Awesome-CloudSec-Labs

Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.
https://github.com/iknowjason/Awesome-CloudSec-Labs


  • Sorted by Technology and Category

    • Pentesting.Cloud - hosted, Author-hosted CTF labs | [Nicholas Gilbert](https://www.linkedin.com/in/nicksecurity/) | 17 free labs, requires registration; some labs are bring-your-own AWS account and are created with CloudFormation |
    • AWS Well-Architected Security Workshop - hosted, guided labs | AWS Well-Architected | Several hands-on-labs to help you learn, measure, and improve the security of your architecture using best practices from the Security pillar of the AWS Well-Architected Framework. |
    • flaws.cloud - hosted, CTF challenge | [Scott Piper](https://twitter.com/0xdabbad00) | Challenge style with levels and clues |
    • flaws2.cloud - hosted, CTF challenge | [Scott Piper](https://twitter.com/0xdabbad00) | Challenge style Attacker and Defender paths |
    • AWSGoat - hosted, attack and defense manuals | Multiple, ine-labs | Bring your own AWS account, build with Terraform, two modules, provides attack and defense manuals |
    • Sadcloud - hosted | Multiple, [NCC Group](https://www.nccgroup.com) | Terraform code; not guided like CloudGoat |
    • DVCA - hosted demo lab | [Maxime Leblanc](https://medium.com/@mleblanc_82306) | Deploy a Damn Vulnerable Cloud Application in your own AWS account to practice privilege escalation |
    • lambhack - hosted lab | [James Wickett](https://twitter.com/wickett) | Deploy a very vulnerable AWS lambda serverless application in your AWS account |
    • BadZure - hosted lab | [Mauricio Velazco](https://twitter.com/mvelazco) | PowerShell Graph SDK script that spins up your own Azure AD (Entra ID) lab with attack paths. Currently no walkthrough or guide. |
    • Mandiant Azure Workshop - hosted, guided commands | Multiple | Vulnerable by design Azure lab with two scenarios; build with Terraform |
    • AzureGoat - hosted, attack and defense manuals | Multiple, ine-labs | Bring your own Azure tenant, build with Terraform, one module, provides attack and defense manuals |
    • XMGoat - hosted, guided labs | Multiple | Build with Terraform, 5 scenarios, solution docs provided |
    • CONVEX - hosted, CTF | Multiple | Spin up three Capture the Flag environments in your Azure tenant using PowerShell |
    • GCPGoat (ine-labs) - hosted, attack and defense manuals | Multiple, ine-labs | Bring your own GCP account, build with Terraform, one module, provides attack and defense manuals |
    • Kubernetes Goat - hosted, multi-cloud, K3S | [Madhu Akula](https://twitter.com/madhuakula) | Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook |
    • Kube Security Lab
    • Contained.af - hosted Challenge | [Jessie Frazelle](https://twitter.com/jessfraz) | A container escape challenge, break out of it and email the author |
    • TerraGoat - hosted multi-cloud (AWS, Azure, GCP) | Multiple, [Bridgecrew](https://www.bridgecrew.io/) | Vulnerable by design Terraform repository |
    • SimuLand
    • CNAPPgoat | Using Pulumi, modularly provision vulnerable-by-design components in AWS, GCP, Azure |
    • CI/CD Goat | Deliberately vulnerable CI/CD environment, hacking CI/CD pipelines with CTF. Host locally with Docker. |
    • GitHub Actions Goat - hosted GitHub | [StepSecurity](https://www.stepsecurity.io/) | Deliberately vulnerable GitHub Actions CI/CD environment, hosted in your own GitHub account. Includes threat scenario descriptions mapped to vulnerabilities. |
    • CloudGoat - hosted, guided vulnerability lab | Multiple, [Rhino Security Labs](https://rhinosecuritylabs.com/) | Python orchestration of Terraform |
    • Attacking and Defending Serverless Applications - hosted, guided vulnerability workshop | [Ryan Nicholson](https://twitter.com/ryananicholson) | Attack and defend a Lambda that you build in your own AWS account with author-provided Terraform |
    • IAM Vulnerable - hosted, guided vulnerability lab | [Seth Art](https://twitter.com/sethsec) | IAM-focused priv esc playground with 31 pathways, create in your own AWS account using Terraform, solid docs |
    • CloudFoxable - hosted CTF Challenge | [Seth Art](https://twitter.com/sethsec) | Create your own vulnerable by design AWS penetration testing playground |
    • The Big IAM Challenge - hosted CTF Challenge | [Wiz](https://www.wiz.io) | CTF challenge to identify and exploit IAM misconfigurations |
    • AWS CIRT Workshop - hosted, guided lab | AWS CIRT | Build with CloudFormation, explore 5 common incident response scenarios observed by AWS CIRT |
    • CloudSec Tidbits - hosted Challenge | [Doyensec](https://doyensec.com/) | Three web app security flaws specific to AWS cloud, self-hosted with Terraform |
    • Broken Azure - hosted, CTF challenge | [Secura](https://github.com/SecuraBV/brokenbydesign-azure) | Provides hints, optionally self-host in your own Azure account using Terraform |
    • K8s Lan Party
    • Bustakube - hosted, import VMs | [Jay Beale](https://twitter.com/jaybeale) | Vulnerable K8S cluster; download the VMs to build the cluster, import them into VMware, and run it |
    • GCP Goat (Josh Jebaraj) - hosted, mdbook lab guide | [Josh Jebaraj](https://joshuajebaraj.com/) | Host in your own GCP account, build with provided scripts, nice guided lab workbook |
    • Thunder CTF - hosted, CTF | Multiple | Bring your own GCP account, 6 levels, practice attacking vulnerable cloud projects on GCP |
    • Container Security 101 - hosted, guided workshop | [Jon Zeolla](https://twitter.com/JonZeolla) | A guided vulnerability workshop, host in your AWS account, provided CloudFormation |
    • Kubecon NA 2019 CTF - hosted in GKE | Multiple | Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges |
    • CI/CDon't - hosted CTF walkthrough | [Nick Frichette](https://twitter.com/Frichette_n) | Host with Terraform in your own AWS account, vulnerable CI/CD CTF infrastructure |
    • EKS Cluster Games
  • AWS

  • Research Labs

  • Azure

  • Container