With over 90% of organizations using the cloud in some form as of 2021 (Source: O-Reilley), cloud security is growing more important. However, very few cloud-focused training modules are available to introduce the skills required to secure this new frontier. The Damn Vulnerable AWS API is a training platform to guide users through testing and securing an AWS environment. The users will perform a penetration test (pentest) within their own AWS environment after deploying our project’s CloudFormation Templates. The goal is to gain complete system control of the AWS environment by following phases commonly found in a pentest, such as Initial Entry, Privilege Escalation, Persistence, and Lateral Movement. The image to the right shows the typical flow of a cyber attack, which is the general form that our attack paths will follow.

 Our project is to design and implement two attack paths using common AWS services to model real-world systems. We will implement common vulnerabilities or misconfigurations that the user will exploit as they follow the attack paths. Each attack path has a narrative that models the services into a mock business system, such as a hospital or bank network. Additionally, we will create documentation showing the users how to fix the vulnerabilities that are in the attack paths to teach the users how to prevent breaches in the AWS environments they are exploring. Read our technical documents to learn more about our designs and the process.