AWS - Level 4

15 minute read Published:

This is a walkthrough for level 4 of, a CTF-style cloud security game in which you have to find your way in to an AWS account. This time you find a publicly available web server running on an EC2 machine. Since it hosts a password-protected website there is not much to do with just that. But given the credentials gained from level 3 of this game you can use the AWS API to find out plenty of sensitive information about the machine. The crucial part is the ID of the root volume, which allows to list corresponding VM snapshots. You notice that there is one snapshot with misconfigured sharing permissions, making the snapshot publicly available. Thus you can boot your own EC2 instance, mount a volume based on this snapshot and get past the password protection that way.
In Level 3 of the game we gained initial foothold and can now move deeper into the account. Level 4 now starts at this page. We are being told there is a web server running on an EC2 machine. Before you start, make sure you have the credentials from level 3 ready. You can put the into the “~/.aws/credentials” file as a profile and then reference them in all your API calls. - Level 3

9 minute read Published:

Long time ago I started, a CTF-style cloud security game teaching you about cloud-specific vulnerabilities related to bad configurations. Now I took it up again and here is a walkthrough of level 3. Like before we have a public homepage hosted on S3. This time we find a git repository with IAM credentials in the commit history. Using them we can list the buckets and find the link to the next level.
The previous level 2 illustrated how ACL misconfiguration can accidentally open up S3 buckets to all AWS users anywhere on the world. This was enough to just get the secret we needed. This time it will not be that easy anymore. Again, the starting point is a public website and we can again just list the bucket. But now the secret is hidden. EDIT 11th Nov 2019: changed the description of this level. - Level 2

8 minute read Published:

In a previous post, I covered level 1 of, a CTF-style cloud security game in which you have to find your way in to an AWS account by abusing common misconfigurations. This walkthrough now covers level 2, in which you discover content in another vulnerable bucket. This time, S3 ACLs are the culprit. The level demonstrates one of the most common mistakes in S3 access control configuration.
In level 1, we discovered that the homepage is hosted in an S3 bucket with Amazons static page feature. Since the creator of the bucket configured the permissions such that unauthenticated users could list it, we discovered a secret file named “secret-dd02c7c.html”. It lead us to the start page of level 2. Now, the level description says we have to do something similar, but need our own AWS account this time. - Level 1

6 minute read Published: is a set of CTF-like challenges that teach you common security issues in AWS accounts. This post is the first of a series of walkthroughs for these challenges. It's basically a short writeup on how to solve level 1, followed by a brief explanation of the AWS configuration that leads to this flaw and how to mitigate it. Before reading, go [here]( and try yourself first! ;)
Adoption of cloud computing is rising rapidly. Studies predict it will soon surpass on-premises hosting also for enterprise workloads. Large corporates are hesitant mostly due to security concerns, which are partly of more general nature (“uploading data to the cloud”), but also due to the myriad of cloud security failures you read about every day in the news. For example, many companies misconfigure AWS S3 bucket permissions and leave sensitive data unprotected.