Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.
| README.md | ||
Awesome Cloud Security Labs
A list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.
Sorted by Technology and Category
| Name | Technology | Category | Author | Notes |
|---|---|---|---|---|
| AWS CIRT Workshop | AWS | Self-hosted, guided vulnerability lab | AWS CIRT | Build with Cloudformation |
| CloudGoat | AWS | Self-hosted, guided vulnerability lab | Multiple, Rhino Security Labs | Python orchestration of terraform |
| Attacking and Defending Serverless Applications | AWS | Self-hosted, guided vulnerability lab | Ryan Nicholson | Attack and defend a Lambda that you build in your own AWS account with author provided terraform |
| flaws.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style with levels and clues |
| flaws2.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style Attacker and Defender paths |
| Sadcloud | AWS | Self-hosted | Multiple, NCC Group | Terraform code; not guided like CloudGoat |
| Broken Azure | Azure | Author-hosted, CTF challenge | Secura | Provides hints, self-host in your own Azure account using terraform |
| PurpleCloud Azure AD Workshop | Azure | Self-hosted, guided vulnerability workshop | Jason Ostrom | Guided vulnerability lab requires PurpleCloud and terraform; username and password is sec588 |
| Mandiant Azure Workshop | Azure | Self-hosted, guided commands | Multiple | Vulnerable by design Azure lab with two scenarios; build with terraform |
| AzureGoat | Azure | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own Azure tenant, Build with terraform, one module, provides attack and defense manuals |
| XMGoat | Azure | Self-hosted, guided labs | Multiple | Build with terraform, 5 scenarios, solution docs provided |
| GCP Goat (Josh Jebaraj) | GCP | Self-hosted, mdbook lab guide | Josh Jebaraj | Host in your own GCP account, build with provided scripts, nice guided lab workbook |
| GCPGoat (ine-labs) | GCP | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own GCP account, Build with terraform, one module, provides attack and defense manuals |
| Bustakube | Kubernetes | Self-hosted, import VMs | Jay Beale | Vulnerable K8S cluster, Download the VMs to build cluster and import into VMWare, run it |
| Kubernetes Goat | Kubernetes | Self-hosted, multi-cloud, K3S | Madhu Akula | Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook |
| Kubecon NA 2019 CTF | Kubernetes | Self-hosted in GKE | Multiple | Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges |
| Contained.af | Container | Author-hosted Challenge | Jessie Frazelle | A container escape challenge, break out of it and email the author |
| TerraGoat | Terraform | Self-hosted multi-cloud (AWS, Azure, GCP) | Multiple, Bridgecrew | Vulnerable by design terraform repository |
| PurpleCloud | Azure | Research Lab | Jason Ostrom | Using python and terraform, build your own Azure security lab |