CloudGoat walkthrough series: Lambda Privilege Escalation

This is the third in our walkthrough series of CloudGoat scenarios. CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources and is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.

This walkthrough assumes you have CloudGoat setup on your Kali Linux. You can use our Working with CloudGoat: The “vulnerable by design” AWS environment post as a guide in deploying it.

Scenario summary

The scenario starts with the IAM user Chris, where the attacker discovers that they can assume a role that has full Lambda access and pass role permissions. The attacker can then perform privilege escalation to obtain full admin access.

The goal of the scenario is to download the confidential files from the S3 bucket.


To deploy the resources for each scenario on AWS:

./ create lambda_privesc

1. Deploying the resources gives us the access key and secret key for Chris:

2. Save the credential to a profile – Chris:

./ create lambda_privesc

3. Enumerate the policies and permissions attached to the user “Chris” and see what privileges the user

Read More: