bridgecrewio / cfngoat

Licence: other
Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Projects that are alternatives of or similar to cfngoat

Checkov
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Stars: ✭ 3,572 (+5002.86%)
Mutual labels:  cloudformation, aws-security, devsecops
introspector
A schema and set of tools for using SQL to query cloud infrastructure.
Stars: ✭ 61 (-12.86%)
Mutual labels:  aws-security, cloudsecurity, devsecops
cdkgoat
CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Stars: ✭ 27 (-61.43%)
Mutual labels:  cloudformation, aws-security, devsecops
Terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Stars: ✭ 2,687 (+3738.57%)
Mutual labels:  aws-security, cloudsecurity, devsecops
GDPatrol
A Lambda-powered Security Orchestration framework for AWS GuardDuty
Stars: ✭ 50 (-28.57%)
Mutual labels:  aws-security, cloudsecurity
yor
Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.
Stars: ✭ 459 (+555.71%)
Mutual labels:  cloudformation, cloudsecurity
CloudFrontier
Monitor the internet attack surface of various public cloud environments. Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.
Stars: ✭ 102 (+45.71%)
Mutual labels:  aws-security, cloudsecurity
cfsec
Static analysis for CloudFormation templates to identify common misconfiguration
Stars: ✭ 53 (-24.29%)
Mutual labels:  cloudformation, cloudsecurity
aws-leastprivilege
Generates an IAM policy for the CloudFormation service role that adheres to least privilege.
Stars: ✭ 85 (+21.43%)
Mutual labels:  cloudformation
private-chain
⛓An Ethereum PoA private-chain environment on AWS.
Stars: ✭ 23 (-67.14%)
Mutual labels:  cloudformation
AWSlack
Get Slack notifications on AWS CloudWatch events
Stars: ✭ 21 (-70%)
Mutual labels:  cloudformation
docker-geth-lb
MyEtherWallet AWS set up. Deploy public-facing Ethereum nodes using AWS CloudFormation / Docker / Parity / Geth / ethstats
Stars: ✭ 127 (+81.43%)
Mutual labels:  cloudformation
aws-waf-logger
Log all AWS WAF Matched Rules to S3 and/or Loggly using Serverless
Stars: ✭ 18 (-74.29%)
Mutual labels:  aws-security
kubernetes-ami
A simple AMI and CloudFormation for launching Kubernetes on AWS
Stars: ✭ 41 (-41.43%)
Mutual labels:  cloudformation
aws-cloudformation-simplified
AWS CloudFormation - Simplified | Hands On Learning !!
Stars: ✭ 51 (-27.14%)
Mutual labels:  cloudformation
cloudformation-operator
A Kubernetes operator for managing CloudFormation stacks via a CustomResource
Stars: ✭ 98 (+40%)
Mutual labels:  cloudformation
cloudformation-coverage-roadmap
The AWS CloudFormation Public Coverage Roadmap
Stars: ✭ 993 (+1318.57%)
Mutual labels:  cloudformation
cloudniite
AWS Lambda Optimization and Monitoring Tool
Stars: ✭ 25 (-64.29%)
Mutual labels:  cloudformation
zookeeper-on-aws
zookeeper-on-aws (with dynamic reconfiguration based on r3.5.3-beta)
Stars: ✭ 15 (-78.57%)
Mutual labels:  cloudformation
nightfall dlp action
GitHub Data Loss Prevention (DLP) Action: Scan Pull Requests for sensitive data, like credentials & secrets, PII, credit card numbers, and more.
Stars: ✭ 46 (-34.29%)
Mutual labels:  devsecops

Cfngoat - Vulnerable Cloudformation Template

Maintained by Bridgecrew.io. Badges: Infrastructure Tests, CIS AWS, PCI-DSS, SOC2, ISO, NIST-800-53, slack-community.

Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

It's an ideal companion for testing build-time Infrastructure as Code scanning tools, such as Bridgecrew and Checkov.

Introduction

Cfngoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew and Checkov, inline linters, pre-commit hooks, or other code scanning methods.

Cfngoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Installation

aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM

Expect provisioning to take at least 5 minutes.

Multiple stacks can be deployed simultaneously by changing the --stack-name and adding an Environment parameter:

aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM

Important notes

Before you proceed, please take note of this warning:

⚠️ Cfngoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy Cfngoat in a production environment or alongside any sensitive AWS resources.

Requirements

  • aws cli

Bridgecrew's IaC herd of goats

  • CfnGoat - Vulnerable by design Cloudformation template
  • TerraGoat - Vulnerable by design Terraform stack
  • CDKGoat - Vulnerable by design CDK application

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains Cfngoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at [email protected].

Existing vulnerabilities (Auto-Generated)

check_id file resource check_name guideline
0 CKV_AWS_46 /cfngoat.yaml AWS::EC2::Instance.EC2Instance Ensure no hard-coded secrets exist in EC2 user data https://docs.bridgecrew.io/docs/bc_aws_secrets_1
1 CKV_AWS_3 /cfngoat.yaml AWS::EC2::Volume.WebHostStorage Ensure all data stored in the EBS is securely encrypted https://docs.bridgecrew.io/docs/general_3-encrypt-eps-volume
2 CKV_AWS_24 /cfngoat.yaml AWS::EC2::SecurityGroup.WebNodeSG Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 https://docs.bridgecrew.io/docs/networking_1-port-security
3 CKV_AWS_23 /cfngoat.yaml AWS::EC2::SecurityGroup.WebNodeSG Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
4 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
5 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
6 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
7 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
8 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
9 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
10 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.FlowBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
11 CKV_AWS_107 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow credentials exposure https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure
12 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
13 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
14 CKV_AWS_109 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow permissions management without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
15 CKV_AWS_40 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1
16 CKV_AWS_110 /cfngoat.yaml AWS::IAM::Policy.UserPolicy Ensure IAM policies does not allow privilege escalation https://docs.bridgecrew.io/docs/ensure-iam-policies-does-not-allow-privilege-escalation
17 CKV_AWS_7 /cfngoat.yaml AWS::KMS::Key.LogsKey Ensure rotation for customer created CMKs is enabled https://docs.bridgecrew.io/docs/logging_8
18 CKV_AWS_16 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure all data stored in the RDS is securely encrypted at rest https://docs.bridgecrew.io/docs/general_4
19 CKV_AWS_157 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure that RDS instances have Multi-AZ enabled https://docs.bridgecrew.io/docs/general_73
20 CKV_AWS_17 /cfngoat.yaml AWS::RDS::DBInstance.DefaultDB Ensure all data stored in RDS is not publicly accessible https://docs.bridgecrew.io/docs/public_2
21 CKV_AWS_23 /cfngoat.yaml AWS::EC2::SecurityGroup.DefaultSG Ensure every security groups rule has a description https://docs.bridgecrew.io/docs/networking_31
22 CKV_AWS_107 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow credentials exposure https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-credentials-exposure
23 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
24 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
25 CKV_AWS_109 /cfngoat.yaml AWS::IAM::Policy.EC2Policy Ensure IAM policies does not allow permissions management without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
26 CKV_AWS_116 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
27 CKV_AWS_173 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Check encryption settings for Lambda environmental variable https://docs.bridgecrew.io/docs/bc_aws_serverless_5
28 CKV_AWS_45 /cfngoat.yaml AWS::Lambda::Function.AnalysisLambda Ensure no hard-coded secrets exist in lambda environment https://docs.bridgecrew.io/docs/bc_aws_secrets_3
29 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
30 CKV_AWS_20 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket does not allow READ permissions to everyone https://docs.bridgecrew.io/docs/s3_1-acl-read-permissions-everyone
31 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
32 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
33 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
34 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
35 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
36 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.DataBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
37 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
38 CKV_AWS_21 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has versioning enabled https://docs.bridgecrew.io/docs/s3_16-enable-versioning
39 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
40 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
41 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
42 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
43 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.FinancialsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
44 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
45 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
46 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
47 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
48 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
49 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.OperationsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
50 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
51 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
52 CKV_AWS_19 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure the S3 bucket has server-side-encryption enabled https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
53 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
54 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.DataScienceBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
55 CKV_AWS_18 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure the S3 bucket has access logging enabled https://docs.bridgecrew.io/docs/s3_13-enable-logging
56 CKV_AWS_53 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has block public ACLS enabled https://docs.bridgecrew.io/docs/bc_aws_s3_19
57 CKV_AWS_55 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has ignore public ACLs enabled https://docs.bridgecrew.io/docs/bc_aws_s3_21
58 CKV_AWS_56 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has 'restrict_public_bucket' enabled https://docs.bridgecrew.io/docs/bc_aws_s3_22
59 CKV_AWS_54 /cfngoat.yaml AWS::S3::Bucket.LogsBucket Ensure S3 bucket has block public policy enabled https://docs.bridgecrew.io/docs/bc_aws_s3_20
60 CKV_AWS_111 /cfngoat.yaml AWS::IAM::Role.CleanupRole Ensure IAM policies does not allow write access without constraints https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint
61 CKV_AWS_108 /cfngoat.yaml AWS::IAM::Role.CleanupRole Ensure IAM policies does not allow data exfiltration https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration
62 CKV_AWS_116 /cfngoat.yaml AWS::Lambda::Function.CleanBucketFunction Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) https://docs.bridgecrew.io/docs/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq
63 CKV_AWS_58 /eks.yaml AWS::EKS::Cluster.EKSCluster Ensure EKS Cluster has Secrets Encryption Enabled https://docs.bridgecrew.io/docs/bc_aws_kubernetes_3

check_id file resource check_name guideline
0 CKV_SECRET_2 /cfngoat.yaml 25910f981e85ca04baf359199dd0bd4a3ae738b6 AWS Access Key https://docs.bridgecrew.io/docs/git_secrets_2
1 CKV_SECRET_6 /cfngoat.yaml d70eab08607a4d05faa2d0d6647206599e9abc65 Base64 High Entropy String https://docs.bridgecrew.io/docs/git_secrets_6
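
To show what four of the checks in the first table above actually test, here is an added example; it is not Checkov's implementation and not part of the Cfngoat repository. The check IDs and logical resource names come from the table, while the template fragments, their property values and the helper names are constructed for illustration.

```python
# Added illustration: simplified versions of four checks from the table above.
# Not Checkov's implementation; both template fragments are constructed.
# Simplification: property values are literals, not intrinsics such as !Ref.

def props(res):
    return res.get("Properties") or {}

def ssh_open_to_world(res):
    """True if any ingress rule lets 0.0.0.0/0 reach port 22."""
    for rule in props(res).get("SecurityGroupIngress", []):
        if rule.get("CidrIp") != "0.0.0.0/0":
            continue
        if str(rule.get("IpProtocol")) == "-1":      # all protocols, all ports
            return True
        if int(rule.get("FromPort", 0)) <= 22 <= int(rule.get("ToPort", 65535)):
            return True
    return False

def versioning_on(res):
    return props(res).get("VersioningConfiguration", {}).get("Status") == "Enabled"

# resource type -> [(check_id, predicate that is True when the resource passes)]
CHECKS = {
    "AWS::EC2::SecurityGroup": [("CKV_AWS_24", lambda r: not ssh_open_to_world(r))],
    "AWS::EC2::Volume": [("CKV_AWS_3", lambda r: props(r).get("Encrypted") is True)],
    "AWS::S3::Bucket": [("CKV_AWS_21", versioning_on),
                        ("CKV_AWS_19", lambda r: "BucketEncryption" in props(r))],
}

def scan(template):
    """Return sorted (check_id, logical_id) pairs for every failed check."""
    failed = []
    for name, res in template.get("Resources", {}).items():
        for check_id, passes in CHECKS.get(res.get("Type"), []):
            if not passes(res):
                failed.append((check_id, name))
    return sorted(failed)

# Constructed fragments; logical IDs borrowed from the table, properties assumed.
VULNERABLE = {"Resources": {
    "WebNodeSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebHostStorage": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 1}},
    "FlowBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
}}
HARDENED = {"Resources": {
    "WebNodeSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "10.0.0.0/16"}]}},
    "WebHostStorage": {"Type": "AWS::EC2::Volume",
                       "Properties": {"Size": 1, "Encrypted": True}},
    "FlowBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "VersioningConfiguration": {"Status": "Enabled"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
}}
```

Calling `scan(VULNERABLE)` reports the failing check ID next to each logical resource name, in the same pairing the table uses; `scan(HARDENED)` returns an empty list.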
