Working with CloudGoat: The “vulnerable by design” AWS environment
Introduction
Many organizations today are leveraging the cloud to transform their business. However, the adoption of cloud technology introduces associated risks, including security and privacy concerns. One of these risks is misconfigured cloud environments.
What is CloudGoat?
CloudGoat is a “vulnerable by design” AWS deployment tool designed by Rhino Security Labs. It is used to deploy a vulnerable set of AWS resources. It is designed to teach and test cloud security penetration testing via issues commonly seen in real-life environments.
Each scenario is designed in a Capture the Flag (CTF) style where AWS resources are deployed to an existing environment. In each scenario, you’ll need to explore the AWS environment and its resources and demonstrate your understanding of the issue by exploiting the vulnerabilities.
Currently, there are seven (7) scenarios, which explore various attack vectors and vulnerabilities such as:
- IAM permissions
- Misconfigured EC2 instances, Lambda functions and Elastic Load Balancers
- Misconfigured web applications
- Evading detection
- Default settings, configurations and software
The goals when exploiting the CloudGoat environment are:
- Privilege escalation
- Logging/monitoring evasion
- Data and information enumeration
- Data exfiltration
- Persistent access
Pacu AWS
Pacu is a comprehensive open-source AWS exploitation framework designed by Rhino Security Labs for penetration testing on AWS environments. Pacu is designed to be the Metasploit equivalent. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules. Pacu modules were designed to be used against the CloudGoat environment.
Set up CloudGoat
CloudGoat uses a Terraform-based deployment script to automatically launch resources into an existing AWS environment and to destroy them afterwards. I recommend creating a new AWS account (preferably free tier) just for this purpose. Deploy the environment and destroy it as soon as you are done, so as to avoid unexpected charges.
Warning #1: CloudGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy CloudGoat in a production environment or alongside any environment with sensitive AWS resources or data.
Warning #2: CloudGoat can only manage resources it creates. If you create any resources yourself in the course of a scenario, you should remove them manually before running the “destroy” command.
Docker
The easiest way to use CloudGoat is to make use of the Docker images. Assuming you have Docker installed, execute the following command:
docker run -it rhinosecuritylabs/cloudgoat:latest
From Source
Requirements
- Linux OS (I used Kali Linux)
- Python 3.6 or a later version
- Terraform 0.12 or a later version
- AWS CLI
Clone it from the Rhino Security Labs GitHub page:
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git ./CloudGoat
Compile
cd CloudGoat
pip3 install -r ./core/python/requirements.txt
chmod u+x cloudgoat.py
Usage
IAM user creation
In your existing AWS environment, create an IAM user with “AdministratorAccess” policy attached to it.
Note: It is best practice to use your root user (the account used to create the AWS account) only to create your first IAM user.
Save the access key ID and the secret access key, as you’ll need them to configure the AWS CLI.
AWS CLI configuration
Configure the AWS environment variables for the user via AWS CLI.
On Kali Linux, run the following commands:
- Configure the IAM user in the AWS CLI:
aws configure --profile <insert profile name here>
Enter the access key ID and secret access key generated for the IAM user. You can leave the default region name and the output format empty.
aws sts get-caller-identity --profile <insert profile name here>
CloudGoat configuration
On Kali Linux, run the following commands:
- Create a CloudGoat profile:
./cloudgoat.py configure profile <insert profile name here>
./cloudgoat.py configure whitelist --auto
Running each scenario
- To deploy the resources for each scenario on AWS:
./cloudgoat.py create <insert scenario name>
- To destroy the resources for a scenario when you are done:
./cloudgoat.py destroy <insert scenario name>
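A guard for Warning #1, added here as an example that is not part of the original article or the CloudGoat project: it runs the create command only when the AWS CLI profile resolves to an IAM user in your dedicated lab account. The script name preflight.sh, the function names and the lab account ID argument are assumptions you supply.

```shell
#!/bin/sh
# Pre-flight guard: run "cloudgoat.py create" only when the AWS CLI profile
# resolves to the dedicated lab account. The lab account ID is a value you
# supply (assumption); nothing here comes from the CloudGoat project itself.

# Print "<account-id><TAB><arn>" for the given AWS CLI profile.
caller_identity() {
    aws sts get-caller-identity --profile "$1" \
        --query '[Account,Arn]' --output text
}

# Exit status 0 only if the profile is an IAM user in the expected account.
# The body runs in a subshell, so "exit" ends only this check.
preflight() (
    profile=$1 expected=$2
    case $expected in
        ''|*[!0-9]*) echo "lab account ID must be numeric" >&2; exit 2 ;;
    esac
    [ "${#expected}" -eq 12 ] || { echo "lab account ID must be 12 digits" >&2; exit 2; }

    out=$(caller_identity "$profile") || {
        echo "cannot resolve identity for profile '$profile'" >&2; exit 3; }
    set -- $out            # split on whitespace: $1 = account, $2 = ARN
    account=$1 arn=$2

    if [ "$account" != "$expected" ]; then
        echo "REFUSING: profile '$profile' is account $account, not lab $expected" >&2
        exit 4
    fi
    case $arn in
        *:root) echo "REFUSING: profile uses the root user; create an IAM user" >&2
                exit 5 ;;
    esac
    echo "OK: $arn in lab account $account" >&2
)

# Usage: sh preflight.sh <profile> <lab-account-id> <scenario>
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" && ./cloudgoat.py create "$3"
fi
```

Run it from the CloudGoat directory in place of calling create directly; a non-zero exit status means nothing was deployed.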
Conclusion
CloudGoat is a great learning platform which can be used to hone one’s cloud security skills. It is also great for people of all skill levels, from beginners to experts.