Cloud security

Working with CloudGoat: The “vulnerable by design” AWS environment

December 7, 2020 by Mosimilolu Odusanya

Introduction

Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, security and privacy concerns. One of these risks are misconfigured cloud environments.

What is CloudGoat?

CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources. It is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.

Each scenario is designed in a Capture the Flag (CTF) style where AWS resources are deployed to an existing environment. In each scenario, you’ll need to explore the AWS environment and its resources, demonstrate understanding of the issue by exploiting the vulnerabilities.

Currently, there are seven (7) scenarios which explores various attack vectors and vulnerabilities such as:

  • IAM permissions
  • Misconfigured EC2 instances, lambda functions and elastic load balancers
  • Misconfigured web applications
  • Evading detection
  • Default settings, configurations and software

The goals when exploiting the CloudGoat environment are:

  • Privilege escalation
  • Logging/monitoring evasion
  • Data and information enumeration
  • Data exfiltration
  • Persistent access

Pacu AWS

Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on AWS environments. Pacu is designed to be the Metasploit equivalent. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules. Pacu modules were designed to be used against the CloudGoat environment.

Set up CloudGoat

CloudGoat uses a deployment script via Terraform to launch and destroy the resources into an existing AWS environment automatically. I recommend creating a new AWS account (preferably free tier) just for this purpose. Deploy the environment and destroy it as soon as you are done so as to avoid unexpected charges.

Warning #1: CloudGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy CloudGoat in a production environment or alongside any environment with sensitive AWS resources or data.

Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the “destroy” command.

Docker

The easiest way to use CloudGoat is to make use of the Docker images. Assuming you have Docker installed, execute the following command:

docker run -it rhinosecuritylabs/cloudgoat:latest

From Source

Requirements

  • Linux OS (I used Kali Linux)
  • Python 3.6 or a later version
  • Terraform 0.12 or a later version
  • AWS CLI

Clone it from Rhino Security Labs Github page:

git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat

Compile

cd CloudGoat

pip3 install -r ./core/python/requirements.txt

chmod u+x cloudgoat.py

Usage

IAM user creation

In your existing AWS environment, create an IAM user with “AdministratorAccess” policy attached to it.

Note: It is best practice to use your root user (the account used to create the AWS account) to only create your first IAM user.

Save the access key ID and the secret access key, as you’ll need it to configure AWS CLI.

AWS CLI configuration

Configure the AWS environment variables for the user via AWS CLI.

On Kali Linux, run the following commands:

  1. Create configure the IAM user on AWS CLI:

aws configure –profile <insert profile name here>

Enter the access key and secret access key generated for the IAM user. You can leave the default region name and the output format as empty.

  1. To configure the configuration:

aws sts get-caller-identity –profile <insert profile name here>

CloudGoat configuration

On Kali Linux, run the following commands:

  1. Create a CloudGoat profile:

./cloudgoat.py configure profile <insert profile name here>

  1. Whitelist the IP address of your machine:

./cloudgoat.py configure whitelist –auto

Running each scenario

  1. To deploy the resources for each scenario on AWS:

./cloudgoat.py create <insert scenario name>

  1. To destroy the resources for each scenario on AWS:

./cloudgoat.py destroy <insert scenario name>

Conclusion

CloudGoat is a great learning platform which can be used to hone one’s cloud security skills. It is also great for people with all skill levels, from beginners to experts.

 

Sources

CloudGoat: The ‘Vulnerable by Design’ AWS Environment, Rhino Security Labs

Pacu: The Open Source AWS Exploitation Framework, Rhino Security Labs

AWS account root user, AWS

Creating your first IAM admin user and group, AWS

AWS Command Line Interface, AWS

Environment variables to configure the AWS CLI, AWS

Pacu, Rhino Security Labs GitHub

CloudGoat, Rhino Security Labs GitHub

Posted: December 7, 2020

Uh-oh!

We've encountered a new and totally unexpected error.

Get instant boot camp pricing

Thank you!

A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.

Articles Author
Mosimilolu Odusanya
View Profile

Mosimilolu (or ‘Simi’) works as a full-time cybersecurity consultant, specializing in privacy and infrastructure security. Outside of work, her passions includes watching anime and TV shows and travelling.