Cloud Security Home Lab

Pick the right environment for your goal

Different goals deserve different environments. Don't overspend on a real cloud account if a local one teaches the same thing.

• Want to learn IAM, services, and the cloud console at depth. You need a real account in your chosen cloud. Use the free tier with the guardrails below.
• Want to practice CTFs (CloudGoat, IAM Vulnerable, etc.). Real account. The CTFs deploy real resources via Terraform — that's the point.
• Want to learn AWS APIs and SDKs. LocalStack gets you 90% of the way for free.
• Want to practice Kubernetes security. Local kind / minikube / k3s. No cloud needed for the fundamentals; only spin up a managed cluster (EKS/AKS/GKE) when you specifically need cloud-IAM-to-cluster integration.
• Want to study container and image security. Local Docker. Trivy, Grype, Dockle all run against local images.
• Want to build detection content. Local SIEM (Wazuh, Elastic, Matano in a free-tier account) plus a small cloud account generating real CloudTrail.
• Want to learn IaC scanning. Local. Checkov, KICS, Terrascan, tfsec all scan files — no deploy required.

Cost guardrails (do this first, before deploying anything)

Set these up the day you create the account. Don't wait until you "need" them — by then it's too late.

1. Use a separate billing email and a low-limit prepaid card if possible

Some banks issue virtual cards with a hard monthly cap (privacy.com, Revolut disposable cards, Capital One virtual cards). $50 cap on the card is a hard backstop the cloud provider can't override.

2. Enable MFA on the root account immediately

Hardware key or TOTP, not SMS. Store the recovery codes in a password manager. The root account is your billing identity — protect it accordingly.

3. Set three budget alerts: $1, $5, and your monthly cap

• AWS: AWS Budgets → Cost budget. Set monthly amount, alert at 80% actual and 100% forecasted, send to your email.
• Azure: Cost Management → Budgets. Same pattern.
• GCP: Billing → Budgets & alerts. Same pattern.

The $1 alert is a smoke detector — anything billable triggers it and you learn fast what costs money.

4. Add a CloudWatch / Azure Monitor / Cloud Monitoring billing alarm

Backup to the budget alert. Different code path; if one misfires the other catches it.

5. Restrict regions to one

You don't need workloads in 17 regions. AWS SCP / Azure Policy / GCP Org Policy can restrict to a single region. Forgotten resources in unused regions are a classic billing-surprise pattern.

6. Use SCPs / Azure Policy / Org Policy to deny expensive instance types

Deny anything bigger than t3.medium / B2s / e2-medium. You don't need a p4d for learning. This is also good practice — production environments use these guardrails too.

7. Set up auto-shutdown for compute

• AWS: Instance Scheduler (CDK template available), or a Lambda + EventBridge rule that stops untagged instances nightly.
• Azure: built-in auto-shutdown on VMs (Resource → Operations → Auto-shutdown).
• GCP: Cloud Scheduler + Cloud Functions to stop instances nightly.

8. Tag everything you create with a "lab" tag

So a single nightly cleanup job can find and stop / delete anything you forgot. Owner=lab is enough.

9. Enable Cost Anomaly Detection (AWS) / equivalent

It catches "your bill suddenly jumped 10x" before the monthly billing cycle ends. Free, opt-in, instant value.

AWS lab setup

AWS has the deepest learning material and the most CTFs target it. The free tier gets you 12 months of useful practice with the right guardrails.

Free-tier highlights worth knowing

• EC2 t2.micro / t3.micro: 750 hours/month for 12 months. Enough to keep one VM running 24/7.
• S3: 5 GB standard storage, 20K GET, 2K PUT requests/month. Plenty for learning.
• Lambda: 1M requests + 400K GB-seconds always free. You'll never bust this learning.
• CloudWatch logs: 5 GB ingest, 5 GB storage. Watch this — verbose CloudTrail can blow past it.
• GuardDuty: 30-day free trial. After that, ~$1-3/month for a quiet lab account. Worth keeping on.
• Always free: DynamoDB 25 GB, SNS 1M publishes, CloudTrail (one trail of management events).

30-minute starter setup

1. Create the account with a separate email.
2. Enable MFA on root, then never sign in as root again. Lock the credentials in a password manager.
3. Create an admin user in IAM Identity Center (or a regular IAM user if you don't want SSO yet). MFA on it too.
4. Set the three budget alerts ($1 / $5 / monthly cap).
5. Enable Cost Anomaly Detection.
6. Enable CloudTrail with a single trail to S3.
7. Turn on GuardDuty (free trial; you'll see findings from your own lab activity).
8. Enable IAM Access Analyzer.
9. Block public access on S3 at the account level.
10. Restrict to one region via your IAM policy.

Things to watch for in the bill

The classic surprise-bill culprits: NAT Gateway (~$33/month minimum), forgotten RDS instances (~$15+/month), public IPv4 addresses ($3.65/month each since 2024), unattached EBS volumes, abandoned ElastiCache clusters. Tear down any of these as soon as you're done with them.

Azure lab setup

Strongest cloud for identity-focused learning (Entra ID is the heart of most enterprise environments). The free account gives $200 credit for 30 days plus permanently-free services.

Free-tier highlights

• $200 credit, 30 days. Plenty for a learning sprint.
• B1S Linux VM: 750 hours/month for 12 months.
• Blob storage: 5 GB LRS for 12 months.
• Always free: Functions 1M requests, App Service 10 web apps, Cosmos DB 25 GB, Application Gateway free tier (limited), Microsoft Defender for Cloud free tier (foundational CSPM).
• Entra ID: free tier includes 50K stored objects and basic identity features. Plenty for IAM learning.

30-minute starter setup

1. Create the account, set up MFA on the global admin from minute one.
2. Create a separate non-admin user for daily work. Use Privileged Identity Management (PIM) to elevate when needed.
3. Set budget in Cost Management → Budgets. $0 is allowed; alert at any threshold.
4. Enable Microsoft Defender for Cloud (free tier covers CSPM basics).
5. Enable Diagnostic Settings on the subscription to ship Activity Log to a Log Analytics workspace.
6. Restrict resource creation to one region via Azure Policy.
7. Use the built-in VM auto-shutdown when creating any compute.

Watch the bill for

Standard Load Balancer (~$18/month), unused public IPs, Log Analytics ingestion (verbose Activity logs add up fast), forgotten Azure Kubernetes Service clusters, Application Gateway above the free tier.

GCP lab setup

Best "always free" tier of the three. Strong for Kubernetes (GKE Autopilot) and data security learning.

Free-tier highlights

• $300 credit, 90 days.
• e2-micro VM: 1 instance always free in select US regions.
• Cloud Storage: 5 GB-month always free.
• Cloud Functions: 2M invocations always free.
• BigQuery: 1 TB queries + 10 GB storage always free.
• Security Command Center Standard: included free.

30-minute starter setup

1. Create a GCP account; set up MFA on the owner identity.
2. Create a separate IAM principal for daily work; assign minimum-needed roles.
3. Create a billing account with a budget and alert thresholds ($1, $20, monthly cap).
4. Create a separate project for each learning topic. Easy to delete and start over.
5. Enable Security Command Center Standard on the org.
6. Enable Cloud Audit Logs (admin activity is enabled by default; consider data access logs for selected services).
7. Use Org Policy to restrict resource locations to one region.
8. Set up the budget alerts to also trigger Pub/Sub → Cloud Function for hard cap actions if you want belt-and-suspenders.

Watch the bill for

GKE control plane (free for one zonal cluster, billable beyond), Cloud SQL instances, persistent disks attached to deleted VMs, Cloud NAT, external IPs.

Kubernetes lab options

You can learn 90% of Kubernetes security locally for free. Only pay for managed clusters when you need cloud-IAM-to-cluster integration.

• kind: Kubernetes in Docker. Multi-node clusters in seconds. Great for testing network policies, admission controllers, RBAC.
• minikube: Single-node local cluster. Slightly more polished UX than kind.
• k3s: Production-grade lightweight distro; runs on a Raspberry Pi.
• Managed clusters when you need them: GKE Autopilot is cheapest for short bursts, EKS auto-mode and AKS both bill the control plane (~$0.10/hour for EKS; AKS free tier exists for one cluster). Always: spin up, learn, tear down same day.

For Kubernetes security CTFs (Kubernetes Goat, kube-bench, etc.), local kind or minikube is enough. Move to managed only when the lab specifically requires it.

Local-only options (no credit card needed)

If putting a credit card on a cloud account is a non-starter, you can still build serious skills locally. You won't get authentic IAM experience, but you'll cover most of the rest.

• LocalStack: emulates 80+ AWS services locally. Free Community edition covers most of what you need to practice the AWS API and SDKs. Pro edition adds more services.
• Azurite: Microsoft's local emulator for Azure Storage. Limited surface but good for storage learning.
• Local Kubernetes: kind / minikube / k3s as above.
• Vulnerable-by-design web apps: DVWA, Juice Shop, WebGoat. Run in Docker locally for AppSec practice.
• IaC scanning: Checkov, KICS, Terrascan, tfsec all run on your laptop against any Terraform / CloudFormation / ARM / Bicep file. The CTF here is "find the issues in this real production-shaped repo."
• Container security: Trivy, Grype, Dockle, Hadolint, Syft. All local-only. Pull a popular image and audit it.
• Local SIEM lab: Sigma rules + Mordor/Security Datasets + Wazuh or local Elastic stack. Practice writing detections on real attack telemetry without ever leaving your laptop.
• Browser-based CTFs: flaws.cloud and flaws2.cloud require no account at all — entirely browser-based AWS challenges.

The 10 most expensive things to leave running by accident

The classic four-figure-bill horror stories almost all involve one of these. Tag them aggressively, set alarms, tear them down at end of session.

1. NAT Gateway (AWS) — ~$33/month just to exist, plus data transfer. Number one surprise-bill cause.
2. Application Load Balancer / Standard Load Balancer — $16-22/month each.
3. RDS / Cloud SQL / Azure SQL Database — even t3.micro RDS is ~$15/month; bigger sizes go fast.
4. EKS / AKS / GKE control plane — varies, but easy to forget. Tear down when not in use.
5. Public IPv4 addresses (AWS) — $3.65/month each since 2024. Add up if you spin up many things.
6. Unattached EBS / disk volumes — they keep billing after you terminate the VM.
7. Snapshots and AMIs — cheap individually, expensive in aggregate over time.
8. VPN / ExpressRoute / Cloud Interconnect — billed by the hour, easy to forget.
9. Sagemaker / Vertex AI / Azure ML notebooks — GPU-backed instances are hundreds of dollars per day.
10. S3 / Blob / GCS in the wrong storage class — usually small, occasionally terrible (Glacier early-deletion fees, frequent reads on archive class).

Lab tooling to install once

The standard kit. Install these on day one and you'll use them in every learning session.

• Cloud CLIs: aws, az, gcloud. Configure with named profiles for each account.
• IaC: Terraform (or OpenTofu) and at least one provider's IaC (CDK, Bicep, Pulumi).
• Posture scanning: Prowler (multi-cloud), ScoutSuite (multi-cloud), Steampipe (SQL across cloud APIs).
• IaC scanning: Checkov, KICS, Trivy (config mode).
• Offensive (lab use only): Pacu (AWS), ROADtools (Entra), Stratus Red Team (multi-cloud purple-team).
• Container security: Trivy, Grype, Dockle.
• K8s: kubectl, kind/minikube, kubectl-neat, kube-bench, kubescape.
• Secret scanning: gitleaks, trufflehog. Run as pre-commit hooks in your lab repos.

What to actually do in your lab

A lab without exercises is a hobby. Pick from these in roughly the order they appear:

1. Build a misconfiguration on purpose, then find it with Prowler. Public S3 bucket, overprivileged IAM role, security group open to 0.0.0.0/0. Watch the tooling catch it.
2. Walk every CloudGoat scenario. Publish your kill chain.
3. Do flaws.cloud and flaws2.cloud end-to-end. Free, browser-only, foundational.
4. Build a multi-account AWS Organization with SCPs. Even with one user, this is real production-shape work.
5. Wire CloudTrail / Activity Log / Audit Logs into a SIEM you control. Generate events and write detections for them.
6. Run Stratus Red Team against your account. Confirm GuardDuty / Defender / SCC catches the techniques. Build detections for what they don't.
7. Recreate a real breach. Pick one from the breach kill chains. Build the vulnerable setup, exploit it end-to-end, then build the controls and detections that close it.

For more, see the full cloud security CTF directory.

Common mistakes

• Skipping the budget alerts because "I'll only spend a few dollars." Famous last words. Set them on day one.
• Using the root account for daily work. Even in a lab. Build the habit now.
• Spinning up a managed Kubernetes cluster to learn pod security. kind on your laptop teaches the same lesson, costs nothing.
• Not tearing down at end of session. The bill comes from forgotten resources, not active learning. Build the terraform destroy reflex.
• Trying to learn three clouds simultaneously in one lab. Pick one. Add the others after you're competent in the first.
• Treating GuardDuty findings as garbage to ignore. Every finding is a learning opportunity — a real attack pattern in a controlled environment. Read each one.
• Storing real credentials in lab repos. Even labs leak. Use a separate IAM user, scope its permissions tightly, never commit a key.