How to set up a pentesting lab in Amazon Web Services?

Question

How can I add vulnerable VMs in AWS instance of Kali? Do I need to install VMware or Virtualbox on top of the Kali instance in the cloud and then install the vulnerable VMs or is there any other approach?

Answer 1

First, a word of caution: AWS requires that you inform them of any security related test you plan on running to their infrastructure [link].

Second, Kali is not a vulnerable operating system, it is an operating system that comes with pre-installed tools so you can perform security tests on other machines.

And third, an AWS EC2 is already a virtual machine, yes you can install virtualbox in an EC2 but there is hardly ever a need for that.

Now, the type of EC2 machine you need depends on the type of test you want to run, for example if you want to probe a vulnerable web server you can run an EC2 with Ubuntu and install Webgoat or any other intentionally vulnerable web server. If you want to probe the actual server then you need to install the specific version of the operating system that you're targeting.

If you want to run both the attacker and the victim inside AWS then I suggest you create 2 separate EC2 instances, in my opinion its a bit odd to install a virtualization manager inside a virtualized machine

Related question: "Securely building a local pentest lab in a VM"

Update:
Vulnhub gives you an ISO/VMWare/Virtualbox image, you can convert this image to an AWS AMI image and create an EC2 with your custom AMI, I found this tutorial on how to do it.