Building an Internal SOC Training Lab on AWS

Category: Technical Tutorial | Updated: November 2025 | Level: Advanced

For organizations that cannot yet afford a commercial cyber range like SimSpace, building an internal "Home Range" on AWS is a viable interim solution. This guide outlines the architecture for deploying a Security Onion sensor grid alongside vulnerable Windows/Linux targets using Infrastructure as Code (IaC).

The Architecture

We will utilize a standard VPC topology with public and private subnets to simulate a corporate network DMZ.

Step 1: The CloudFormation Template

Instead of manually clicking through the AWS Console, we define our range state using CloudFormation. Below is a snippet of the YAML configuration for the VPC setup:

    Resources:
      LabVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsSupport: true
          Tags:
            - Key: Name
              Value: SOC-Training-Range-v1
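The snippet above only declares the VPC itself. The following is an added example (not the tutorial's own template, which is only provided to partners) that carries the same LabVPC resource through to a deployable public/private topology. The subnet CIDRs, the resource names other than LabVPC, and the export names are assumptions chosen for this example. The private route table deliberately has no default route, so the vulnerable targets placed there cannot reach the internet; only the public "DMZ" subnet is routed through the internet gateway.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example - SOC training range VPC with a public DMZ subnet and a
  private target subnet (not the original tutorial's template).

Resources:
  LabVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: SOC-Training-Range-v1

  # Public "DMZ" subnet (assumed CIDR): the only subnet with an internet route.
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref LabVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: false   # lab hosts get public IPs only when explicitly assigned
      Tags:
        - Key: Name
          Value: SOC-Range-Public-DMZ

  # Private subnet (assumed CIDR) for vulnerable targets and the sensor's sniffing interface.
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref LabVPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select [0, !GetAZs '']
      Tags:
        - Key: Name
          Value: SOC-Range-Private-Targets

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref LabVPC
      InternetGatewayId: !Ref InternetGateway

  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref LabVPC

  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  PublicSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable

  # No 0.0.0.0/0 route here: targets in the private subnet are contained within the VPC.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref LabVPC

  PrivateSubnetRouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  VpcId:
    Value: !Ref LabVPC
    Export:
      Name: SocRange-VpcId          # assumed export name, consumed by later stacks
  PrivateSubnetId:
    Value: !Ref PrivateSubnet
    Export:
      Name: SocRange-PrivateSubnetId
  PublicSubnetId:
    Value: !Ref PublicSubnet
    Export:
      Name: SocRange-PublicSubnetId
```

Deploy it with the usual `aws cloudformation deploy --template-file range-vpc.yaml --stack-name soc-range-vpc` (file and stack names are placeholders). Keeping the targets in a subnet with no internet route is the single most important containment control in a range: whatever an analyst or a test detonates on a deliberately vulnerable host cannot call out.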

Step 2: Deploying the Sensors

We recommend deploying Security Onion on a t3.xlarge instance. It provides built-in Zeek, Suricata, and Kibana for log analysis. You must configure VPC Traffic Mirroring on the target instances (Traffic Mirroring is supported on Nitro-based instance types) to send packet copies to the Security Onion sniffing interface. A mirror session is attached to the source instance's network interface and points at a mirror target, which is the sensor's dedicated monitoring ENI; the mirrored packets arrive VXLAN-encapsulated on UDP port 4789, so the sensor's security group must allow that traffic from the range.
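The following is an added example, not the tutorial's own template, that wires up the mirroring described above as a second stack. It assumes the sensor already has a second ENI dedicated to sniffing and that a target instance's ENI is known; both are passed in as parameters, as is the sensor's security group. The filter rules, session number and resource names are assumptions for this example. It also opens UDP 4789 on the sensor's security group so the VXLAN-encapsulated copies are not dropped before they reach Zeek and Suricata.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example - VPC Traffic Mirroring from one lab target to the
  Security Onion sniffing ENI (not the original tutorial's template).

Parameters:
  SensorMonitorEniId:
    Type: String
    Description: ENI of the Security Onion sniffing interface (mirror target)
  SensorSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the sensor's sniffing ENI
  TargetEniId:
    Type: String
    Description: ENI of the vulnerable target whose traffic is mirrored (mirror source)
  RangeCidr:
    Type: String
    Default: 10.0.0.0/16          # assumed to match the LabVPC CIDR
    Description: CIDR of the range VPC, used to scope the VXLAN ingress rule

Resources:
  # Mirrored packets arrive VXLAN-encapsulated on UDP 4789; allow them in from the range only.
  SensorVxlanIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SensorSecurityGroupId
      IpProtocol: udp
      FromPort: 4789
      ToPort: 4789
      CidrIp: !Ref RangeCidr
      Description: VXLAN from VPC Traffic Mirroring

  # The sensor's sniffing ENI is the destination of every mirror session.
  SensorMirrorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties:
      NetworkInterfaceId: !Ref SensorMonitorEniId
      Description: Security Onion sniffing interface

  # Filter: accept everything in both directions so analysts see the full picture.
  MirrorAllFilter:
    Type: AWS::EC2::TrafficMirrorFilter
    Properties:
      Description: Mirror all traffic for the SOC training range

  MirrorAllInbound:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      TrafficDirection: ingress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  MirrorAllOutbound:
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      TrafficDirection: egress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0

  # One session per mirrored source ENI; duplicate this resource for each target.
  TargetMirrorSession:
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      NetworkInterfaceId: !Ref TargetEniId
      TrafficMirrorTargetId: !Ref SensorMirrorTarget
      TrafficMirrorFilterId: !Ref MirrorAllFilter
      SessionNumber: 1
      Description: Mirror lab target to Security Onion

Outputs:
  MirrorTargetId:
    Value: !Ref SensorMirrorTarget
  MirrorFilterId:
    Value: !Ref MirrorAllFilter
```

A quick check that the plumbing works: generate some traffic on the target and confirm on the sensor that VXLAN frames are arriving on the sniffing interface before looking for Zeek connection logs, since a missing UDP 4789 rule shows up as a silent absence of data rather than an error. Using a dedicated sniffing ENI on the sensor (rather than its management interface) keeps the sensor's own SSH and Kibana traffic out of the mirrored stream.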

Step 3: The Attack Simulation

Once the range is live, use a Kali Linux instance, deployed in a separate "Attacker" VPC and connected to the range through a VPC peering connection, to launch automated attacks using tools like Atomic Red Team. This generates the "noise" your SOC analysts need to investigate.
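The following is an added example, not the tutorial's own template, of the peering arrangement described above with the containment a range operator wants: the attacker VPC and the range VPC are peered, routes are added on both sides, and the targets' security group admits traffic from the attacker CIDR only. The parameter names, CIDRs and resource names are assumptions for this example; the route table and VPC IDs would come from the two VPC stacks.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example - peer the Attacker VPC with the range VPC and confine
  attack traffic to the range (not the original tutorial's template).

Parameters:
  RangeVpcId:
    Type: AWS::EC2::VPC::Id
  RangeCidr:
    Type: String
    Default: 10.0.0.0/16          # assumed LabVPC CIDR
  RangePrivateRouteTableId:
    Type: String
    Description: Route table of the private target subnet
  AttackerVpcId:
    Type: AWS::EC2::VPC::Id
  AttackerCidr:
    Type: String
    Default: 10.1.0.0/16          # assumed Attacker VPC CIDR
  AttackerRouteTableId:
    Type: String
    Description: Route table of the subnet hosting the Kali instance

Resources:
  # Both VPCs are in the same account and region here; cross-account peering needs PeerOwnerId.
  AttackerToRangePeering:
    Type: AWS::EC2::VPCPeeringConnection
    Properties:
      VpcId: !Ref AttackerVpcId
      PeerVpcId: !Ref RangeVpcId
      Tags:
        - Key: Name
          Value: SOC-Range-Attacker-Peering

  # Attacker side only learns the range CIDR, nothing else through this connection.
  AttackerToRangeRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AttackerRouteTableId
      DestinationCidrBlock: !Ref RangeCidr
      VpcPeeringConnectionId: !Ref AttackerToRangePeering

  # Range side gets a return route to the attacker CIDR; still no default route to the internet.
  RangeToAttackerRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref RangePrivateRouteTableId
      DestinationCidrBlock: !Ref AttackerCidr
      VpcPeeringConnectionId: !Ref AttackerToRangePeering

  # Security group for the vulnerable targets: reachable from the attacker CIDR and
  # from inside the range, from nowhere else. Attach this to the Windows/Linux targets.
  TargetSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Vulnerable lab targets - reachable only from attacker and range CIDRs
      VpcId: !Ref RangeVpcId
      SecurityGroupIngress:
        - IpProtocol: "-1"
          CidrIp: !Ref AttackerCidr
          Description: Attack traffic from the Kali VPC
        - IpProtocol: "-1"
          CidrIp: !Ref RangeCidr
          Description: Lateral traffic within the range
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: !Ref RangeCidr
          Description: Targets may talk to the range only
        - IpProtocol: "-1"
          CidrIp: !Ref AttackerCidr
          Description: Return traffic to the attacker VPC

Outputs:
  PeeringConnectionId:
    Value: !Ref AttackerToRangePeering
  TargetSecurityGroupId:
    Value: !Ref TargetSecurityGroup
```

The explicit egress rules matter: the default security group egress is allow-all, and combining that with any future internet route would let a compromised target beacon out. Scoping egress to the two lab CIDRs means the mirrored traffic the analysts review is, by construction, the only traffic the targets can produce.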


Want the Full Template?

We provide the full CloudFormation JSON/YAML templates to our enterprise partners. Request a demo to discuss custom range architecture.
