April 11, 2026

AWS Cloud Ransomware Lab

AWS Cloud Ransomware Lab — multi-stage attack simulation based on the Codefinger SSE-C incident.

🛠️ Overview

AWS Cloud Ransomware Lab is modeled on the Codefinger S3 SSE-C ransomware attack observed in January 2025. The goal is not to simulate a CTF challenge but to replicate the decision-making process of a real engagement: enumerating what you have access to, understanding the detection landscape before acting, identifying gaps in the monitoring logic, and defeating layered defenses to reach the final objective.

You start with a website URL. Credentials, infrastructure map, detection rules, and the path to the data, all of it is discovered through enumeration.

🔗 GitHub Repository

View the full project on GitHub

🔍 Key Objectives

  • Simulate a real-world cloud intrusion chain from initial recon to data exfiltration
  • Demonstrate how leaked Terraform state exposes an entire AWS infrastructure
  • Practice IAM permission boundary analysis and Lambda source code review
  • Understand how EventBridge-based detection systems work and where they fail
  • Develop detection evasion technique selection based on what monitoring reveals

🔐 Lab Highlights

  • Leaked Terraform state on the website contains IAM credentials and a full infrastructure map
  • 4 EventBridge detection rules monitor for CloudTrail tampering, SSE-C activity, S3 config changes, and Lambda modification
  • Detection rules are readable: events:ListRules reveals what is monitored, and events:PutRule is unprotected
  • Active lockout system: getting caught applies a deny-all policy and re-arms every defense on release
  • Flag-gated final stage: a Lambda polls every 2 minutes and only unlocks the backups bucket when all defenses are simultaneously defeated
  • Permission boundary enforced: no EC2, no IAM escalation, no region escape
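As an added example (not code from the lab repository or its Terraform), the matching logic below evaluates constructed CloudTrail records against EventBridge-style patterns for the four event classes the lab monitors, and adds a fifth pattern for changes to the detection rules themselves, which is the gap the highlights describe. The rule names and the additionalEventData.SSEApplied field path are assumptions to verify against your own trail; the Lambda event names follow CloudTrail's API-version-suffixed naming.

```python
# Added example, not the lab's code: EventBridge-style matching of CloudTrail records
# against the lab's four classes plus a fifth pattern closing its events:PutRule gap.
# A pattern key is a dotted path into the record; the record matches when every key
# is present and its value is one of the listed alternatives (EventBridge semantics).
RULES = {
    "cloudtrail-tampering": {"eventSource": ["cloudtrail.amazonaws.com"],
                             "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail"]},
    "sse-c-activity": {"eventSource": ["s3.amazonaws.com"],
                       "eventName": ["PutObject", "CopyObject"],
                       "additionalEventData.SSEApplied": ["SSE_C"]},
    "s3-config-change": {"eventSource": ["s3.amazonaws.com"],
                         "eventName": ["PutBucketVersioning", "PutBucketLifecycle"]},
    "lambda-modification": {"eventSource": ["lambda.amazonaws.com"],
                            "eventName": ["UpdateFunctionCode20150331v2",
                                          "UpdateFunctionConfiguration20150331v2"]},
    # Not one of the lab's four: fires on changes to the detection rules themselves.
    "eventbridge-tampering": {"eventSource": ["events.amazonaws.com"],
                              "eventName": ["PutRule", "DeleteRule", "DisableRule",
                                            "RemoveTargets"]},
}

def _lookup(record, path):
    """Follow a dotted path into a nested dict; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record

def evaluate(record, rules=RULES):
    """Sorted names of every rule whose pattern matches one CloudTrail record."""
    return sorted(name for name, pattern in rules.items()
                  if all(_lookup(record, k) in v for k, v in pattern.items()))

def coverage_gap(records, rules=RULES):
    """eventNames of the records that no rule fires on, i.e. the blind spots."""
    return [r["eventName"] for r in records if not evaluate(r, rules)]

# Constructed records in lab order: a PutRule that disables a detection rule, then
# CloudTrail tampering, then an SSE-C write; the final SSE-S3 write is benign.
SAMPLE_EVENTS = [
    {"eventSource": "events.amazonaws.com", "eventName": "PutRule",
     "requestParameters": {"name": "sse-c-activity", "state": "DISABLED"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
]
```

Running coverage_gap over SAMPLE_EVENTS with only the lab's four rules leaves the initial PutRule unseen, which is exactly the blind spot the attack chain relies on; with the fifth pattern present, only the benign SSE-S3 write goes unflagged.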

🧰 Tools & Technologies

  • AWS (IAM, S3, Lambda, EventBridge, CloudTrail, DynamoDB)
  • Terraform
  • Python
  • AWS CLI v2
  • Pacu, AWS exploitation framework

🔗 Attack Chain

  1. Website recon: Enumerate the static site to find the leaked Terraform state file
  2. Credential extraction: Parse the state file for IAM access key and infrastructure map
  3. IAM analysis: Enumerate permissions and understand the permission boundary ceiling
  4. Lambda enumeration: List functions, read environment variables, download and analyse source code
  5. Detection reconnaissance: Enumerate EventBridge rules to map what is monitored and identify the gap
  6. Defense evasion: Exploit the unprotected permission to neutralise all detection rules before acting
  7. Defense disablement: Stop CloudTrail and disable S3 versioning without triggering a lockout
  8. Data exfiltration: Access the restricted backups bucket once the flag-checker Lambda unlocks it
  9. Data encryption: Encrypt the data with an SSE-C key

⚠️ Disclaimer

This lab was created for educational and offensive security training purposes only. All resources deploy into your own AWS account in a sandboxed environment. Never deploy against systems you do not own or have explicit written permission to test. Always run terraform destroy when done.