Working with CloudGoat: The “vulnerable by design” AWS environment
Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, security and privacy concerns. One of these risks are misconfigured cloud environments.
What is CloudGoat?
CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources. It is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
Each scenario is designed in a Capture the Flag (CTF) style where AWS resources are deployed to an existing environment. In each scenario, you’ll need to explore the AWS environment and its resources, demonstrate understanding of the issue by exploiting the vulnerabilities.
Currently, there are seven (7) scenarios which explores various attack vectors and vulnerabilities such as:
- IAM permissions
- Misconfigured EC2 instances, lambda functions and elastic load balancers
- Misconfigured web applications
- Evading detection
- Default settings, configurations and software
The goals when exploiting the CloudGoat environment are:
- Privilege escalation
- Logging/monitoring evasion
- Data and information enumeration
- Data exfiltration
- Persistent access
Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on AWS environments. Pacu is designed to be the Metasploit equivalent. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules. Pacu modules were designed to be used against the CloudGoat environment.
Set up CloudGoat
CloudGoat uses a deployment script via Terraform to launch and destroy the resources into an existing AWS environment automatically. I recommend creating a new AWS account (preferably free tier) just for this purpose. Deploy the environment and destroy it as soon as you are done so as to avoid unexpected charges.
Warning #1: CloudGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy CloudGoat in a production environment or alongside any environment with sensitive AWS resources or data.
Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the “destroy” command.
The easiest way to use CloudGoat is to make use of the Docker images. Assuming you have Docker installed, execute the following command:
docker run -it rhinosecuritylabs/cloudgoat:latest
- Linux OS (I used Kali Linux)
- Python 3.6 or a later version
- Terraform 0.12 or a later version
- AWS CLI
Clone it from Rhino Security Labs Github page:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat
pip3 install -r ./core/python/requirements.txt
chmod u+x cloudgoat.py
IAM user creation
In your existing AWS environment, create an IAM user with “AdministratorAccess” policy attached to it.
Note: It is best practice to use your root user (the account used to create the AWS account) to only create your first IAM user.
Save the access key ID and the secret access key, as you’ll need it to configure AWS CLI.
AWS CLI configuration
Configure the AWS environment variables for the user via AWS CLI.
On Kali Linux, run the following commands:
- Create configure the IAM user on AWS CLI:
aws configure –profile <insert profile name here>
Enter the access key and secret access key generated for the IAM user. You can leave the default region name and the output format as empty.
- To configure the configuration:
aws sts get-caller-identity –profile <insert profile name here>
On Kali Linux, run the following commands:
- Create a CloudGoat profile:
./cloudgoat.py configure profile <insert profile name here>
- Whitelist the IP address of your machine:
./cloudgoat.py configure whitelist –auto
Running each scenario
- To deploy the resources for each scenario on AWS:
./cloudgoat.py create <insert scenario name>
- To destroy the resources for each scenario on AWS:
./cloudgoat.py destroy <insert scenario name>
CloudGoat is a great learning platform which can be used to hone one’s cloud security skills. It is also great for people with all skill levels, from beginners to experts.
CloudGoat: The ‘Vulnerable by Design’ AWS Environment, Rhino Security Labs
Pacu: The Open Source AWS Exploitation Framework, Rhino Security Labs
Pacu, Rhino Security Labs GitHub
CloudGoat, Rhino Security Labs GitHub