flAWS challenge

2017.02.26


flAWS

Amazon Web Services (AWS) launched in 2006, over a decade ago. It now has tons of features and capabilities, which unfortunately means mistakes are sometimes made by its users. One example is a company called Code Spaces that had its root account compromised, resulting in all of their AWS environment, including the backups they kept on AWS, being deleted, which destroyed the company.

I don't want things like that to happen to you.

To help people learn about some security "gotchas" when using AWS, I made a set of challenges to teach some lessons about what to look out for. This is in the style of challenges like xss-game.appspot.com/ or google-gruyere.appspot.com, but instead of XSS or other web attacks, or the buffer overflows you get with CTFs, this set of challenges is all related to AWS and devops.

Try it out at flaws.cloud

If you don't want to actually play the flAWS challenge, you can just read all the hints, which will take you to the end. There are 6 levels that each introduce a different issue. Throughout the levels and hints I've tried to teach a couple of cool tricks, so I think everyone will learn something, whether you're a pentester, devop, or security defender.

Resources for learning about AWS security mistakes: