Cfngoat - Vulnerable Cloudformation Template

Maintained by Bridgecrew.io Infrastructure Tests CIS AWS PCI-DSS SOC2 ISO NIST-800-53 slack-community

Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

It's an ideal companion for testing build-time Infrastructure as Code scanning tools, such as Bridgecrew & Checkov.

Introduction

Cfngoat was built to enable DevSecOps teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline linters, pre-commit hooks or other code scanning methods.

Cfngoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Installation

aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM

Expect provisioning to take at least 5 minutes.

Multiple stacks can be deployed simultaneously by changing the --stack-name and adding an Environment parameter:

aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM

Important notes

Before you proceed, please take note of this warning:

:warning: Cfngoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.

Requirements

Bridgecrew's IaC herd of goats

Contributing

Contributions are welcome!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains Cfngoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.

Existing vulnerabilities (Auto-Generated)

| check_id | file | resource | check_name | guideline |
|---|---|---|---|---|
| CKV_AWS_46 | /cfngoat.yaml | AWS::EC2::Instance.EC2Instance | Ensure no hard-coded secrets exist in EC2 user data | https://docs.bridgecrew.io/docs/bc_aws_secrets_1 |
| CKV_AWS_3 | /cfngoat.yaml | AWS::EC2::Volume.WebHostStorage | Ensure all data stored in the EBS is securely encrypted | https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume |
| CKV_AWS_24 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | https://docs.bridgecrew.io/docs/networking_1-port-security |
| CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.WebNodeSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FlowBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure |
| CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
| CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration |
| CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |
| CKV_AWS_40 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1 |
| CKV_AWS_110 | /cfngoat.yaml | AWS::IAM::Policy.UserPolicy | Ensure IAM policies does not allow privilege escalation | https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation |
| CKV_AWS_7 | /cfngoat.yaml | AWS::KMS::Key.LogsKey | Ensure rotation for customer created CMKs is enabled | https://docs.bridgecrew.io/docs/logging_8 |
| CKV_AWS_16 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in the RDS is securely encrypted at rest | https://docs.bridgecrew.io/docs/general_4 |
| CKV_AWS_157 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure that RDS instances have Multi-AZ enabled | https://docs.bridgecrew.io/docs/general_73 |
| CKV_AWS_17 | /cfngoat.yaml | AWS::RDS::DBInstance.DefaultDB | Ensure all data stored in RDS is not publicly accessible | https://docs.bridgecrew.io/docs/public_2 |
| CKV_AWS_23 | /cfngoat.yaml | AWS::EC2::SecurityGroup.DefaultSG | Ensure every security groups rule has a description | https://docs.bridgecrew.io/docs/networking_31 |
| CKV_AWS_107 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow credentials exposure | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure |
| CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
| CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration |
| CKV_AWS_109 | /cfngoat.yaml | AWS::IAM::Policy.EC2Policy | Ensure IAM policies does not allow permissions management without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint |
| CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
| CKV_AWS_173 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Check encryption settings for Lambda environmental variable | https://docs.bridgecrew.io/docs/bc_aws_serverless_5 |
| CKV_AWS_45 | /cfngoat.yaml | AWS::Lambda::Function.AnalysisLambda | Ensure no hard-coded secrets exist in lambda environment | https://docs.bridgecrew.io/docs/bc_aws_secrets_3 |
| CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_20 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket does not allow READ permissions to everyone | https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone |
| CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_21 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has versioning enabled | https://docs.bridgecrew.io/docs/s3_16-enable-versioning |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.FinancialsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.OperationsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_19 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure the S3 bucket has server-side-encryption enabled | https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.DataScienceBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_18 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure the S3 bucket has access logging enabled | https://docs.bridgecrew.io/docs/s3_13-enable-logging |
| CKV_AWS_53 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public ACLS enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_19 |
| CKV_AWS_55 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has ignore public ACLs enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_21 |
| CKV_AWS_56 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has 'restrict_public_bucket' enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_22 |
| CKV_AWS_54 | /cfngoat.yaml | AWS::S3::Bucket.LogsBucket | Ensure S3 bucket has block public policy enabled | https://docs.bridgecrew.io/docs/bc_aws_s3_20 |
| CKV_AWS_111 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow write access without constraints | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint |
| CKV_AWS_108 | /cfngoat.yaml | AWS::IAM::Role.CleanupRole | Ensure IAM policies does not allow data exfiltration | https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration |
| CKV_AWS_116 | /cfngoat.yaml | AWS::Lambda::Function.CleanBucketFunction | Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) | https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq |
| CKV_AWS_58 | /eks.yaml | AWS::EKS::Cluster.EKSCluster | Ensure EKS Cluster has Secrets Encryption Enabled | https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3 |
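As an added illustration (not code from the Cfngoat repository or from Checkov itself), the following Python script reimplements a few of the checks listed above (CKV_AWS_24, CKV_AWS_19 and CKV_AWS_53 through CKV_AWS_56) as simple policy-as-code rules and runs them over a constructed JSON-form CloudFormation template. The template, its resource names and the expected findings are assumptions for the demonstration, not the contents of cfngoat.yaml.

```python
import json

# Constructed CloudFormation template (JSON form, so no YAML parser is needed):
# WebNodeSG opens port 22 to the world (CKV_AWS_24), DataBucket has no public-
# access block (CKV_AWS_53..56) or encryption (CKV_AWS_19), LogsBucket is clean.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebNodeSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}})

PUBLIC_BLOCK_CHECKS = {  # PublicAccessBlockConfiguration property -> check id
    "BlockPublicAcls": "CKV_AWS_53", "IgnorePublicAcls": "CKV_AWS_55",
    "BlockPublicPolicy": "CKV_AWS_54", "RestrictPublicBuckets": "CKV_AWS_56",
}

def check_security_group(name, props):
    """CKV_AWS_24: any ingress rule from 0.0.0.0/0 whose port range covers 22."""
    for rule in props.get("SecurityGroupIngress", []):
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if rule.get("CidrIp") == "0.0.0.0/0" and low <= 22 <= high:
            yield ("CKV_AWS_24", name)

def check_bucket(name, props):
    """CKV_AWS_53..56 and CKV_AWS_19: every public-access flag true, SSE set."""
    block = props.get("PublicAccessBlockConfiguration", {})
    for prop, check_id in PUBLIC_BLOCK_CHECKS.items():
        if block.get(prop) is not True:
            yield (check_id, name)
    if "BucketEncryption" not in props:
        yield ("CKV_AWS_19", name)

def scan(template_text):
    """Return sorted (check_id, logical resource id) findings for a template."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            findings.extend(check_security_group(name, props))
        elif res.get("Type") == "AWS::S3::Bucket":
            findings.extend(check_bucket(name, props))
    return sorted(findings)

if __name__ == "__main__":
    for check_id, resource in scan(SAMPLE_TEMPLATE):
        print(f"FAILED {check_id} on {resource}")
```

The hardened LogsBucket in the sample produces no findings, which is the shape a fixed resource takes when the corresponding rows above are remediated.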

| check_id | file | resource | check_name | guideline |
|---|---|---|---|---|
| CKV_SECRET_2 | /cfngoat.yaml | 25910f981e85ca04baf359199dd0bd4a3ae738b6 | AWS Access Key | https://docs.bridgecrew.io/docs/git_secrets_2 |
| CKV_SECRET_6 | /cfngoat.yaml | d70eab08607a4d05faa2d0d6647206599e9abc65 | Base64 High Entropy String | https://docs.bridgecrew.io/docs/git_secrets_6 |