Cloud security

Working with CloudGoat: The “vulnerable by design” AWS environment

Mosimilolu Odusanya
December 7, 2020 by
Mosimilolu Odusanya


Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, security and privacy concerns. One of these risks are misconfigured cloud environments.

Learn Cloud Security

Learn Cloud Security

Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.

What is CloudGoat?

CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources. It is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.

Each scenario is designed in a Capture the Flag (CTF) style where AWS resources are deployed to an existing environment. In each scenario, you’ll need to explore the AWS environment and its resources, demonstrate understanding of the issue by exploiting the vulnerabilities.

Currently, there are seven (7) scenarios which explores various attack vectors and vulnerabilities such as:

  • IAM permissions
  • Misconfigured EC2 instances, lambda functions and elastic load balancers
  • Misconfigured web applications
  • Evading detection
  • Default settings, configurations and software

The goals when exploiting the CloudGoat environment are:

  • Privilege escalation
  • Logging/monitoring evasion
  • Data and information enumeration
  • Data exfiltration
  • Persistent access

Pacu AWS

Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on AWS environments. Pacu is designed to be the Metasploit equivalent. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules. Pacu modules were designed to be used against the CloudGoat environment.

Set up CloudGoat

CloudGoat uses a deployment script via Terraform to launch and destroy the resources into an existing AWS environment automatically. I recommend creating a new AWS account (preferably free tier) just for this purpose. Deploy the environment and destroy it as soon as you are done so as to avoid unexpected charges.

Warning #1: CloudGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy CloudGoat in a production environment or alongside any environment with sensitive AWS resources or data.

Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the “destroy” command.


The easiest way to use CloudGoat is to make use of the Docker images. Assuming you have Docker installed, execute the following command:

docker run -it rhinosecuritylabs/cloudgoat:latest

From Source


  • Linux OS (I used Kali Linux)
  • Python 3.6 or a later version
  • Terraform 0.12 or a later version

Clone it from Rhino Security Labs Github page:

git clone ./CloudGoat


cd CloudGoat

pip3 install -r ./core/python/requirements.txt

chmod u+x


IAM user creation

In your existing AWS environment, create an IAM user with “AdministratorAccess” policy attached to it.

Note: It is best practice to use your root user (the account used to create the AWS account) to only create your first IAM user.

Save the access key ID and the secret access key, as you’ll need it to configure AWS CLI.

AWS CLI configuration

Configure the AWS environment variables for the user via AWS CLI.

On Kali Linux, run the following commands:

  1. Create configure the IAM user on AWS CLI:

aws configure –profile <insert profile name here>

Enter the access key and secret access key generated for the IAM user. You can leave the default region name and the output format as empty.

  1. To configure the configuration:
  2. aws sts get-caller-identity –profile <insert profile name here>

    CloudGoat configuration

    On Kali Linux, run the following commands:

    1. Create a CloudGoat profile:

    ./ configure profile <insert profile name here>

    1. Whitelist the IP address of your machine:
    2. ./ configure whitelist --auto

      Running each scenario

      1. To deploy the resources for each scenario on AWS:

      ./ create <insert scenario name>

      1. To destroy the resources for each scenario on AWS:
      2. ./ destroy <insert scenario name>

        Learn Cloud Security

        Learn Cloud Security

        Get hands-on experience with cloud service provider security, cloud penetration testing, cloud security architecture and management, and more.


        CloudGoat is a great learning platform which can be used to hone one’s cloud security skills. It is also great for people with all skill levels, from beginners to experts.



        CloudGoat: The ‘Vulnerable by Design’ AWS Environment, Rhino Security Labs

        Pacu: The Open Source AWS Exploitation Framework, Rhino Security Labs

        AWS account root user, AWS

        Creating your first IAM admin user and group, AWS

        AWS Command Line Interface, AWS

        Environment variables to configure the AWS CLI, AWS

        Pacu, Rhino Security Labs GitHub

        CloudGoat, Rhino Security Labs GitHub

        Mosimilolu Odusanya
        Mosimilolu Odusanya

        Mosimilolu (or 'Simi') works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.