/Awesome-CloudSec-Labs

Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

Awesome Cloud Security Labs

A list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

Sorted by Technology and Category

Name Technology Category Author Notes
CloudFoxable AWS Self-hosted CTF Challenge Seth Art Create your own vulnerable by design AWS penetration testing playground
The Big IAM Challenge AWS Author-hosted CTF Challenge Wiz CTF challenge to identify and exploit IAM misconfigurations
CloudSec Tidbits AWS Self-hosted Challenge Doyensec Three web app security flaws specific to AWS cloud, self-hosted with terraform
Pentesting.Cloud AWS Self-hosted, Author-hosted CTF labs Nicholas Gilbert 17 free labs, requires registration, some labs are bring your own AWS account and use cloudformation to create
AWS CIRT Workshop AWS Self-hosted, guided lab AWS CIRT Build with Cloudformation, explore 5 common incident response scenarios observed by AWS CIRT
CloudGoat AWS Self-hosted, guided vulnerability lab Multiple, Rhino Security Labs Python orchestration of terraform
Attacking and Defending Serverless Applications AWS Self-hosted, guided vulnerability workshop Ryan Nicholson Attack and defend a Lambda that you build in your own AWS account with author provided terraform
IAM Vulnerable AWS Self-hosted, guided vulnerability lab Seth Art IAM-focused priv esc playground with 31 pathways, create in your own AWS account using terraform, solid docs
flaws.cloud AWS Author-hosted, CTF challenge Scott Piper Challenge style with levels and clues
flaws2.cloud AWS Author-hosted, CTF challenge Scott Piper Challenge style Attacker and Defender paths
CI/CDon't AWS Self-hosted CTF walkthrough Nick Frichette Host with terraform in your own AWS account, vulnerable CI/CD CTF infrastructure
AWSGoat AWS Self-hosted, attack and defense manuals Multiple, ine-labs Bring your own aws account, Build with terraform, two modules, provides attack and defense manuals
Sadcloud AWS Self-hosted Multiple, NCC Group Terraform code; not guided like CloudGoat
DVCA AWS Self-hosted demo lab Maxime Leblanc Deploy a Damn Vulnerable Cloud Application in your own AWS account to practice privilege escalation
lambhack AWS Self-hosted lab James Wickett Deploy a very vulnerable AWS lambda serverless application in your AWS account
BadZure Azure Self-hosted lab Mauricio Velazco Powershell Graph SDK script that spins up your own Azure AD (Entra ID) lab with attack paths. Currently no walk through or guide.
Broken Azure Azure Author-hosted, CTF challenge Secura Provides hints, optionally self-host in your own Azure account using terraform
PurpleCloud Azure AD Workshop Azure Self-hosted, guided vulnerability workshop Jason Ostrom Guided vulnerability workshop requires PurpleCloud and terraform; username and password is sec588
Mandiant Azure Workshop Azure Self-hosted, guided commands Multiple Vulnerable by design Azure lab with two scenarios; build with terraform
AzureGoat Azure Self-hosted, attack and defense manuals Multiple, ine-labs Bring your own Azure tenant, Build with terraform, one module, provides attack and defense manuals
XMGoat Azure Self-hosted, guided labs Multiple Build with terraform, 5 scenarios, solution docs provided
CONVEX Azure Self-hosted, CTF Multiple Spin up three Capture the Flag environments in your Azure tenant using powershell
GCP Goat (Josh Jebaraj) GCP Self-hosted, mdbook lab guide Josh Jebaraj Host in your own GCP account, build with provided scripts, nice guided lab workbook
GCPGoat (ine-labs) GCP Self-hosted, attack and defense manuals Multiple, ine-labs Bring your own GCP account, Build with terraform, one module, provides attack and defense manuals
Thunder CTF GCP Self-hosted, CTF Multiple Bring your own GCP account, 6 levels, practice attacking vulnerable cloud projects on GCP
Bustakube Kubernetes Self-hosted, import VMs Jay Beale Vulnerable K8S cluster, Download the VMs to build cluster and import into VMWare, run it
Kubernetes Goat Kubernetes Self-hosted, multi-cloud, K3S Madhu Akula Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook
Kubecon NA 2019 CTF Kubernetes Self-hosted in GKE Multiple Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges
Kube Security Lab Kubernetes Local, kubernetes in docker Rory McCune An awesome local lab to create 14 vulnerable Kubernetes clusters using Docker, Ansible, and Kind. Attack them after building, then destroy. Includes walkthroughs.
Container Security 101 Container Self-hosted, guided workshop Jon Zeolla A guided vulnerability workshop, host in your AWS account, provided CloudFormation
Contained.af Container Author-hosted Challenge Jessie Frazelle A container escape challenge, break out of it and email the author
TerraGoat Terraform Self-hosted multi-cloud (AWS, Azure, GCP) Multiple, Bridgecrew Vulnerable by design terraform repository
PurpleCloud Azure Research Lab Jason Ostrom Using python and terraform, build your own Azure security lab
SimuLand Azure Research Lab Roberto Rodriguez Using Azure RM templates, create your own Azure security lab
CNAPPgoat AWS, Azure, GCP Research Lab Ermetic Research Using Pulumi, modularly provision vulnerable-by-design components in AWS, GCP, Azure
CI/CD Goat CI/CD CTF, local docker Palo Alto Deliberately vulnerable CI/CD environment, hacking CI/CD pipelines with CTF. Host locally with docker.
Github Actions Goat CI/CD Self-hosted Github StepSecurity Deliberately vulnerable Github Actions CI/CD environment, hosted in your own Github account. Includes threat scenario descriptions mapped to vulnerabilities.

AWS

CloudFoxable: Create your own vulnerable by design AWS penetration testing playground.

The Big IAM Challenge: CTF challenge to identify and exploit IAM misconfigurations.

CloudSec Tidbits: Three web app security flaws specific to AWS cloud, self-hosted with terraform.

Pentesting.Cloud: 17 free labs. Requires site registration.

AWS CIRT Workshop: Build in your own AWS account and explore 5 common incident response scenarios as seen by the AWS CIRT team.

CloudGoat: Vulnerable by design AWS security labs with guided walkthrough.

Attacking and Defending Serverless Applications: Attack and defend a Lambda that you build in your own AWS account with author provided terraform and scripts. Very educational with workshop style feel.

IAM Vulnerable: Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground with 31 privilege escalation attack pathways. Very solid documentation.

flaws.cloud: Challenge style with levels and clues.

flaws2.cloud: Challenge style with both Attacker and Defender paths.

CI/CDon't: A vulnerable CI/CD CTF challenge hosted in your aws account with terraform. Includes a walkthrough.

AWSGoat: A damn vulnerable AWS infrastructure with two attack and defense manuals.

Sadcloud: Create vulnerable AWS services without a guide showing vulnerabilities.

DVCA: Deploy a Damn Vulnerable Cloud Application in your own AWS account to practice privilege escalation.

lambhack: Deploy a very vulnerable AWS lambda serverless application in your AWS account.

Azure

BadZure: Powershell Graph SDK script that spins up your own Azure AD (Entra ID) lab with attack paths. Currently no walk through or guide.

Broken Azure: A vulnerable by design Azure infrastructure that you can attack.

PurpleCloud Azure AD Workshop: Guided vulnerability workshop simulating an enterprise Azure customer. It requires PurpleCloud and terraform; username and password is sec588

Mandiant Azure Workshop: Vulnerable by design Azure lab with two scenarios that you build in your own Azure tenant.

AzureGoat: Build one module with terraform and walk through the provided attack and defense manuals.

XMGoat: Build 5 scenarios in your Azure tenant and walk through solution docs provided.

CONVEX: Spin up three Capture the Flag environments in your Azure tenant using powershell.

GCP

GCP Goat (Josh Jebaraj): Host in your own GCP account and build with provided scripts. It has a nice guided lab workbook.

GCPGoat (ine-labs): Bring your own GCP account and build one module with terraform. Provides attack and defense manuals.

Thunder CTF: Bring your own GCP account, 6 levels, practice attacking vulnerable cloud projects on GCP.

Kubernetes

Bustakube: Download a vulnerable K8S cluster as VMs that you can import and run locally in VMWare.

Kubernetes Goat: Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack. Includes a guided workbook.

Kubecon NA 2019 CTF: Awesome CTF that you create in your GCP account. Has a guided workbook with two attack and defense scenarios plus bonus challenges.

Kube Security Lab: An awesome local lab to create 14 vulnerable Kubernetes clusters using Docker, Ansible, and Kind. Attack them after building, then destroy. Inludes walkthroughs.

Container

Container Security 101: A guided vulnerability workshop that is hosted in your AWS account. Author has provided a nice lab you follow on the webpage and you build a VM with CloudFormation and then create a container.

Contained.af: A container escape challenge, break out of it and email the author.

Terraform

TerraGoat: Vulnerable by design terraform repository.

Research Labs

PurpleCloud: Using python and terraform, build your own Azure security lab.

SimuLand: Using Azure RM templates, create your own Azure security lab.

CNAPPgoat: Using Pulumi, modularly provision vulnerable-by-design components in AWS, GCP, Azure. The vulnerabilities are modular scenarios with no guided walkthrough existing yet.

CI/CD

CI/CD Goat: Deliberately vulnerable CI/CD environment, hacking CI/CD pipelines with CTF. Host locally with docker.

Github Actions Goat: Deliberately vulnerable Github Actions CI/CD environment, hosted in your own Github account. Includes threat scenario descriptions mapped to vulnerabilities.