Many organizations today are leveraging the cloud to transform their business. However, adopting cloud technology introduces risks as well as security and privacy concerns. One of these risks is misconfigured cloud environments.
What is CloudGoat?
CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources, and it is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
Each scenario is designed in a Capture the Flag (CTF) style where AWS resources are deployed to an existing environment. In each scenario, you’ll need to explore the AWS environment and its resources and demonstrate understanding of the issue by exploiting the vulnerabilities.
Currently, there are seven (7) scenarios, which explore various attack vectors and vulnerabilities such as:
- IAM permissions
- Misconfigured EC2 instances, Lambda functions and Elastic Load Balancers
- Misconfigured web applications
- Evading detection
- Default settings, configurations and software
The goals when exploiting the CloudGoat environment are:
- Privilege escalation
- Logging/monitoring evasion
- Data and information enumeration
- Data exfiltration
- Persistent access
Pacu AWS
Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on