This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Cloud Security Mentor

Jump to: navigation, search
OWASP Project Header.jpg


With the rise of cloud computing, a lot of companies have moved their workload to the cloud. Cloud allows organizations of all sizes to manage their application lifecycle more effectively and efficiently. Because of its design, Cloud has its own set of unique security challenges. There is already an abundance of documentation and open source projects to raise awareness about cloud-specific security issues. Sometimes, consuming this information may feel like drinking from a firehose. This project aims to teach the cloud security fundamentals in a consolidated and actionable manner. The primary goal of the project is to empower cloud defenders with practical cloud security knowledge. This project provides hands-on cloud security tutorials that the audience can conveniently consume in their public cloud accounts to learn at their own pace. The target audience for this project are system administrators, software developers, and solutions architects.


The project would deliver a code repository which would describe various cloud hardening principles. The repository would also contain an application utility to demonstrate common cloud vulnerabilities and with the recommended fixes. At a high-level, the project would be divided into multiple Cloud resources such as Storage, Compute, etc. Inside these folders, there will be subfolders describing various vulnerabilities applicable to the cloud resource. Inside these subfolders, we will have one folder for each public cloud provider to demonstrate the vulnerability as well as the recommended security fix.

The audience would follow these steps to learn about a cloud vulnerability:

  1. Go to the directory for the vulnerability
  2. Go through the content to learn about the vulnerability and hardening recommendations.
  3. Choose a public cloud service provider from the directory.
  4. Run the vulnerable cloud deployment template to deploy a vulnerable cloud resource
  5. Use the utility to exploit the vulnerability.
  6. Deploy the hardened cloud deployment template to fix the vulnerability.
  7. Rerun the exploit code, this time it would fail.


Apache License 2.0


2019 Q1 & Q2:

  • Seek input on the project proposal from other members of the community
  • Come up with the design and architecture for the technological framework that would be used for authoring cloud security tutorials

2019 Q3:

  • Choose a cloud service, a set of applicable vulnerabilities, and a public cloud service provider for the initial implementation.
  • Complete a PoC for the generic technological framework using a cloud vulnerability identified step #1.

2019 Q4:

  • Improve the framework engineering fundamentals (reliability, performance, logging, etc.) if required
  • Leverage the framework for authoring tutorials for all chosen vulnerabilities from step #1 of the 2019 Q2 plan

2020 Q1:

  • Continue with the 2019 Q4 #2 objective
  • Extend the project to cover other cloud resources under the chosen public cloud provider

Getting Involved

If you would like to contribute, then please get in touch with the project leader.

Project Resources

Installation Package

Source Code

What's New (Revision History)


Wiki Home Page

Issue Tracker

Slide Presentation


Project Leader

Ashish Kurmi

Related Projects


Project Type Files CODE.jpg
Incubator Project Owasp-breakers-small.png
Affero General Public License 3.0