This is the second in the walkthrough series of the CloudGoat scenarios. CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It deploys a vulnerable set of AWS resources and is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
This scenario is inspired by the Capital One breach. In case you are unfamiliar with it, here is a brief summary: in 2019, a bad actor accessed data stored in AWS S3 buckets owned by Capital One and posted the exfiltrated data on GitHub. The bad actor gained access to the S3 buckets by exploiting a misconfigured AWS service (in this case it seems to be a firewall) to run commands on the Elastic Compute Cloud (EC2) instance.
In addition, the EC2 instance also had an Identity and Access Management (IAM) role assigned, which allowed anyone who had access to the server to access AWS resources such as the AWS S3 buckets. The bad actor also bragged about their actions on a Slack channel and on Twitter.
This walkthrough assumes you have CloudGoat set up on your Kali Linux. You