Hands-on Cloud Security Lab Guide
This guide provides step-by-step **attack and defense labs** for demonstrating Cloud Security concepts.
Designed for B.Tech CSE/IT workshops.
Lab 1: S3 Bucket Misconfiguration Attack & Defense
Step 1: Create a Public S3 Bucket (Attack Setup)
- Log in to AWS Console → S3 → Create bucket `student-data-lab`.
- Disable Block Public Access (insecure).
- Upload a sample file `secret.txt`.
- Copy the bucket URL and open it in a browser.

Step 2: Attack Demonstration
- Run:

```
aws s3 ls s3://student-data-lab --no-sign-request
aws s3 cp s3://student-data-lab/secret.txt .
```

Step 3: Defense (Fix Misconfiguration)
- Enable Block Public Access.
- Add a bucket policy to deny insecure transport.
- Enable Encryption and Access Logging.
- Re-test access → Forbidden.
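The first two Step 3 fixes (Block Public Access and the deny-insecure-transport policy) can be checked offline with a small audit function. This is an added example, not part of the original lab guide: `audit_bucket` and its helpers are hypothetical names, and the sample inputs are constructed, shaped like the `PublicAccessBlockConfiguration` object from `aws s3api get-public-access-block` and the policy string from `aws s3api get-bucket-policy`. Encryption and access logging are not checked here.

```python
import json

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_allow(stmt):
    """Allow statement open to Principal "*" with no Condition."""
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (
        isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
    return stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition")

def denies_insecure_transport(stmt):
    """Deny statement conditioned on aws:SecureTransport being false."""
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
    return stmt.get("Effect") == "Deny" and str(value).lower() == "false"

def audit_bucket(bpa_config, policy_json):
    """Return findings for one bucket; an empty list means both checks pass."""
    findings = [f"Block Public Access flag {flag} is off"
                for flag in BPA_FLAGS if not bpa_config.get(flag, False)]
    policy = json.loads(policy_json) if policy_json else {}
    statements = as_list(policy.get("Statement", []))
    if any(is_public_allow(s) for s in statements):
        findings.append("policy allows Principal * without a condition")
    if not any(denies_insecure_transport(s) for s in statements):
        findings.append("no Deny on aws:SecureTransport=false")
    return findings

# Constructed sample data for the lab bucket, before and after Step 3.
INSECURE_BPA = dict.fromkeys(BPA_FLAGS, False)
INSECURE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::student-data-lab/*"}]})
FIXED_BPA = dict.fromkeys(BPA_FLAGS, True)
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::student-data-lab",
                  "arn:aws:s3:::student-data-lab/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    for label, bpa, pol in (("before", INSECURE_BPA, INSECURE_POLICY),
                            ("after", FIXED_BPA, FIXED_POLICY)):
        print(label, audit_bucket(bpa, pol) or "no findings")
```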
Lab 2: Open Port Attack on EC2 (SSH Brute Force)
Step 1: Create Vulnerable EC2 Instance
- Launch EC2 instance (Amazon Linux 2).
- Security Group: allow 0.0.0.0/0 for SSH (22).
- Share public IP.

Step 2: Attack Demonstration
- Run from Kali:

```
nmap -p 22
hydra -l ec2-user -P /usr/share/wordlists/rockyou.txt ssh://
```

Step 3: Defense (Secure VM)
- Restrict SSH to trainer’s IP.
- Enable MFA and Key-Pair Authentication.
- Install Fail2Ban.
- Re-run attack → blocked.
Lab 3: AWS Access Key Leak & Exploitation
Step 1: Create Test IAM User
- Create IAM user `dev-user` with AmazonS3FullAccess.
- Download Access Key & Secret Key.
- Save to keys.txt.

Step 2: Simulate Key Leak
- Assume keys leaked to GitHub.
- Attacker runs:

```
export AWS_ACCESS_KEY_ID=XXXX
export AWS_SECRET_ACCESS_KEY=YYYY
aws s3 ls
aws s3 cp s3://student-data-lab/secret.txt .
```

Step 3: Defense (Key Rotation & Detection)
- Delete compromised keys.
- Enable AWS Config + GuardDuty.
- Use IAM Roles with STS.
- Re-run → Access Denied.
Workshop Wrap-up
- Each lab demonstrates Attack → Defense cycle.
- Each lab takes ~45 mins (3 labs = 4.5 hrs).
- End with Q&A + Career Path discussion (Cloud Security Engineer, Ethical Hacker).