CloudGoat is an open-source project developed by Rhino Security Labs that serves as a vulnerable environment for hands-on learning and practicing cloud security in various cloud platforms like Amazon Web Services (AWS) and Microsoft Azure. It is designed to simulate real-world cloud security vulnerabilities and misconfigurations, allowing security professionals, developers, and individuals interested in cloud security to gain practical experience in identifying and addressing cloud-related security issues.
Key Benefits of CloudGoat
- Hands-On Learning: CloudGoat offers a practical environment for users to gain hands-on experience in identifying and addressing real-world cloud security vulnerabilities.
- Realistic Scenarios: Users can engage with realistic cloud environments and scenarios, replicating common vulnerabilities and misconfigurations found in actual cloud deployments.
- Cross-Cloud Support: CloudGoat supports multiple cloud platforms like AWS and Azure, accommodating users working with different cloud providers.
- Guided Learning Paths: CloudGoat provides structured learning paths and tutorials that guide users through challenges, helping them grasp vulnerabilities, impacts, and remediation methods.
- Customizable Environments: Users can tailor CloudGoat environments to their learning goals, focusing on specific security domains or scenarios.
- Scoring and Feedback: CloudGoat often includes a scoring system that allows users to track progress and receive feedback on their performance in tackling vulnerabilities.
- Community Engagement: Being an open-source project, CloudGoat has an active community, enabling collaboration, insights sharing, and contributions.
- Security Awareness: CloudGoat raises awareness about cloud security risks and best practices among developers, DevOps teams, and security professionals.
- Resource for Training: CloudGoat serves as a training resource in workshops, education initiatives, and training programs to provide hands-on cloud security experience.
- Continuous Improvement: The project is regularly updated with new challenges, support for evolving cloud services, and enhanced learning resources.
Key Features of CloudGoat
- Realistic Challenges: CloudGoat offers diverse challenges representing various cloud security issues, allowing users to practice identifying and mitigating vulnerabilities.
- Deliberate Vulnerabilities: The platform intentionally includes vulnerabilities and misconfigurations to replicate real-world security weaknesses.
- Multiple Cloud Platforms: CloudGoat supports AWS and Azure, enabling users to experience cloud security challenges in different environments.
- Learning Paths: Guided learning paths help users understand challenges, their implications, and how to effectively address them.
- Customization: Users can customize CloudGoat environments to create scenarios aligned with their learning objectives.
- Scoring System: CloudGoat often includes a scoring mechanism to track progress and measure performance in resolving vulnerabilities.
- Safe Practice: Users can explore cloud security vulnerabilities without risking real systems, as CloudGoat is designed to be a controlled learning environment.
- Open-Source Community: CloudGoat's open-source nature encourages collaboration, knowledge sharing, and contributions from users and developers.
- Educational Resource: CloudGoat aids in educating users about cloud security concepts and the importance of proper cloud configuration.
- Regular Updates: CloudGoat is consistently updated with new challenges, keeping up with evolving cloud technologies and security trends.
CloudGoat serves as a valuable tool for individuals and organizations looking to enhance their cloud security skills and knowledge. By engaging with realistic scenarios and challenges, users can develop a deeper understanding of cloud security vulnerabilities, learn how to address them effectively, and apply best practices to secure their cloud environments.
Requirements
- Linux or macOS. Windows is not officially supported.
- Argument tab-completion requires bash 4.2+ (Linux, or macOS with some difficulty).
- Python 3.6+ is required.
- Terraform >= 0.14 installed and in your $PATH.
- The AWS CLI installed and in your $PATH, and an AWS account with sufficient privileges to create and destroy resources.
- jq
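A preflight script that checks the requirements listed above before you run ./cloudgoat.py, added here as an example and not part of CloudGoat. It assumes each tool prints its version on stdout or stderr; the function names are my own.

```sh
# Added preflight check, not part of CloudGoat: verifies bash 4.2+ (for tab-completion),
# python3 >= 3.6, terraform >= 0.14, and the AWS CLI and jq on $PATH. Names are my own.

# version_ge A B: exit 0 when dotted version A >= B, compared component-wise
# (0.14.0 >= 0.14 and 1.5.7 >= 0.14, but 0.13.9 < 0.14).
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}
# first_version TEXT: first dotted version number in TEXT ("Terraform v1.5.7" -> 1.5.7).
first_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}
# check_tool NAME MIN CMD...: exit 0 when NAME is on $PATH and the version
# printed by CMD is >= MIN; always prints a one-line verdict.
check_tool() {
  name=$1 min=$2; shift 2
  if ! command -v "$name" >/dev/null 2>&1; then
    echo "MISSING  $name (need >= $min)"; return 1
  fi
  out=$("$@" 2>&1) || true
  ver=$(first_version "$out")
  if version_ge "${ver:-0}" "$min"; then
    echo "OK       $name ${ver:-?}"; return 0
  fi
  echo "TOO OLD  $name $ver (need >= $min)"; return 1
}
# preflight: run all checks; exits 0 only when every hard requirement passes
# (an old bash only costs tab-completion, so it is a warning, not a failure).
preflight() {
  rc=0
  if [ -n "${BASH_VERSION:-}" ] && version_ge "$(first_version "$BASH_VERSION")" 4.2; then
    echo "OK       bash $BASH_VERSION"
  else
    echo "WARN     bash ${BASH_VERSION:-absent}: argument tab-completion needs 4.2+"
  fi
  check_tool python3   3.6  python3 --version || rc=1
  check_tool terraform 0.14 terraform version || rc=1
  check_tool aws       0    aws --version     || rc=1
  check_tool jq        0    jq --version      || rc=1
  return $rc
}
```

Source the file and run preflight; a non-zero exit status means at least one hard requirement is missing or too old.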
Installing CloudGoat on Docker
- Pull the latest CloudGoat image from the hub.docker.com repository, then run it.
$ docker pull rhinosecuritylabs/cloudgoat:latest
- Option A: Run with the default entrypoint
$ docker run -it rhinosecuritylabs/cloudgoat
- Option B: Run with your AWS config and credentials
Warning: Running this command mounts the local AWS configuration files into the Docker container when it is launched. This means that any user or process with access to the container also has access to the host computer's AWS credentials.
$ docker run -it -v ~/.aws:/root/.aws/ rhinosecuritylabs/cloudgoat:latest
- Once the container is running, it's ready to start the hacking challenge!
The help argument provides contextual help about commands. It can come before or after the command in question, so it is always available when needed. Some examples:
$ ./cloudgoat.py create help
$ ./cloudgoat.py destroy help
$ ./cloudgoat.py list help
$ ./cloudgoat.py config help
Scenarios Available
- vulnerable_lambda (Small / Easy)
$ ./cloudgoat.py create vulnerable_lambda
- vulnerable_cognito (Small / Moderate)
$ ./cloudgoat.py create vulnerable_cognito
- iam_privesc_by_rollback (Small / Easy)
$ ./cloudgoat.py create iam_privesc_by_rollback
- lambda_privesc (Small / Easy)
$ ./cloudgoat.py create lambda_privesc
- cloud_breach_s3 (Small / Moderate)
$ ./cloudgoat.py create cloud_breach_s3
- iam_privesc_by_attachment (Medium / Moderate)
$ ./cloudgoat.py create iam_privesc_by_attachment
- ec2_ssrf (Medium / Moderate)
$ ./cloudgoat.py create ec2_ssrf
- ecs_takeover (Medium / Moderate)
$ ./cloudgoat.py create ecs_takeover
- rce_web_app (Medium / Hard)
$ ./cloudgoat.py create rce_web_app
- codebuild_secrets (Large / Hard)
$ ./cloudgoat.py create codebuild_secrets
- cicd (Medium / Moderate)
$ ./cloudgoat.py create cicd
- detection_evasion (Medium / Hard)
$ ./cloudgoat.py create detection_evasion
- ecs_efs_attack (Large / Hard)
$ ./cloudgoat.py create ecs_efs_attack
Other Vulnerable Cloud Infrastructures
- GCPGoat: Vulnerable GCP Infrastructure
GCPGoat is a vulnerable-by-design infrastructure on GCP featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, Storage Buckets, Cloud Functions and Compute Engine. GCPGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach. GCPGoat uses IaC (Terraform) to deploy the vulnerable cloud infrastructure into the user's own GCP account, which gives the user complete control over the code, infrastructure, and environment.
Using GCPGoat, the user can learn/practice:
- Cloud Pentesting/Red-teaming
- Auditing IaC
- Secure Coding
- Detection and mitigation
- AWSGoat: Vulnerable AWS Infrastructure
AWSGoat is a vulnerable-by-design infrastructure on AWS featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as IAM, S3, API Gateway, Lambda, EC2, and ECS. AWSGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach. AWSGoat uses IaC (Terraform) to deploy the vulnerable cloud infrastructure into the user's own AWS account, which gives the user complete control over the code, infrastructure, and environment.
Using AWSGoat, the user can learn/practice:
- Cloud Pentesting/Red-teaming
- Auditing IaC
- Secure Coding
- Detection and mitigation
- AzureGoat: Vulnerable Azure Infrastructure
AzureGoat is a vulnerable-by-design infrastructure on Azure featuring the latest released OWASP Top 10 web application security risks (2021) and other misconfigurations in services such as App Functions, CosmosDB, Storage Accounts, Automation and Identities. AzureGoat mimics real-world infrastructure but with added vulnerabilities. It features multiple escalation paths and is focused on a black-box approach. AzureGoat uses IaC (Terraform) to deploy the vulnerable cloud infrastructure into the user's own Azure account, which gives the user complete control over the code, infrastructure, and environment.
Using AzureGoat, the user can learn/practice:
- Cloud Pentesting/Red-teaming
- Auditing IaC
- Secure Coding
- Detection and mitigation
For more information about CloudGoat and the ine-labs projects above, visit the following links:
https://github.com/ine-labs
https://github.com/RhinoSecurityLabs/cloudgoat
https://rhinosecuritylabs.com/aws/introducing-cloudgoat-2