Cloud security isn't something you truly learn by reading documentation.
You learn it by building infrastructure, attacking it, detecting the attack, and then fixing what made the attack possible.
That idea became the foundation of my Cloud Security Home Lab.
Why I Built It
Most cloud labs focus on deploying resources.
I wanted something different.
I wanted a lab that helped me answer questions like:
- How do attackers exploit AWS misconfigurations?
- What logs are generated during an attack?
- How would a SOC analyst detect this activity?
- How can Terraform be used to prevent it from happening again?
Rather than treating offensive and defensive security separately, I wanted to connect them into a single workflow.
The Workflow
Every exercise follows the same cycle:
Terraform Infrastructure
│
▼
CloudGoat Attack Scenario
│
▼
CloudTrail / CloudWatch Telemetry
│
▼
Detection Rules
│
▼
Investigation
│
▼
Terraform Remediation
│
▼
Validation
The goal isn't simply to exploit a vulnerable configuration.
The goal is to understand the complete security lifecycle.
What the Lab Contains
The project currently includes:
- AWS infrastructure managed with Terraform
- CloudGoat attack scenarios
- Attack runbooks documenting each exercise
- Detection rules using Sigma, Athena, and CloudWatch
- Terraform-based remediations
- AI-assisted log analysis
- Daily engineering notes documenting each lesson
What CloudGoat Taught Me
One of the biggest lessons from CloudGoat is that many cloud attacks don't involve traditional software vulnerabilities.
Instead, they rely on:
- Overly permissive IAM policies
- Insecure trust relationships
- Publicly exposed cloud resources
- Weak identity configurations
- Privilege escalation through misconfigured permissions
Understanding these attack paths helped me appreciate why IAM is often considered the most critical security boundary in AWS.
Challenges I Faced
The biggest challenge wasn't launching attacks.
It was validating that every attack produced useful telemetry.
I wanted to answer questions like:
- Did CloudTrail capture the event?
- Would CloudWatch generate an alert?
- Could a Sigma rule detect it?
- Would Athena queries surface the activity?
- Would the Terraform remediation actually prevent the same attack?
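As an added illustration of that telemetry check (this is example code, not part of the lab itself), here is a small detection pass in Python over constructed CloudTrail records. It applies two Sigma-style rules that match the kinds of IAM misconfiguration listed above (an AdministratorAccess managed policy being attached, and an access key minted for a user other than the caller); the account id, source IP and user names are placeholders.

```python
# Detection pass over CloudTrail records. The records are constructed samples that
# follow CloudTrail's field layout (eventSource, eventName, userIdentity,
# requestParameters); the account id, 198.51.100.7 and user names are placeholders.
from typing import Any, Dict, List

SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
     "requestParameters": {"userName": "dev-user",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
     "requestParameters": {"userName": "admin"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-user"},
     "requestParameters": None},
]

ATTACH_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy"}


def caller_name(record: Dict[str, Any]) -> str:
    """Last path segment of the calling principal's ARN, e.g. 'dev-user'."""
    return record.get("userIdentity", {}).get("arn", "").rsplit("/", 1)[-1]


def detect(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Apply two Sigma-style rules and return one finding per matching record."""
    findings: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue  # both rules are scoped to the IAM API, like a Sigma logsource
        params = rec.get("requestParameters") or {}  # CloudTrail may emit null here
        name, actor = rec.get("eventName"), caller_name(rec)
        # Rule 1: the AdministratorAccess managed policy attached to any principal
        # (Sigma: eventName in ATTACH_EVENTS, requestParameters.policyArn|endswith).
        if name in ATTACH_EVENTS and params.get("policyArn", "").endswith("/AdministratorAccess"):
            target = params.get("userName") or params.get("roleName") or params.get("groupName", "?")
            findings.append({"rule": "admin_policy_attached", "actor": actor,
                             "target": target, "time": rec["eventTime"]})
        # Rule 2: an access key created for someone other than the caller. When
        # userName is omitted, IAM creates the key for the caller, so treat it as self.
        elif name == "CreateAccessKey" and params.get("userName", actor) != actor:
            findings.append({"rule": "access_key_for_other_user", "actor": actor,
                             "target": params["userName"], "time": rec["eventTime"]})
    return findings
```

The same two conditions translate directly into an Athena WHERE clause over the CloudTrail table or a CloudWatch Logs metric filter, which is the point of the validation step: one rule, checked in each place the lab expects to see it.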
Another challenge was balancing realism with cost.
I wanted the lab to resemble production environments while still staying within the AWS Free Tier. That meant carefully designing the infrastructure, destroying resources when they were no longer needed, and documenting everything so scenarios could be recreated later.
Finally, I realized that cloud security isn't just about exploiting misconfigurations; it's about understanding the entire lifecycle, from infrastructure through detection to remediation.
Why AI Is Included
The lab also includes AI-assisted tooling.
However, I intentionally limited its responsibilities.
The AI can:
- Explain security findings
- Summarize cloud logs
- Suggest detection rules
- Assist with log triage
It cannot:
- Modify infrastructure
- Apply Terraform
- Execute attacks
- Make security decisions automatically
Every operational change requires human approval.
I wanted AI to function as a security assistant rather than an autonomous operator.
What I Learned
This project helped me connect several disciplines that are often learned independently:
- Infrastructure as Code
- AWS Security
- IAM
- Cloud Detection Engineering
- Purple Teaming
- Threat Detection
- Defensive Security
- AI-assisted Security Analysis
Instead of seeing attacks and defenses as separate topics, I now think of them as different stages of the same security workflow.
One of the biggest takeaways was that deploying infrastructure is only the beginning.
The real learning starts when you understand how attackers abuse cloud services, how defenders detect those actions, and how to prevent them from happening again.
What's Next?
As I continue expanding the lab, I plan to add:
- More CloudGoat attack scenarios
- Additional AWS services
- Stronger detection engineering content
- More Terraform guardrails
- Automated validation of detections
- More AI-assisted workflows while keeping humans in control of every security decision
The goal isn't just to build another AWS lab.
It's to build a repeatable cloud security learning environment that covers the entire attack and defense lifecycle.
If you're learning cloud security, I highly recommend building a home lab that lets you deploy, attack, detect, investigate, and remediate. Seeing the full lifecycle has been one of the most valuable learning experiences of my vacation.