Amazon Web Services (AWS) launched in 2006, over a decade ago. It now has tons of features and capabilities, which unfortunately means mistakes are sometimes made by it’s users. One example is a company called Code Spaces that had it’s root account compromised resulting in all of their AWS environment, including their backups that they kept on AWS, being deleted and therefore destroying the company.

I don’t want things like that to happen to you.

In order to help people learn about some security “gotchas” when using AWS, I made a set of challenges to teach some lessons about what to look out for. This is in the style of challenges like xss-game.appspot.com/ or google-gruyere.appspot.com, but instead of XSS or other web attacks, or your buffer overflows you get with CTF’s, this set of challenges are all related to AWS and devops.

If you don’t want to actually play the flAWS challenge, you can just read all the hints which will take you to the end. There are 6 levels that each introduce a different issue. Throughout the levels and hints I’ve tried to teach a couple of cool tricks, so I think everyone will learn something, whether you’re a pentester, devop, or security defender.

Resources for learning about AWS security mistakes:

• Pivoting in Amazon Clouds by Andres Riancho at Black Hat USA 2014 - He also released a paper and a tool for fingerprinting and exploiting AWS environments named Nimbostratus. He also created provides tools for setting up a target AWS environment you can try attacks against called nimbostratus-target.
• Bringing a Machete to the Amazon by Erik Peterson at Black Hat USA 2014.