# CloudGoat — Scenario-Based Cloud Lab

> **Intro:** CloudGoat is one of the best labs for people who learn cloud security through **small, isolated scenarios** instead of one large environment. It is especially good for IAM, metadata, bucket, Lambda, and service-to-service abuse reasoning.
>
> **What this page includes**
>
> * why CloudGoat is different from AWSGoat;
> * how to install it with the CLI or Docker image;
> * how to choose scenarios for learning goals;
> * how to turn scenario work into review and detection practice.

## What it is

CloudGoat is a “vulnerable by design” cloud deployment tool that creates scenario-based labs. Each scenario is a focused learning environment with a clear objective. That modular design makes it excellent for repeated practice.

Compared with AWSGoat:

* **AWSGoat** feels more like a vulnerable product environment;
* **CloudGoat** feels more like a cloud security scenario engine.

## Why it is valuable

CloudGoat is very strong when you want to practice:

* IAM privilege escalation;
* secrets exposure and misuse;
* metadata and instance-profile abuse;
* service misconfiguration chains;
* structured cloud enumeration without building a giant environment yourself.

## Best fit

| Persona                   | Fit       | Why                                                               |
| ------------------------- | --------- | ----------------------------------------------------------------- |
| Cloud Security engineer   | Very high | Scenario variety makes repetition easy                            |
| Product Security engineer | High      | Good for attack-path thinking and control design                  |
| AppSec engineer           | Medium    | Best when you want to understand cloud amplification of app flaws |
| Newcomer                  | Medium    | Good after one simpler lab                                        |

## Run model

CloudGoat is usually operated from a **local VM or workstation**, while the actual vulnerable resources are created in the cloud account.

Useful modes:

* **CLI mode** via `pipx`;
* **Docker image** mode if you want a more contained control environment.

## Prerequisites

* disposable AWS account or sandbox subscription/project for the chosen scenario platform;
* Terraform available;
* cloud CLI configured;
* Python and `pipx` if you want the native CLI flow;
* discipline around teardown.

## Quick start — native CLI

```bash
pipx install cloudgoat
cloudgoat config aws
cloudgoat list aws
cloudgoat create iam_enum_basics
```

This is a good starting pattern because it shows the available scenarios before deployment.

## Quick start — Docker image

```bash
docker run -it rhinosecuritylabs/cloudgoat:latest
```

If you decide to mount your local AWS configuration into the container, do it only in an isolated training environment and treat the container as trusted for the duration of the session.

## Example scenario flow

A simple pattern for a first week of study:

### Scenario 1 — IAM enumeration

* create a beginner IAM scenario;
* learn to identify policies, groups, assumable roles, and permission boundaries;
* write one-page notes about what granted the escalation path.
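The first step of that list, identifying what the starting identity is actually allowed to do, is easier when the policy review is mechanical. The following is an added example for this page (not CloudGoat's own tooling): it normalises an IAM policy document, skips Deny statements, and flags wildcard grants and any Allow on a permission-changing action, recording the statement index so the finding can go straight into the one-page notes. The policy is constructed for illustration, and the set of permission-changing actions is an assumed starting list, not an exhaustive catalogue.

```python
"""Inventory an IAM policy document and flag statements worth a closer look.

Added example for this page, not CloudGoat's own code. The policy below is
constructed; PERMISSION_CHANGING_ACTIONS is an assumed list meant to be
extended, not a complete catalogue.
"""
import fnmatch
import json

# Actions that let an identity change its own or another identity's
# permissions. Any Allow on these deserves a hardening note. (Assumed list.)
PERMISSION_CHANGING_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy", "iam:AddUserToGroup",
    "sts:AssumeRole",
}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return findings (dicts) for the Allow statements in `policy`.

    Each finding carries the statement index, the concrete action, and a
    short reason, so it can be pasted into the scenario notes as-is.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditions = stmt.get("Condition") or {}
        for pattern in actions:
            # Wildcard grants ('*' or 'service:*') give far more than a lab needs.
            if pattern == "*" or pattern.endswith(":*"):
                findings.append({"statement": idx, "action": pattern,
                                 "reason": "wildcard action"})
                continue
            # Glob match so that e.g. 'iam:Put*' still flags iam:PutUserPolicy.
            hits = sorted(a for a in PERMISSION_CHANGING_ACTIONS
                          if fnmatch.fnmatchcase(a, pattern))
            for hit in hits:
                reason = "permission-changing action"
                if "*" in resources:
                    reason += " on any resource"
                if not conditions:
                    reason += ", no Condition"
                findings.append({"statement": idx, "action": hit,
                                 "reason": reason})
    return findings


# Constructed sample: the kind of policy a low-privilege lab user might carry.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
     "Resource": "arn:aws:iam::123456789012:policy/lab-user-policy"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY):
        print(f"statement {f['statement']}: {f['action']} ({f['reason']})")
```

Run it against the policies attached to the scenario's starting user (`aws iam get-policy-version` output works directly once you pull out the `Document` field); the read-only `iam:Get*`/`iam:List*` statement produces no finding, while the `CreatePolicyVersion` grant and the `s3:*` wildcard both do.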

### Scenario 2 — metadata and workload trust

* choose a scenario with instance profile or metadata exposure;
* document how a web issue or exposed access path becomes cloud privilege.

### Scenario 3 — service pivoting

* choose a scenario that moves across services, such as Lambda, S3, SNS, or EC2;
* identify the earliest place where prevention would have been cheaper than detection.

## How to study CloudGoat well

Do **not** rush to “solve” the scenario first.

Instead:

1. inventory the starting identity and resources;
2. predict the likely privilege path before you touch anything;
3. verify the path;
4. write the hardening and detection notes.

That habit is what makes the lab useful for Product Security.
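Step 4, the detection notes, is worth turning into something that runs. The block below is an added example for this page, not CloudGoat's or AWS's code: two rules applied to CloudTrail-style records, one for permission-changing IAM calls by the scenario's starting user, one for an EC2 instance-profile role session calling from an address the instance is not expected to use (the trace left when metadata-service credentials are used off the box, which is what Scenario 2 above exercises). Field names follow the CloudTrail record format; the records themselves and the `EXPECTED_INSTANCE_IPS` allowlist are constructed, and the event-name list is an assumed starting point.

```python
"""Run two detection rules over CloudTrail-style records from a scenario.

Added example for this page, not CloudGoat's own code. The records are
constructed to resemble CloudTrail JSON (field names are CloudTrail's, the
values are invented). EXPECTED_INSTANCE_IPS is an assumed allowlist you would
fill from the scenario's own EC2 inventory.
"""
import json

# IAM API calls that change who can do what. Seeing one from a low-privilege
# lab user marks the moment the escalation path was used. (Assumed list.)
PERMISSION_CHANGE_EVENTS = {
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "CreateAccessKey",
    "CreateLoginProfile", "UpdateAssumeRolePolicy", "AddUserToGroup",
}

# Source addresses the scenario's EC2 instance is expected to call from (assumed).
EXPECTED_INSTANCE_IPS = {"203.0.113.10"}


def is_instance_profile_session(record):
    """True if the caller is an EC2 instance-profile role session.

    CloudTrail sets sessionContext.ec2RoleDelivery for these; as a fallback,
    the role session name is the instance ID.
    """
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    if "ec2RoleDelivery" in ident.get("sessionContext", {}):
        return True
    return ident.get("arn", "").rsplit("/", 1)[-1].startswith("i-")


def detect(records):
    """Return alert dicts for both rules, in record order."""
    alerts = []
    for r in records:
        name = r.get("eventName")
        ident = r.get("userIdentity", {})
        src = r.get("sourceIPAddress", "")
        if (r.get("eventSource") == "iam.amazonaws.com"
                and name in PERMISSION_CHANGE_EVENTS):
            alerts.append({"rule": "iam-permission-change", "event": name,
                           "actor": ident.get("arn"), "time": r.get("eventTime")})
        # Instance-profile credentials used from somewhere the instance is not:
        # the sign that credentials obtained via the metadata service left the box.
        if is_instance_profile_session(r) and src not in EXPECTED_INSTANCE_IPS:
            alerts.append({"rule": "instance-role-offbox", "event": name,
                           "actor": ident.get("arn"), "source": src,
                           "time": r.get("eventTime")})
    return alerts


# Constructed records (not real CloudTrail output).
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2026-01-10T09:00:01Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListAttachedUserPolicies", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::123456789012:user/lab-user"}},
 {"eventTime": "2026-01-10T09:02:15Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreatePolicyVersion", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
                   "arn": "arn:aws:iam::123456789012:user/lab-user"}},
 {"eventTime": "2026-01-10T09:05:40Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/lab-ec2-role/i-0abc123def456",
    "sessionContext": {"ec2RoleDelivery": "2.0"}}},
 {"eventTime": "2026-01-10T09:09:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/lab-ec2-role/i-0abc123def456",
    "sessionContext": {"ec2RoleDelivery": "2.0"}}}
]
""")

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The read-only `ListAttachedUserPolicies` call and the on-box `ListBuckets` call produce nothing; `CreatePolicyVersion` by `lab-user` and the `GetObject` made with the instance role from the workstation address each raise one alert. Feed it the scenario's own trail (`aws cloudtrail lookup-events` output, or the records from the trail's S3 bucket) to see which of your notes' proposed detections would actually have fired.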

## Good pairings with the rest of the KB

After each scenario, answer these questions:

* which [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md) principle failed?
* which [AWS Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/aws-cloud-attack-chains.md) pattern did this resemble?
* which [High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md) would have helped?
* which [Threat Modeling Methods and Workflows](/application-security-and-secure-sdlc/index/threat-modeling-methods-and-workflows.md) question would have surfaced the risk earlier?

## Common mistakes

* choosing a very large scenario too early;
* skipping the architecture note-taking step;
* forgetting that CloudGoat can manage only the resources it created;
* leaving scenario resources alive after the exercise.

## Cleanup

```bash
cloudgoat destroy iam_enum_basics
```

Also verify manually whether you created anything extra during the scenario that CloudGoat does not manage.
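That manual check can be made repeatable by snapshotting the account before `cloudgoat create` and again after `cloudgoat destroy`, then diffing. The following is an added example for this page, not CloudGoat's own code; it assumes the snapshots are the JSON printed by `aws resourcegroupstaggingapi get-resources --output json`, and the two snapshots embedded below are constructed. One caveat to keep in the notes: that API returns only resources that are tagged or were previously tagged, so an empty leftover list does not prove that nothing untagged survived.

```python
"""Diff resource inventories taken before `cloudgoat create` and after
`cloudgoat destroy`, and report anything still present.

Added example for this page, not CloudGoat's own code. Snapshots are assumed
to be the body printed by `aws resourcegroupstaggingapi get-resources
--output json`; BEFORE and AFTER below are constructed. The API only lists
tagged (or previously tagged) resources, so this is a partial check.
"""
import json
import subprocess


def snapshot_arns(snapshot_json):
    """Map ARN -> {tag key: value} from a get-resources response body."""
    data = json.loads(snapshot_json)
    arns = {}
    for item in data.get("ResourceTagMappingList", []):
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        arns[item["ResourceARN"]] = tags
    return arns


def leftovers(before_json, after_json):
    """ARNs present after teardown that did not exist before the scenario.

    Returns a sorted list of (arn, tags) pairs; anything here was created
    during the session and was not removed by `cloudgoat destroy`.
    """
    before = snapshot_arns(before_json)
    after = snapshot_arns(after_json)
    return sorted((arn, tags) for arn, tags in after.items() if arn not in before)


def take_snapshot(region, profile=None):
    """Capture a live snapshot with the real CLI (not exercised offline)."""
    cmd = ["aws", "resourcegroupstaggingapi", "get-resources",
           "--region", region, "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed snapshots: one pre-existing bucket; after the scenario, two
# hand-made resources that `cloudgoat destroy` knows nothing about.
BEFORE = json.dumps({"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::lab-notes-bucket",
     "Tags": [{"Key": "Owner", "Value": "me"}]},
]})
AFTER = json.dumps({"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:s3:::lab-notes-bucket",
     "Tags": [{"Key": "Owner", "Value": "me"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0deadbeef",
     "Tags": [{"Key": "Name", "Value": "manual-test-box"}]},
    {"ResourceARN": "arn:aws:lambda:us-east-1:123456789012:function:scratch-fn",
     "Tags": [{"Key": "Name", "Value": "scratch-fn"}]},
]})

if __name__ == "__main__":
    # Real use: before = take_snapshot("us-east-1"); ... ; after = take_snapshot("us-east-1")
    for arn, tags in leftovers(BEFORE, AFTER):
        print(arn, tags)
```

Save the pre-scenario snapshot to a file next to your notes; taking it per region you actually deploy into keeps the diff small, and anything it reports is a teardown task, not a CloudGoat bug.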

## Related pages

* [AWSGoat](/learning-labs-interview-and-templates/index-2/awsgoat-aws-cloud-lab.md)
* [AWS Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/aws-cloud-attack-chains.md)
* [Cloud Change Review Checklist](/learning-labs-interview-and-templates/index-3/cloud-change-review-checklist.md)

## References

* Official project: <https://github.com/RhinoSecurityLabs/cloudgoat>
* Scenario documentation in the official repository

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
