AWS PenTesting Lab With Kali Linux

AWS Pentesting
AWS Pentesting

AWS Pentesting lab with a Kali Linux instance accessible via SSH and Wireguard VPN and with vulnerable instances in a private subnet.

PenTesting laboratory deployed as IaC with Terraform on AWS.


  • Ids only defined for region “eu-west-1”
  • For other regions, kali ami id must be specified and metasploitable3 id (after building it)


  • [2021-06-02] AMI IDs changed to use Kali 2021.2
  • [2021-03-10] Use new Kali version 2021.1


Kali 2021.2 instance (private key is saved into kali.pem)

  • Wireguard VPN service: client file client_vpn.wg
  • Accessible via ssh/scp
  • Public Subnet

Vulnerable machine “Metasploitable” (ami build is public)

  • Private subnet

More vulnerable labs/machines/docker (to-be-done)

Features added

  • User management
  • Automatically create non privileged users in kali instance with rsa
  • Wireguard VPN client file per user
  • Command line audit logging in syslog
  • auditd enabled with sudo_log and users_log keys for auditing user actions (see also ausearch command)
  • ToDO: Forward terminal audit to CloudWatch or an S3 Bucket with write once policy



  • Terraform CLI install guide
  • AWS CLI install guide
  • $PATH configured for AWS CLI & Terraform
  • AWS account and configure credentials via aws cli: aws configure
  • Kali Linux Subscription in AWS Marketplace (version 2020.04)
  • Metasploitable3 AMI image previously built (public AMI available for eu-west-1 region) see


Enable/disable vulnerable instances to be deployed setting 0 or 1 in

variable "deploment-control" {
type = map
default = {
#"instance" = 0 or 1, to disable or enable
"metasploitable3" = 1
"dvca" = 0
description = "Control which EC2 instances are deployed, 0 for none or 1"

2. Use terraform for deploy infrastructure

  • terraform init
  • terraform plan
  • terraform apply -auto-approve


Terraform outputs will show following entries:

  • ssh connection command for kali user (root via sudo)
  • wireguard client file for kali user will be automatically retrieved from kali server
  • scp command to retrieve wireguard client file (just in case defined terraform local-exec command fails)
  • For each of the normal users created in Kali instance
  • Private key file for ssh connection
  • Wireguard client file for VPN connectivity


Either connect to Kali via ssh or wireguard:

  • SSH: (Only command line) Use autogenerated private key (see terraform output)
KALI_IP= # configure kali public ip ssh -i kali.pem -o StrictHostKeyChecking=no -o IdentitiesOnly=yes [email protected]${KALI_IP} 
  • Wireguard: Connect your local kali instance via wireguard (see client_vpn.wg generated file)
KALI_IP= # configure kali public ip
scp -i kali.pem -o StrictHostKeyChecking=no IdentitiesOnly=yes [email protected]${KALI_IP}:/home/kali/client_vpn.wg .


(local_kali)$ sudo apt-get install –y wireguard
(local_kali)$ sudo gedit /etc/wireguard/wg0.conf # copy contents of client_vpn.wg
(local_kali)$ sudo chmod 700 /etc/wireguard/wg0.conf
(local_kali)$ sudo wg-quick up wg0
(local_kali)$ ping # test connectivity with kali instance in AWS


terraform destroy -auto-approve


Download AWS Pentesting Labs

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel

Related Posts