Rhino Security Labs' "Vulnerable by Design" AWS infrastructure setup tool
- Python2 or Python3
- Terraform in your $PATH (https://www.terraform.io/downloads.html)
- gpg (
apt-get install gpg)
- OpenSSH (For SSH key generation)
- CloudGoat deploys intentionally vulnerable AWS resources into your account. DO NOT deploy CloudGoat in a production environment or alongside any sensitive AWS resources.
How to deploy the CloudGoat environment
Note: CloudGoat uses the credentials that are setup as the "default" profile for the AWS CLI (Usually stored under
~/.aws/credentials, with the "[default]" header). You can set/change these keys by running the AWS CLI command
git clone https://github.com/RhinoSecurityLabs/cloudgoat.git && cd cloudgoat
./start.sh <ip range>- Where
<ip range>is an IP range that CloudGoat whitelists access to in every security group, to ensure only you can access the environment.
Now the credentials to get you started will be stored in ./credentials.txt and if you are starting with access to EC2 or Lightsail, the OpenSSH key is stored in ./keys/
How to destroy the CloudGoat environment
Note about AWS Glue, why it's disabled, and how to re-enable it
- The Glue development endpoint is disabled by default due to it costing far more than the whole rest of CloudGoat to run. If you would like to enable the Glue development endpoint (estimated at $1 per hour), uncomment the final three lines of "start.sh", uncomment the final eight lines of "kill.sh", uncomment the final two lines of "extract_creds.py", and uncomment the file located at "./terraform/glue.tf".
- 8/29/18: Added a few permissions to Bob so that it is no longer required to bruteforce permissions (or cheat) to gain further access.
- 8/6/18: Fixed
tr: Illegal byte sequenceerror on Mac operating systems.
- 8/1/18: Modified
extract_creds.pyto fix support for Python3.
- 7/31/18: Public GitHub release!