Awesome Cloud Security Labs

A list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

Sorted by Technology and Category

| Name | Technology | Category | Author | Notes |
| --- | --- | --- | --- | --- |
| CloudFoxable | AWS | Self-hosted CTF Challenge | Seth Art | Create your own vulnerable by design AWS penetration testing playground |
| Pwned Labs | AWS | Author-hosted Guided Labs, CTF | Ian Austin | Requires account registration; Commercial paid subscriptions; free hosted labs for learning cloud security |
| The Big IAM Challenge | AWS | Author-hosted CTF Challenge | Wiz | CTF challenge to identify and exploit IAM misconfigurations |
| CloudSec Tidbits | AWS | Self-hosted Challenge | Doyensec | Three web app security flaws specific to AWS cloud, self-hosted with terraform |
| AWS Well-Architected Security Workshop | AWS | Self-hosted, guided labs | AWS Well-Architected | Several hands-on-labs to help you learn, measure, and improve the security of your architecture using best practices from the Security pillar of the AWS Well-Architected Framework. |
| AWS CIRT Workshop | AWS | Self-hosted, guided lab | AWS CIRT | Build with Cloudformation, explore 5 common incident response scenarios observed by AWS CIRT |
| CloudGoat | AWS | Self-hosted, guided vulnerability lab | Multiple, Rhino Security Labs | Python orchestration of terraform |
| Attacking and Defending Serverless Applications | AWS | Self-hosted, guided vulnerability workshop | Ryan Nicholson | Attack and defend a Lambda that you build in your own AWS account with author provided terraform |
| IAM Vulnerable | AWS | Self-hosted, guided vulnerability lab | Seth Art | IAM-focused priv esc playground with 31 pathways, create in your own AWS account using terraform, solid docs |
| flaws.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style with levels and clues |
| flaws2.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style Attacker and Defender paths |
| CI/CDon't | AWS | Self-hosted CTF walkthrough | Nick Frichette | Host with terraform in your own AWS account, vulnerable CI/CD CTF infrastructure |
| AWSGoat | AWS | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own aws account, Build with terraform, two modules, provides attack and defense manuals |
| Sadcloud | AWS | Self-hosted | Multiple, NCC Group | Terraform code; not guided like CloudGoat |
| DVCA | AWS | Self-hosted demo lab | Maxime Leblanc | Deploy a Damn Vulnerable Cloud Application in your own AWS account to practice privilege escalation |
| lambhack | AWS | Self-hosted lab | James Wickett | Deploy a very vulnerable AWS lambda serverless application in your AWS account |
| BadZure | Azure | Self-hosted lab | Mauricio Velazco | Powershell Graph SDK script that spins up your own Azure AD (Entra ID) lab with attack paths. Currently no walk through or guide. |
| Broken Azure | Azure | Author-hosted, CTF challenge | Secura | Provides hints, optionally self-host in your own Azure account using terraform |
| Mandiant Azure Workshop | Azure | Self-hosted, guided commands | Multiple | Vulnerable by design Azure lab with two scenarios; build with terraform |
| AzureGoat | Azure | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own Azure tenant, Build with terraform, one module, provides attack and defense manuals |
| XMGoat | Azure | Self-hosted, guided labs | Multiple | Build with terraform, 5 scenarios, solution docs provided |
| CONVEX | Azure | Self-hosted, CTF | Multiple | Spin up three Capture the Flag environments in your Azure tenant using powershell |
| GCP Goat (Josh Jebaraj) | GCP | Self-hosted, mdbook lab guide | Josh Jebaraj | Host in your own GCP account, build with provided scripts, nice guided lab workbook |
| GCPGoat (ine-labs) | GCP | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own GCP account, Build with terraform, one module, provides attack and defense manuals |
| Thunder CTF | GCP | Self-hosted, CTF | Multiple | Bring your own GCP account, 6 levels, practice attacking vulnerable cloud projects on GCP |
| K8s Lan Party | Kubernetes | Author hosted, CTF challenge | Wiz | To dive into a network full of misconfigurations and exploit vulnerabilities with the goal of conquering a Kubernetes cluster |
| EKS Cluster Games | Kubernetes | Author hosted, CTF challenge | Wiz | Vulnerable EKS pod with flag challenges across environment, with leaderboard and requires registration |
| Bustakube | Kubernetes | Self-hosted, import VMs | Jay Beale | Vulnerable K8S cluster, Download the VMs to build cluster and import into VMWare, run it |
| Kubernetes Goat | Kubernetes | Self-hosted, multi-cloud, K3S | Madhu Akula | Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook |
| Kubecon NA 2019 CTF | Kubernetes | Self-hosted in GKE | Multiple | Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges |
| Kube Security Lab | Kubernetes | Local, kubernetes in docker | Rory McCune | An awesome local lab to create 14 vulnerable Kubernetes clusters using Docker, Ansible, and Kind. Attack them after building, then destroy. Includes walkthroughs. |
| Container Security 101 | Container | Self-hosted, guided workshop | Jon Zeolla | A guided vulnerability workshop, host in your AWS account, provided CloudFormation |
| Contained.af | Container | Self-hosted Challenge | Jessie Frazelle | A container escape challenge, break out of it and email the author |
| TerraGoat | Terraform | Self-hosted multi-cloud (AWS, Azure, GCP) | Multiple, Bridgecrew | Vulnerable by design terraform repository |
| PurpleCloud | Azure | Research Lab | Jason Ostrom | Using python and terraform, build your own Azure security lab |
| SimuLand | Azure | Research Lab | Roberto Rodriguez | Using Azure RM templates, create your own Azure security lab |
| CNAPPgoat | AWS, Azure, GCP | Research Lab | Ermetic Research | Using Pulumi, modularly provision vulnerable-by-design components in AWS, GCP, Azure |
| CI/CD Goat | CI/CD | CTF, local docker | Palo Alto | Deliberately vulnerable CI/CD environment, hacking CI/CD pipelines with CTF. Host locally with docker. |
| Github Actions Goat | CI/CD | Self-hosted Github | StepSecurity | Deliberately vulnerable Github Actions CI/CD environment, hosted in your own Github account. Includes threat scenario descriptions mapped to vulnerabilities. |

AWS

CloudFoxable: Create your own vulnerable by design AWS penetration testing playground.

Pwned Labs: Requires a login. Offers paid subscriptions. Free hosted labs for learning cloud security.

The Big IAM Challenge: CTF challenge to identify and exploit IAM misconfigurations.

CloudSec Tidbits: Three web app security flaws specific to AWS cloud, self-hosted with terraform.

AWS CIRT Workshop: Build in your own AWS account and explore 5 common incident response scenarios as seen by the AWS CIRT team.

CloudGoat: Vulnerable by design AWS security labs with guided walkthrough.

Attacking and Defending Serverless Applications: Attack and defend a Lambda that you build in your own AWS account with author provided terraform and scripts. Very educational with workshop style feel.

IAM Vulnerable: Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground with 31 privilege escalation attack pathways. Very solid documentation.

flaws.cloud: Challenge style with levels and clues.

flaws2.cloud: Challenge style with both Attacker and Defender paths.

CI/CDon't: A vulnerable CI/CD CTF challenge hosted in your AWS account with terraform. Includes a walkthrough.

AWSGoat: A damn vulnerable AWS infrastructure with two attack and defense manuals.

Sadcloud: Create vulnerable AWS services without a guide showing vulnerabilities.

DVCA: Deploy a Damn Vulnerable Cloud Application in your own AWS account to practice privilege escalation.

lambhack: Deploy a very vulnerable AWS lambda serverless application in your AWS account.

AWS Well-Architected Security Workshop: Self-deployed hands-on-labs to help you learn, measure, and improve the security of your architecture using best practices from the Security pillar of the AWS Well-Architected Framework.

Azure

BadZure: PowerShell Graph SDK script that spins up your own Azure AD (Entra ID) lab with attack paths. Currently no walkthrough or guide.

Broken Azure: A vulnerable by design Azure infrastructure that you can attack.

Mandiant Azure Workshop: Vulnerable by design Azure lab with two scenarios that you build in your own Azure tenant.

AzureGoat: Build one module with terraform and walk through the provided attack and defense manuals.

XMGoat: Build 5 scenarios in your Azure tenant and walk through solution docs provided.

CONVEX: Spin up three Capture the Flag environments in your Azure tenant using powershell.

GCP

GCP Goat (Josh Jebaraj): Host in your own GCP account and build with provided scripts. It has a nice guided lab workbook.

GCPGoat (ine-labs): Bring your own GCP account and build one module with terraform. Provides attack and defense manuals.

Thunder CTF: Bring your own GCP account, 6 levels, practice attacking vulnerable cloud projects on GCP.

Kubernetes

K8s Lan Party: Dive into a network full of misconfigurations and exploit vulnerabilities with the goal of conquering a Kubernetes cluster. Has a leaderboard and requires registration.

EKS Cluster Games: Vulnerable EKS pod with flag challenges across the environment. Has a leaderboard and requires registration.

Bustakube: Download a vulnerable K8S cluster as VMs that you can import and run locally in VMWare.

Kubernetes Goat: Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack. Includes a guided workbook.

Kubecon NA 2019 CTF: Awesome CTF that you create in your GCP account. Has a guided workbook with two attack and defense scenarios plus bonus challenges.

Kube Security Lab: An awesome local lab to create 14 vulnerable Kubernetes clusters using Docker, Ansible, and Kind. Attack them after building, then destroy. Includes walkthroughs.

Container

Container Security 101: A guided vulnerability workshop that is hosted in your AWS account. The author provides a nice lab that you follow on the webpage: you build a VM with CloudFormation and then create a container.

Contained.af: A container escape challenge, break out of it and email the author.

Terraform

TerraGoat: Vulnerable by design terraform repository.

Research Labs

PurpleCloud: Using python and terraform, build your own Azure security lab.

SimuLand: Using Azure RM templates, create your own Azure security lab.

CNAPPgoat: Using Pulumi, modularly provision vulnerable-by-design components in AWS, GCP, Azure. The vulnerabilities are modular scenarios, and no guided walkthrough exists yet.

CI/CD

CI/CD Goat: Deliberately vulnerable CI/CD environment, hacking CI/CD pipelines with CTF. Host locally with docker.

Github Actions Goat: Deliberately vulnerable Github Actions CI/CD environment, hosted in your own Github account. Includes threat scenario descriptions mapped to vulnerabilities.