Question 1

How do I deploy Leonidas in an AWS account?

Accepted Answer

Leonidas is deployed via an AWS-native CI/CD pipeline, with detailed instructions in the 'Deploying Leonidas' documentation. This involves setting up infrastructure as code and securing the API with keys, which can be complex for teams without existing AWS expertise.

Question 2

Leonidas vs Atomic Red Team: which is better for cloud security testing?

Accepted Answer

Leonidas focuses specifically on cloud environments with automated detection generation for AWS and K8S, while Atomic Red Team is broader for endpoint security. Choose Leonidas for integrated attack simulation and Sigma rule output in cloud contexts, but Atomic Red Team for more diverse technique coverage.

Question 3

Can Leonidas generate rules for cloud platforms other than AWS and Kubernetes?

Accepted Answer

No, Leonidas is currently limited to AWS and Kubernetes. The README specifies platform: aws in definitions, and K8S support was added in 2024, but there's no mention of support for Azure, GCP, or other providers.

Question 4

What permissions are needed to run Leonidas tests in AWS?

Accepted Answer

Each YAML definition includes a permissions section, such as 'cloudtrail:DescribeTrails' in the example, specifying exact AWS IAM permissions. This ensures least privilege access but requires careful IAM policy setup for execution.

Question 5

How to write a custom TTP definition in Leonidas YAML format?

Accepted Answer

Refer to the 'Writing Definitions' documentation and the example YAML in the README. Key fields include name, description, mitre_ids, platform, permissions, and executors with code snippets for sh or leonidas_aws, requiring knowledge of both attacker techniques and the syntax.

Leonidas

What is Leonidas?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions