For organizations that cannot yet afford a commercial cyber range like SimSpace, building an internal "Home Range" on AWS is a viable interim solution. This guide outlines the architecture for deploying a Security Onion sensor grid alongside vulnerable Windows/Linux targets using Infrastructure as Code (IaC).
Throughout my military career — in garrison and downrange alike — one truth held constant: building smart with what you have beats waiting on a budget that may never come.
We will utilize a standard VPC topology with public and private subnets to simulate a corporate network DMZ.
Instead of manually clicking through the AWS Console, we define our range state using CloudFormation. Below is a snippet of the YAML configuration for the VPC setup:
We recommend deploying Security Onion on a t3.xlarge instance. It provides built-in Zeek, Suricata, and Kibana for log analysis. You must configure VPC Traffic Mirroring on the Nitro-based target instances so that packet copies are sent to the Security Onion monitoring interface.
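As an added example (not the author's own template), the following CloudFormation fragment combines the VPC and subnet layout from the previous step with the Traffic Mirroring resources that feed the Security Onion sensor. The two ENI IDs are placeholders: replace them with your sensor's sniffing interface and the interface of the target instance you want to watch.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  RangeVpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.10.0.0/16
  PublicSubnet:                      # simulated DMZ
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref RangeVpc
      CidrBlock: 10.10.1.0/24
      MapPublicIpOnLaunch: true
  PrivateSubnet:                     # internal targets and the sensor
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref RangeVpc
      CidrBlock: 10.10.2.0/24
  # Mirrored packets reach the sensor VXLAN-encapsulated on UDP/4789;
  # the sensor's security group must allow that port from the VPC CIDR.
  MirrorTarget:
    Type: AWS::EC2::TrafficMirrorTarget
    Properties:
      NetworkInterfaceId: eni-PLACEHOLDER-SENSOR   # Security Onion sniffing ENI
  MirrorFilter:
    Type: AWS::EC2::TrafficMirrorFilter
  IngressRule:                       # accept everything arriving at the target
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: ingress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0
  EgressRule:                        # and everything it sends
    Type: AWS::EC2::TrafficMirrorFilterRule
    Properties:
      TrafficMirrorFilterId: !Ref MirrorFilter
      TrafficDirection: egress
      RuleNumber: 100
      RuleAction: accept
      SourceCidrBlock: 0.0.0.0/0
      DestinationCidrBlock: 0.0.0.0/0
  MirrorSession:                     # one session per Nitro-based target ENI
    Type: AWS::EC2::TrafficMirrorSession
    Properties:
      NetworkInterfaceId: eni-PLACEHOLDER-TARGET   # vulnerable host to watch
      TrafficMirrorTargetId: !Ref MirrorTarget
      TrafficMirrorFilterId: !Ref MirrorFilter
      SessionNumber: 1
```

Add one TrafficMirrorSession per target interface you want the sensor to see; the filter and target resources are shared.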
Once the range is live, use a Kali Linux instance (deployed in a separate "Attacker" VPC connected to the range through a VPC peering connection) to launch automated attacks using tools like Atomic Red Team. This generates the "noise" your SOC analysts need to investigate.
Have questions about adapting this architecture for your environment? Reach out directly and I'll point you in the right direction.