Cloud penetration testing is designed to assess the strengths and weaknesses of a cloud environment or system in order to improve its overall security posture. It is an attack simulation performed to find vulnerabilities that can be exploited, or misconfigurations, in a cloud-based system.
Before practicing cloud security or cloud penetration testing, one has to learn the basics of cloud computing: what the cloud and cloud computing are, the types of cloud, service models, cloud service providers, advantages and disadvantages, etc.
So, cloud-based testing or cloud penetration testing is an approach that uses cloud-based tools to emulate real-world user traffic and environments for testing any type of application, network and infrastructure. Cloud security vulnerabilities include insecure APIs, supply chain attacks, data exfiltration, MITM attacks, misconfigured instances, misconfigured cloud storage, poor access management, privileged account access, etc.
OWASP Top 10 Cloud Security Risks :
R1. Accountability & Data Risk
R2. User Identity Federation
R3. Legal & Regulatory Compliance
R4. Business Continuity & Resiliency
R5. User Privacy & Secondary Usage of Data
R6. Service & Data Integration
R7. Multi-tenancy & Physical Security
R8. Incidence Analysis & Forensics
R9. Infrastructure Security
R10. Non-production Environment Exposure
Helpful resources:
Cloud Computing Tutorials : https://www.javatpoint.com/cloud-computing-tutorial
OWASP Cloud Top 10 Security Risks : https://owasp.org/www-pdf-archive/OWASP_Cloud_Top_10.pdf
OWASP Cloud-Native Application Security Top 10 : https://owasp.org/www-project-cloud-native-application-security-top-10/
Cloud Setup :
AWS Security Primer : https://cloudonaut.io/aws-security-primer/
Cloud Vulnerable Environments :
Online:
Offline:
AWSGoat : https://github.com/ine-labs/AWSGoat
Cloudgoat : https://github.com/RhinoSecurityLabs/cloudgoat
AWS Detonation Lab : https://github.com/sonofagl1tch/AWSDetonationLab
AWS Vulnerable Lambda : https://github.com/torque59/AWS-Vulnerable-Lambda
Cloudgoat Setup and Walkthrough : https://resources.infosecinstitute.com/topic/working-with-cloudgoat-the-vulnerable-by-design-aws-environment/
YouTube :
Cloud Security Explained : https://www.youtube.com/watch?v=gTPjwkXt20k
Cloud Penetration Testing Workshop | SANS : https://www.youtube.com/watch?v=fiSJQfiS21c
AWS Penetration Testing and Lab Setup : https://youtube.com/playlist?list=PLaF-mVL3srXy4qhzqfPozYzIs4Rq-oNKI
Hacking Cloud - AWS(Cloudgoat) : https://www.youtube.com/watch?v=P1Bv6dfB0Vo
AWSGoat Installation and Exploitation : https://www.youtube.com/playlist?list=PLcIpBb4raSZEMosUmY8KpxPWtjKRMSmNx