECT cloudtrail:StopLogging 02:11 EDT
• 02 The Way In INVESTIGATE iam:CreateAccessKey 2024-09-15
• 03 Lateral SCOPE sts:AssumeRole chain 03:19 EDT
• 04 The Open Door CONTAIN s3:PutBucketReplication 06:41 EDT
• 05 Ghosts in the Machine DIAGNOSE iam:CreateUser — t-3d
• 06 New Perimeter RECOVER iam:DetachUserPolicy 10:37 EDT

A technical reader's brain already files information in a specific shape. The page meets that shape.

• Chain-of-custody front matter. INC-2025-0313-A · CLASSIFICATION: INTERNAL · DISTRIBUTION: Security, Legal, Board · AUTHOR: M. [REDACTED]. You pick up the book believing you've acquired a leaked incident document.
• IR-phase chapter pills. DETECT → INVESTIGATE → SCOPE → CONTAIN → DIAGNOSE → RECOVER. Invisible to general readers, instantly familiar to practitioners.
• Evidence as epigraph. Every chapter opens with the real CloudTrail event that defines it. PascalCase correct, field names correct, account IDs 12-digit-valid.
• The 66-minute CloudTrail blindspot. StopLogging at 06:11:43Z. Maya's StartLogging at 07:18:00Z. The book renders that gap as a near-black page: — no events logged —. You feel the blindness.
• STS session TTL gutter. Chapter 4 is the false-victory chapter. Maya revokes VEGA's key; his STS session survives for another 2h 26m. That countdown lives as a vertical rail on every Ch.4 page. Vault-timer energy.
• Line-number page footers. L.0042. The book reads like a log file.
• Analyst's-note callouts. Red-bordered Chekhov's-gun notes flag detection gaps that pay off in later chapters. Secret pleasure on rereads.
• AWS-org endpaper. The 45 accounts as a hub-spoke map, compromised accounts in red, lateral path marked.
• Cerberus Market coda. The post-credits scene rendered as a faux onion-site listing. The last word of the book is "Price."

• Maya — solo security engineer, first-person narrator. Thinks in CloudTrail events.
• VEGA — professional data broker. Bought Marcus's stolen credential on Cerberus Market. His logic is internally consistent — and that's what makes him dangerous.
• Marcus Chen — former contractor. Sold credentials he forgot to delete. Didn't know what he was enabling.
• Erik — VP Engineering. Not a villain. Just overwhelmed.
• Kira — senior dev on payments. Maya's closest thing to an ally.

Read Assumed Role online →

› or download PDF (327 KB)

> After this one, the sequel picks up the thread: Signed & Sealed — Book II. A supply-chain attack at a healthcare SaaS. The same Marcus, six months later.