AWS Security Workshop
In this workshop we will deploy a simple ethical hacking application that enables users to explore vunerabilites. The deployment uses AWS CloudFormation to deploy the Damn Vunerable Web Application (DVWA).
See the diagram below for a description of the core infrastrure.
In order to complete this workshop you'll need an AWS Account with access to create AWS IAM, S3, EC2, VPC, CloudTrail, GuardDuty resources. The code and instructions in this workshop assume only one student is using a given AWS account at a time. If you try sharing an account with another student, you may run into naming conflicts for certain resources. You can work around these by appending a unique suffix to the resources that fail to create due to conflicts, but the instructions do not provide details on the changes required to make this work.
Many of the resources you will launch as part of this workshop are eligible for the AWS free tier if your account is less than 12 months old. See the AWS Free Tier page for more details.
We recommend you use the latest version of Chrome to complete this workshop.
During the lab you will generate a self signed SSL certificate so need access to openssl. You can download the tool for Windows, Linux and Mac here.
The application can be launched in the following regions by clicking the launch stack icons below.
|US East (N. Virginia)|
|US East (Ohio)|
|US West (Oregon)|
|Asia Pacific (Tokyo)|
|Asia Pacific (Sydney)|
Record stack parameters
Once the stack has successfully deployed we need capture a couple of variables generated during the setup for use in the modules. From the CloudFormation click the checkbox for the stack "aws-security-workshop" and in the ribbon below select "Output". Here you will find the URL for the DVWA and the bucket name for S3. Record them both.
Use the DVWA url obtained above to access the site by entering it into your browser. Once the page returns click the "Create / Reset database" button at the bottom of the page.
Username: admin Password: password
There are four modules aligned to a common IT security lifecycle model.