/Awesome-CloudSec-Labs

Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

Awesome Cloud Security Labs

A list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

Sorted by Technology and Category

Name Technology Category Author Notes
Pentesting.Cloud AWS Self-hosted, Author-hosted CTF labs Nicholas Gilbert 17 free labs, requires registration, some labs are bring your own AWS account and use cloudformation to create
AWS CIRT Workshop AWS Self-hosted, guided lab AWS CIRT Build with Cloudformation, explore 5 common incident response scenarios observed by AWS CIRT
CloudGoat AWS Self-hosted, guided vulnerability lab Multiple, Rhino Security Labs Python orchestration of terraform
Attacking and Defending Serverless Applications AWS Self-hosted, guided vulnerability workshop Ryan Nicholson Attack and defend a Lambda that you build in your own AWS account with author provided terraform
IAM Vulnerable AWS Self-hosted, guided vulnerability lab Seth Art IAM-focused priv esc playground with 31 pathways, create in your own AWS account using terraform, solid docs
flaws.cloud AWS Author-hosted, CTF challenge Scott Piper Challenge style with levels and clues
flaws2.cloud AWS Author-hosted, CTF challenge Scott Piper Challenge style Attacker and Defender paths
Sadcloud AWS Self-hosted Multiple, NCC Group Terraform code; not guided like CloudGoat
Broken Azure Azure Author-hosted, CTF challenge Secura Provides hints, optionally self-host in your own Azure account using terraform
PurpleCloud Azure AD Workshop Azure Self-hosted, guided vulnerability workshop Jason Ostrom Guided vulnerability workshop requires PurpleCloud and terraform; username and password is sec588
Mandiant Azure Workshop Azure Self-hosted, guided commands Multiple Vulnerable by design Azure lab with two scenarios; build with terraform
AzureGoat Azure Self-hosted, attack and defense manuals Multiple, ine-labs Bring your own Azure tenant, Build with terraform, one module, provides attack and defense manuals
XMGoat Azure Self-hosted, guided labs Multiple Build with terraform, 5 scenarios, solution docs provided
GCP Goat (Josh Jebaraj) GCP Self-hosted, mdbook lab guide Josh Jebaraj Host in your own GCP account, build with provided scripts, nice guided lab workbook
GCPGoat (ine-labs) GCP Self-hosted, attack and defense manuals Multiple, ine-labs Bring your own GCP account, Build with terraform, one module, provides attack and defense manuals
Bustakube Kubernetes Self-hosted, import VMs Jay Beale Vulnerable K8S cluster, Download the VMs to build cluster and import into VMWare, run it
Kubernetes Goat Kubernetes Self-hosted, multi-cloud, K3S Madhu Akula Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook
Kubecon NA 2019 CTF Kubernetes Self-hosted in GKE Multiple Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges
Container Security 101 Container Self-hosted, guided workshop Jon Zeolla A guided vulnerability workshop, host in your AWS account, provided CloudFormation
Contained.af Container Author-hosted Challenge Jessie Frazelle A container escape challenge, break out of it and email the author
TerraGoat Terraform Self-hosted multi-cloud (AWS, Azure, GCP) Multiple, Bridgecrew Vulnerable by design terraform repository
PurpleCloud Azure Research Lab Jason Ostrom Using python and terraform, build your own Azure security lab
SimuLand Azure Research Lab Roberto Rodriguez Using Azure RM templates, create your own Azure security lab

AWS

Pentesting.Cloud: 17 free labs. Requires site registration.

AWS CIRT Workshop: Build in your own AWS account and explore 5 common incident response scenarios as seen by the AWS CIRT team.

CloudGoat: Vulnerable by design AWS security labs with guided walkthrough.

Attacking and Defending Serverless Applications: Attack and defend a Lambda that you build in your own AWS account with author provided terraform and scripts. Very educational with workshop style feel.

IAM Vulnerable: Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground with 31 privilege escalation attack pathways. Very solid documentation.

flaws.cloud: Challenge style with levels and clues.

flaws2.cloud: Challenge style with both Attacker and Defender paths.

Sadcloud: Create vulnerable AWS services without a guide showing vulnerabilities.

Azure

Broken Azure: A vulnerable by design Azure infrastructure that you can attack.

PurpleCloud Azure AD Workshop: Guided vulnerability workshop simulating an enterprise Azure customer. It requires PurpleCloud and terraform; username and password is sec588

Mandiant Azure Workshop: Vulnerable by design Azure lab with two scenarios that you build in your own Azure tenant.

AzureGoat: Build one module with terraform and walk through the provided attack and defense manuals.

XMGoat: Build 5 scenarios in your Azure tenant and walk through solution docs provided.

GCP

GCP Goat (Josh Jebaraj): Host in your own GCP account and build with provided scripts. It has a nice guided lab workbook.

GCPGoat (ine-labs): Bring your own GCP account and build one module with terraform. Provides attack and defense manuals.

Kubernetes

Bustakube: Download a vulnerable K8S cluster as VMs that you can import and run locally in VMWare.

Kubernetes Goat: Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack. Includes a guided workbook.

Kubecon NA 2019 CTF: Awesome CTF that you create in your GCP account. Has a guided workbook with two attack and defense scenarios plus bonus challenges.

Container

Container Security 101: A guided vulnerability workshop that is hosted in your AWS account. Author has provided a nice lab you follow on the webpage and you build a VM with CloudFormation and then create a container.

Contained.af: A container escape challenge, break out of it and email the author.

Terraform

TerraGoat: Vulnerable by design terraform repository.

Research Labs

PurpleCloud: Using python and terraform, build your own Azure security lab.

SimuLand: Using Azure RM templates, create your own Azure security lab.