CdkGoat - Vulnerable AWS CDK Infrastructure

Maintained by Bridgecrew.io slack-community

CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

It also shows how Bridgecrew can be used with the AWS CDK to scan for CloudFormation template vulnerabilities at build time, even though no CloudFormation templates are checked into the source repository: the templates are synthesized from the CDK code and scanned before anything is deployed.

Introduction

CdkGoat was built to help DevSecOps teams design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework such as Bridgecrew and Checkov, inline linters, or other code scanning methods executed at build or deploy time.

CdkGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

Before you proceed, please take note of this warning:

:warning: CdkGoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy CdkGoat in a production environment or alongside any sensitive AWS resources.

Requirements

This project uses the following software versions, but older versions should generally work.

To prevent vulnerable infrastructure from reaching production, see checkov, the open source static analysis tool for infrastructure as code.

Getting started

Installation

Clone this repository. Then run the following commands:

npm install -g aws-cdk
python -m venv .env
source .env/bin/activate
pip install -r requirements.txt

Generate and scan a template

Run the following commands to synthesize the CDK app into a CloudFormation template under cdk.out/ and scan that template with the Bridgecrew CLI:

cdk synth
bridgecrew -f cdk.out/cdkgoat.template.json

Deploy a CloudFormation stack

Run the following command to deploy the infrastructure into your AWS account. Warning: this will create vulnerable resources. Deploy with care into a non-production account, and consider deleting the stack each time you finish your work. The best use of this capability is to compare the build-time findings above with what a runtime (deployed-environment) scanner reports on the same resources.

cdk deploy

Note that you will probably need to change some resource names to be unique, especially S3 bucket names, which must be unique across all AWS accounts.

Destroy a CloudFormation stack

Run the following command to destroy the stack and its resources. You can also delete the stack from the AWS Console.

cdk destroy

Bridgecrew's IaC herd of goats

Contributing

Contributions are welcome!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains CdkGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.

Existing misconfigs (Auto-Generated)

| check_id | file | resource | check_name | guideline |
|---|---|---|---|---|
| CKV_AWS_18 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_20 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone |
| CKV_AWS_21 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| CKV_AWS_53 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure S3 bucket has block public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure the S3 bucket has server-side encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_57 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure the S3 bucket does not allow WRITE permissions to everyone | https://docs.bridgecrew.io/docs/s3_2-acl-write-permissions-everyone |
| CKV_AWS_56 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cdk.out/cdkgoat.template.json | AWS::S3::Bucket.mycdkbucketC801BBDD | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_3 | /cdk.out/cdkgoat.template.json | AWS::EC2::Volume.vol100D23AE3 | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
| CKV_AWS_24 | /cdk.out/cdkgoat.template.json | AWS::EC2::SecurityGroup.sg15CEFF4E3 | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
| CKV_AWS_7 | /cdk.out/cdkgoat.template.json | AWS::KMS::Key.kms1045C8EFE | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 |

Secret findings. For these rows the resource column is a hash of the detected value rather than a CloudFormation logical ID, so the secret itself is never echoed into the report:

| check_id | file | resource | check_name | guideline |
|---|---|---|---|---|
| CKV_SECRET_2 | /cdk.out/cdkgoat.template.json | d105d6e6096177be6085e7d65fe2b50e94303048 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
| CKV_SECRET_2 | /cdk.out/cdkgoat.template.json | 1be789d57b93b4368eb001346a983f6feea25a85 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
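The following is an added example, not code from CdkGoat, Bridgecrew or Checkov. It re-implements, in simplified form, what each check in the findings table looks for in a synthesized template, runs those checks plus an access-key pattern scan over a constructed sample, and then applies the remediation each finding asks for so the same scan comes back clean. The sample template only borrows the logical IDs from the table; its property values, the extra `ec2Instance` resource, the access key (AWS's documentation example key, not a real credential), the log bucket name and the replacement CIDR are all assumptions. The predicates approximate Checkov's logic rather than reproduce it; the real scan is the `bridgecrew -f` (or `checkov -f`) step shown under "Generate and scan a template".

```python
import copy
import json
import re

# Constructed sample shaped like a cut-down `cdk synth` output for CdkGoat.
# Logical IDs come from the findings table; properties, the ec2Instance
# resource and the access key (AWS's documentation example key) are assumed.
VULNERABLE_TEMPLATE = {
    "Resources": {
        "mycdkbucketC801BBDD": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicReadWrite"},
        },
        "vol100D23AE3": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 8},
        },
        "sg15CEFF4E3": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "ssh from anywhere",
                "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                          "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
            },
        },
        "kms1045C8EFE": {"Type": "AWS::KMS::Key", "Properties": {}},
        "ec2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {"UserData": "aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE"},
        },
    }
}

def _pab(props, flag):
    """True when the given PublicAccessBlockConfiguration flag is set."""
    return props.get("PublicAccessBlockConfiguration", {}).get(flag) is True

def _ssh_open_to_world(props):
    """True if any ingress rule lets 0.0.0.0/0 or ::/0 reach port 22."""
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        all_ports = rule.get("IpProtocol") == "-1"
        covers_22 = int(rule.get("FromPort", 0)) <= 22 <= int(rule.get("ToPort", 65535))
        if world and (all_ports or covers_22):
            return True
    return False

# (check_id, resource type, predicate that returns True when the resource passes)
CHECKS = [
    ("CKV_AWS_18", "AWS::S3::Bucket", lambda p: "LoggingConfiguration" in p),
    ("CKV_AWS_20", "AWS::S3::Bucket", lambda p: p.get("AccessControl") not in ("PublicRead", "PublicReadWrite")),
    ("CKV_AWS_21", "AWS::S3::Bucket", lambda p: p.get("VersioningConfiguration", {}).get("Status") == "Enabled"),
    ("CKV_AWS_53", "AWS::S3::Bucket", lambda p: _pab(p, "BlockPublicAcls")),
    ("CKV_AWS_55", "AWS::S3::Bucket", lambda p: _pab(p, "IgnorePublicAcls")),
    ("CKV_AWS_19", "AWS::S3::Bucket", lambda p: "BucketEncryption" in p),
    ("CKV_AWS_57", "AWS::S3::Bucket", lambda p: p.get("AccessControl") != "PublicReadWrite"),
    ("CKV_AWS_56", "AWS::S3::Bucket", lambda p: _pab(p, "RestrictPublicBuckets")),
    ("CKV_AWS_54", "AWS::S3::Bucket", lambda p: _pab(p, "BlockPublicPolicy")),
    ("CKV_AWS_3", "AWS::EC2::Volume", lambda p: p.get("Encrypted") is True),
    ("CKV_AWS_24", "AWS::EC2::SecurityGroup", lambda p: not _ssh_open_to_world(p)),
    ("CKV_AWS_7", "AWS::KMS::Key", lambda p: p.get("EnableKeyRotation") is True),
]
AWS_ACCESS_KEY_RE = re.compile(r"AKIA[0-9A-Z]{16}")  # the shape CKV_SECRET_2 reports

def scan(template):
    """Return [(check_id, logical_id)] for every failing (check, resource) pair."""
    failures = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        for check_id, rtype, passes in CHECKS:
            if res.get("Type") == rtype and not passes(props):
                failures.append((check_id, logical_id))
    return failures

def find_access_keys(template):
    """Secret scan: AWS access key IDs anywhere in the serialized template."""
    return sorted(set(AWS_ACCESS_KEY_RE.findall(json.dumps(template))))

def harden(template):
    """Apply the remediation each finding asks for; returns a new template."""
    t = copy.deepcopy(template)
    r = t["Resources"]
    r["mycdkbucketC801BBDD"]["Properties"] = {
        "AccessControl": "Private",
        "LoggingConfiguration": {"DestinationBucketName": "cdkgoat-access-logs"},  # assumed name
        "VersioningConfiguration": {"Status": "Enabled"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {k: True for k in (
            "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")},
    }
    r["vol100D23AE3"]["Properties"]["Encrypted"] = True
    r["sg15CEFF4E3"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"  # assumed bastion range
    r["kms1045C8EFE"]["Properties"]["EnableKeyRotation"] = True
    r["ec2Instance"]["Properties"]["UserData"] = "aws sts get-caller-identity"  # use the instance role instead
    return t

if __name__ == "__main__":
    for check_id, logical_id in scan(VULNERABLE_TEMPLATE):
        print(f"FAILED {check_id} on {logical_id}")
    print("access keys:", find_access_keys(VULNERABLE_TEMPLATE))
    fixed = harden(VULNERABLE_TEMPLATE)
    print("after hardening:", scan(fixed), find_access_keys(fixed))
```

Run it and the vulnerable sample produces one failure per row of the misconfiguration table (twelve in all) plus the access key, while the hardened copy produces none. Two points worth noticing: the CDK never shows you `AccessControl` or `PublicAccessBlockConfiguration` as template keys, so scanning the synthesized JSON in cdk.out/ is what catches defaults the construct library chose for you, and the secret scan works on the serialized template rather than on the resource tree, which is why a key embedded in UserData is found even though none of the resource-level checks look there.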