CNAPPgoat Scenarios Repository

<div align="center"> <img src="https://github.com/ermetic-research/cnappgoat/blob/main/images/logo.png?raw=true" width="40%" alt="CNAPPGoat logo: a smiling goat with a purple cloud background"> </div>

This repository provides a comprehensive collection of Pulumi scenarios utilized by CNAPPgoat, a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate practice arenas for defenders and pentesters.

Scenario Structure

Each scenario in this repository consists of a Pulumi.yaml file and a main.go file; the scenario directory should also include the go.mod and go.sum files that the Go program needs.

The Project File: Pulumi.yaml

The Pulumi.yaml file is the Pulumi project file: it specifies the runtime, the project name, its description and all parameters used by CNAPPgoat.

Here is an example of a Pulumi.yaml file:

```yaml
name: ciem-aws-iam-external-id-3rd-party-role
runtime: go
description: The scenario creates an IAM role without an external ID parameter.
  This exposes your account to confused deputy attacks.
  To fix, include the condition "sts:ExternalId" in your
  IAM role trust policy during the creation process.
cnappgoat-params:
  description: The scenario involves the creation of an IAM role for a 3rd party without
    an external ID parameter. This flaw escalates the risk of impersonation attacks,
    especially 'confused deputy' scenarios, where rogue actors might access your account
    using the same vendor's services. To mitigate this issue, it's essential to include
    an 'External ID' in the trust policy of the IAM role, thereby adding an extra
    layer of security against potential impersonators.
  friendlyName: IAM Role Without External ID
  id: ciem-aws-iam-external-id-3rd-party-role
  module: ciem
  scenarioType: native
  platform: aws
  config:
    key: value
```

Let's break down this example to learn about the different fields:

The Pulumi Program

In the same directory as the Pulumi.yaml file, place the Pulumi program. The Pulumi program is written in the language named by the runtime field of Pulumi.yaml, and Pulumi runs it to deploy the scenario.

Go

As of now, all scenarios in this repository are written in Go. The main.go file is the main program for the scenario. It uses the Pulumi SDK to define resources and their configurations.

In addition, when adding Go scenarios, you should also add a go.mod file and a go.sum file.
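As an added example (not code from the CNAPPgoat repository), here is the trust-policy flaw named in the Pulumi.yaml description above expressed in Go using only the standard library rather than the Pulumi SDK: the weak policy beside the hardened one carrying the sts:ExternalId condition, plus a check a defender can run over an exported trust policy document. The account id, the external id and the function names are constructed for illustration.

```go
package main
import "encoding/json"

// Minimal trust-policy model; Principal and Action are assumed to be single strings here.
type Statement struct {
	Effect    string                       `json:"Effect"`
	Principal map[string]string            `json:"Principal"`
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}
type TrustPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Constructed placeholder for the third party's AWS account; not a real one.
const thirdPartyPrincipal = "arn:aws:iam::111122223333:root"

// WeakTrustPolicy is the flaw the scenario deploys: any caller in the vendor's
// account may assume the role, with nothing tying the call to our tenancy.
func WeakTrustPolicy() TrustPolicy {
	return TrustPolicy{Version: "2012-10-17", Statement: []Statement{{Effect: "Allow",
		Action: "sts:AssumeRole", Principal: map[string]string{"AWS": thirdPartyPrincipal}}}}
}

// HardenedTrustPolicy adds the sts:ExternalId condition the scenario recommends.
func HardenedTrustPolicy(externalID string) TrustPolicy {
	p := WeakTrustPolicy()
	p.Statement[0].Condition = map[string]map[string]string{"StringEquals": {"sts:ExternalId": externalID}}
	return p
}

// MissingExternalID returns the indices of Allow sts:AssumeRole statements that
// trust an AWS principal without a StringEquals sts:ExternalId condition.
func MissingExternalID(raw []byte) ([]int, error) {
	var p TrustPolicy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var flagged []int
	for i, s := range p.Statement {
		_, trustsAWS := s.Principal["AWS"]
		_, hasExternalID := s.Condition["StringEquals"]["sts:ExternalId"]
		if s.Effect == "Allow" && s.Action == "sts:AssumeRole" && trustsAWS && !hasExternalID {
			flagged = append(flagged, i)
		}
	}
	return flagged, nil
}
```

Running MissingExternalID over the weak policy flags statement 0, while the hardened policy passes.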

Other Best Practices

These program files are just standard Pulumi programs, so you can use the Pulumi documentation when writing them. There are a few conventions that you should follow when writing scenarios for CNAPPgoat:

Testing your scenario

To test your scenario, place it in your local scenarios directory under the proper directory structure, e.g. $HOME/cnappgoat/scenarios/<module>/<platform>/<scenario-name>, and run cnappgoat provision --debug <module>-<platform>-<scenario-name> to deploy it to a sandbox environment you own.

Containers and Images

To ensure security, CNAPPgoat scenarios in this repository will only use trusted images and containers, or images and containers stored by the Ermetic Research team. If your scenario uses a custom container, please contact the project team.

Contact

To email the project team, contact research+cnappgoat@ermetic.com

Disclaimer