CloudGoat - Scenario-Based Cloud Lab
Intro: CloudGoat is one of the best labs for people who learn cloud security through small, isolated scenarios instead of one large environment. It is especially good for IAM, metadata, bucket, Lambda, and service-to-service abuse reasoning.
What this page includes
- why CloudGoat is different from AWSGoat;
- how to install it with the CLI or Docker image;
- how to choose scenarios for learning goals;
- how to turn scenario work into review and detection practice.
What it is
CloudGoat is a "vulnerable by design" cloud deployment tool that creates scenario-based labs. Each scenario is a focused learning environment with a clear objective. That modular design makes it excellent for repeated practice.
Compared with AWSGoat:
- AWSGoat feels more like a vulnerable product environment;
- CloudGoat feels more like a cloud security scenario engine.
Why it is valuable
CloudGoat is very strong when you want to practice:
- IAM privilege escalation;
- secrets exposure and misuse;
- metadata and instance-profile abuse;
- service misconfiguration chains;
- structured cloud enumeration without building a giant environment yourself.
Best fit
| Persona | Fit | Why |
|---|---|---|
| Cloud Security engineer | Very high | Scenario variety makes repetition easy |
| Product Security engineer | High | Good for attack-path thinking and control design |
| AppSec engineer | Medium | Best when you want to understand cloud amplification of app flaws |
| Newcomer | Medium | Good after one simpler lab |
Run model
CloudGoat is usually operated from a local VM or workstation, while the actual vulnerable resources are created in the cloud account.
Useful modes:
- CLI mode via pipx;
- Docker image mode if you want a more contained control environment.
Prerequisites
- disposable AWS account or sandbox subscription/project for the chosen scenario platform;
- Terraform available;
- cloud CLI configured;
- Python and pipx if you want the native CLI flow;
- discipline around teardown.
Quick start - native CLI
```shell
pipx install cloudgoat
cloudgoat config aws
cloudgoat list aws
cloudgoat create iam_enum_basics
```
This is a good starting pattern because it shows the available scenarios before deployment.
Quick start - Docker image
```shell
docker run -it rhinosecuritylabs/cloudgoat:latest
```
If you decide to mount your local AWS configuration into the container, do it only in an isolated training environment and treat the container as trusted for the duration of the session.
Example scenario flow
A simple pattern for a first week of study:
Scenario 1 - IAM enumeration
- create a beginner IAM scenario;
- learn to identify policies, groups, assumable roles, and permission boundaries;
- write one-page notes about what granted the escalation path.
Scenario 2 - metadata and workload trust
- choose a scenario with instance profile or metadata exposure;
- document how a web issue or exposed access path becomes cloud privilege.
Scenario 3 - service pivoting
- choose a scenario that moves across services, such as Lambda, S3, SNS, or EC2;
- identify the earliest place where prevention would have been cheaper than detection.
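The scenario-1 write-up asks which policy statement actually granted the escalation path. The script below is an added example (not CloudGoat's own code) that turns the policy documents attached to the starting identity into those one-line notes: it expands every Allow statement, matches action patterns the way IAM does (case-insensitive globs), and flags full-admin wildcards, IAM permission- or credential-changing actions, unscoped iam:PassRole, and service wildcards. The two policy documents are constructed samples, not files from any scenario; in the lab you would feed it the output of `aws iam get-policy-version` or `get-user-policy` for each attached policy.

```python
"""Flag policy statements that usually explain a CloudGoat escalation path.

Added example for the scenario-1 note-taking step; it is not CloudGoat's own
code. The two policy documents are constructed samples, not scenario files.
"""
import fnmatch

# Actions that let a principal change its own or another principal's
# permissions or credentials; any Allow matching one of these is worth a note.
IAM_MUTATION_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
}

SAMPLE_POLICIES = {  # constructed, not from any CloudGoat scenario
    "ReadOnlyInventory": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "Describe", "Effect": "Allow",
                       "Action": ["ec2:DescribeInstances", "s3:ListAllMyBuckets"],
                       "Resource": "*"}],
    },
    "DeveloperHelper": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Buckets", "Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-dev-bucket/*"},
            {"Sid": "SelfService", "Effect": "Allow",
             "Action": ["iam:GetUser", "iam:PutUserPolicy"], "Resource": "*"},
            {"Sid": "NoDelete", "Effect": "Deny", "Action": "iam:DeleteUser",
             "Resource": "*"},
        ],
    },
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """Case-insensitive glob match, the way IAM evaluates Action patterns."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy):
    """Yield (action_pattern, resource, sid) for every Allow statement.

    Deny statements are skipped on purpose: they narrow, never widen, access.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource", "*")):
                yield action, resource, stmt.get("Sid", "")


def analyze_policy(name, policy):
    """Return one finding per Allow action that could widen the blast radius."""
    findings = []
    for action, resource, sid in allowed_actions(policy):
        reason = None
        if action == "*":
            reason = "Action '*' is full administrative access"
        elif any(_matches(action, m) for m in IAM_MUTATION_ACTIONS):
            reason = "can change a principal's permissions or credentials"
        elif _matches(action, "iam:PassRole") and resource == "*":
            reason = "iam:PassRole on any role lets a service run with that role"
        elif action.endswith("*"):
            reason = "wildcard action; check what it will match as the service grows"
        if reason:
            findings.append({"policy": name, "sid": sid or "<no Sid>",
                             "action": action, "resource": resource,
                             "reason": reason})
    return findings


def analyze_all(policies=SAMPLE_POLICIES):
    """Run the check over every policy attached to the starting identity."""
    findings = []
    for name, doc in policies.items():
        findings.extend(analyze_policy(name, doc))
    return findings


def escalation_notes(findings):
    """Render findings as the one-line notes the scenario write-up asks for."""
    return [f"{f['policy']}/{f['sid']}: {f['action']} on {f['resource']} -> {f['reason']}"
            for f in findings]


if __name__ == "__main__":
    for line in escalation_notes(analyze_all()):
        print(line)
```

Run it over the sample and only `DeveloperHelper` produces notes (the scoped `s3:*` and the `iam:PutUserPolicy` self-service grant); the Deny statement and the read-only policy are silent. Keep the notes as the "what granted it" section of the one-page write-up, and pair each with the narrower statement that would have blocked it.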
How to study CloudGoat well
Do not rush to "solve" the scenario first.
Instead:
- inventory the starting identity and resources;
- predict the likely privilege path before you touch anything;
- verify the path;
- write the hardening and detection notes.
That habit is what makes the lab useful for Product Security.
Good pairings with the rest of the KB
After each scenario, answer these questions:
- which AWS IAM and Role Design principle failed?
- which AWS Provider-Specific Cloud Attack Chains pattern did this resemble?
- which High-Signal Detection Patterns and SIEM Examples would have helped?
- which Threat Modeling Methods and Workflows question would have surfaced the risk earlier?
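To make the "which detection pattern would have helped?" question concrete, here is an added example (not part of CloudGoat) of two CloudTrail rules that map to the scenario themes above: instance-profile credentials being used from an address outside the VPC's egress (the scenario-2 metadata theme) and any permission-changing IAM call, including denied attempts (the scenario-1 and scenario-3 themes). The events are constructed samples in CloudTrail's JSON shape, the account id and IPs are documentation values, and `EXPECTED_EGRESS` is an assumed list of the lab VPC's NAT gateway addresses that you would replace with your own.

```python
"""Two CloudTrail detections that pair with the scenario themes above:
workload credentials used off-host, and IAM permission changes.

Added example, not from the CloudGoat project. The events are constructed
samples in CloudTrail's JSON shape, and EXPECTED_EGRESS is an assumed list
of the lab VPC's NAT gateway addresses; replace it with your own.
"""
import ipaddress

EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed lab NAT range

# IAM calls that change who can do what; rare enough in a lab account to
# alert on every occurrence, successful or denied.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreateAccessKey", "CreateLoginProfile", "UpdateAssumeRolePolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "AddUserToGroup",
}


def _instance_role_event(event_name, source, ip, instance_id="i-0123456789abcdef0"):
    """Build a constructed event for an EC2 instance-profile role session."""
    return {
        "eventSource": source, "eventName": event_name, "sourceIPAddress": ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/web-instance-role/{instance_id}",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "web-instance-role"},
                "ec2RoleDelivery": "2.0",  # present when credentials came from IMDS
            },
        },
    }


def _user_event(event_name, source, ip, error_code=None):
    """Build a constructed event for a long-lived IAM user."""
    event = {
        "eventSource": source, "eventName": event_name, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": "dev-user",
                         "arn": "arn:aws:iam::111122223333:user/dev-user"},
    }
    if error_code:
        event["errorCode"] = error_code
    return event


SAMPLE_EVENTS = [  # constructed; account id and IPs are documentation values
    _instance_role_event("GetObject", "s3.amazonaws.com", "203.0.113.10"),
    _instance_role_event("ListBuckets", "s3.amazonaws.com", "198.51.100.7"),
    _user_event("GetUser", "iam.amazonaws.com", "192.0.2.44"),
    _user_event("AttachUserPolicy", "iam.amazonaws.com", "192.0.2.44"),
    _user_event("CreateAccessKey", "iam.amazonaws.com", "192.0.2.44", "AccessDenied"),
]


def is_instance_role_session(event):
    """True when the caller's credentials were issued to an EC2 instance profile."""
    identity = event.get("userIdentity", {})
    context = identity.get("sessionContext", {})
    return identity.get("type") == "AssumedRole" and "ec2RoleDelivery" in context


def ip_is_expected(ip):
    """Non-IP sources (e.g. 'AWS Internal', service principals) are not scored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_EGRESS)


def detect(events=SAMPLE_EVENTS):
    """Return one alert dict per rule hit, in event order."""
    alerts = []
    for event in events:
        ip = event.get("sourceIPAddress", "")
        principal = event.get("userIdentity", {}).get("arn", "?")
        # Rule 1: instance-profile credentials used from outside the VPC's egress.
        if is_instance_role_session(event) and not ip_is_expected(ip):
            alerts.append({"rule": "instance-credentials-off-host",
                           "event": event["eventName"], "ip": ip,
                           "principal": principal})
        # Rule 2: any permission-changing IAM call. Denied attempts are kept
        # because a failed AttachUserPolicy is itself a strong probe signal.
        if (event.get("eventSource") == "iam.amazonaws.com"
                and event.get("eventName") in PRIVILEGE_CHANGE_EVENTS):
            alerts.append({"rule": "iam-privilege-change",
                           "event": event["eventName"], "ip": ip,
                           "principal": principal,
                           "outcome": event.get("errorCode", "Success")})
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

On the sample, the off-host `ListBuckets`, the successful `AttachUserPolicy` and the denied `CreateAccessKey` fire; the in-VPC `GetObject` and the `GetUser` read do not. After a scenario, replay the trail for the scenario's time window through rules like these and record the first event that would have paged someone; that timestamp, compared with the point where the path was actually achieved, is the "prevention cheaper than detection" discussion in numbers.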
Common mistakes
- choosing a very large scenario too early;
- skipping the architecture note-taking step;
- forgetting that CloudGoat can manage only the resources it created;
- leaving scenario resources alive after the exercise.
Cleanup
```shell
cloudgoat destroy iam_enum_basics
```
Also verify manually whether you created anything extra during the scenario that CloudGoat does not manage.
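One way to make that manual check repeatable is to snapshot the account's tagged resources before `cloudgoat create` and again after `cloudgoat destroy`, then diff the two. The script below is an added example, not CloudGoat tooling; both snapshots are constructed in the shape of `aws resourcegroupstaggingapi get-resources` output (in practice you would save that command's JSON at both points). Caveat: that API only returns resources that are or were tagged, so treat its diff as a first pass and still list IAM users, roles and access keys directly, since those are the things most often created by hand mid-scenario.

```python
"""Find resources left behind after `cloudgoat destroy` by diffing two
inventory snapshots taken with the Resource Groups Tagging API.

Added example, not CloudGoat's own tooling. Both snapshots are constructed
in the shape of `aws resourcegroupstaggingapi get-resources` output; account
id and resource names are documentation values.
"""
from collections import defaultdict

BEFORE_CREATE = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::team-tooling-bucket", "Tags": []},
    {"ResourceARN": "arn:aws:iam::111122223333:role/ReadOnlyAudit", "Tags": []},
]}

AFTER_DESTROY = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::team-tooling-bucket", "Tags": []},
    {"ResourceARN": "arn:aws:iam::111122223333:role/ReadOnlyAudit", "Tags": []},
    # created by hand mid-scenario, so Terraform state never knew about them
    {"ResourceARN": "arn:aws:iam::111122223333:user/scenario-test-user",
     "Tags": [{"Key": "Purpose", "Value": "manual-check"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc12345def67890",
     "Tags": []},
]}


def parse_arn(arn):
    """Split an ARN into its six fields; the resource part may itself contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    return {"partition": partition, "service": service,
            "region": region or "global",  # S3 and IAM ARNs carry no region
            "account": account, "resource": resource}


def arns(snapshot):
    """The set of ARNs in one get-resources snapshot."""
    return {item["ResourceARN"] for item in snapshot.get("ResourceTagMappingList", [])}


def leftovers(before, after):
    """ARNs present after destroy but absent before create, grouped by service."""
    grouped = defaultdict(list)
    for arn in sorted(arns(after) - arns(before)):
        grouped[parse_arn(arn)["service"]].append(arn)
    return dict(grouped)


def report(before=BEFORE_CREATE, after=AFTER_DESTROY):
    """One line per leftover, ready to paste into the scenario's teardown notes."""
    lines = []
    for service, items in sorted(leftovers(before, after).items()):
        for arn in items:
            lines.append(f"[{service}] {arn}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the sample the diff reports the hand-made IAM user and the extra security group, which is exactly the class of resource `cloudgoat destroy` cannot see because it was never in the scenario's Terraform state.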
Related pages
References
- Official project: https://github.com/RhinoSecurityLabs/cloudgoat
- Scenario documentation in the official repository
---
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.