TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
This repo is a clone of [TerraGoat][https://github.com/bridgecrewio/terragoat]
TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Checkov, inline-linters, pre-commit hooks or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
- Where to get help: the Bridgecrew Community Slack
Before you proceed please take a not of these warning:
⚠️ TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
- Terraform 0.12
- aws cli
To prevent vulnerable infrastructure from arriving to production see: checkov, the open source static analysis tool for infrastructure as code.
You can deploy multiple TerraGoat stacks in a single AWS account using the parameters TF_VAR_environment and TF_VAR_environment.
export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-east-1"
aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
--region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}'cd terraform/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform applyterraform destroycd terraform/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply -auto-approve
donecd terraform/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform destroy -auto-approve
done- CfnGoat - Vulnerable by design Cloudformation template
- TerraGoat - Vulnerable by design Terraform stack
Contribution is welcomed!
We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.
Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.
If you need direct support you can contact us at info@bridgecrew.io.
| check_id | file | resource | check_name | |
|---|---|---|---|---|
| 0 | CKV_AWS_41 | /providers.tf | aws | Ensure no hard coded AWS access key and and secret key exists in provider |
| 1 | CKV_AWS_5 | /es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is securely encrypted at rest |
| 2 | CKV_AWS_46 | /ec2.tf | aws_instance.web_host | Ensure no hard coded AWS access key and and secret key exists in EC2 user data |
| 3 | CKV_AWS_8 | /ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration EBS is securely encrypted |
| 4 | CKV_AWS_3 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted |
| 5 | CKV_AWS_4 | /ec2.tf | aws_ebs_snapshot.example_snapshot | Ensure all data stored in the EBS Snapshot is securely encrypted |
| 6 | CKV_AWS_24 | /ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 |
| 7 | CKV_AWS_21 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled |
| 8 | CKV_AWS_18 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled |
| 9 | CKV_AWS_52 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure S3 bucket has MFA delete enabled |
| 10 | CKV_AWS_19 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 11 | CKV_AWS_40 | /iam.tf | aws_iam_user_policy.userpolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) |
| 12 | CKV_AWS_51 | /ecr.tf | aws_ecr_repository.repository | Ensure ECR Image Tags are immutable |
| 13 | CKV_AWS_33 | /ecr.tf | aws_ecr_repository.repository | Ensure ECR image scanning on push is enabled |
| 14 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled |
| 15 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled |
| 16 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data | Ensure S3 bucket has MFA delete enabled |
| 17 | CKV_AWS_20 | /s3.tf | aws_s3_bucket.data | S3 Bucket has an ACL defined which allows public READ access. |
| 18 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 19 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled |
| 20 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled |
| 21 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.financials | Ensure S3 bucket has MFA delete enabled |
| 22 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 23 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled |
| 24 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.operations | Ensure S3 bucket has MFA delete enabled |
| 25 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 26 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data_science | Ensure S3 bucket has MFA delete enabled |
| 27 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest |
| 28 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled |
| 29 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.logs | Ensure S3 bucket has MFA delete enabled |
| 30 | CKV_AWS_16 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest |
| 31 | CKV_AWS_17 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS bucket is not public accessible |
| 32 | CKV_AWS_23 | /db-app.tf | aws_security_group.default | Ensure every security groups rule has a description |
| 33 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.ingress | Ensure every security groups rule has a description |
| 34 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.egress | Ensure every security groups rule has a description |
| 35 | CKV_AWS_8 | /db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration EBS is securely encrypted |
| 36 | CKV_AWS_50 | /lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda |
| 37 | CKV_AWS_45 | /lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hard coded AWS access key and and secret key exists in lambda environment |
| 38 | CKV_AWS_7 | /kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled |
| 39 | CKV_AWS_37 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types |
| 40 | CKV_AWS_38 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 |
| 41 | CKV_AWS_39 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled |
| 42 | CKV_AWS_58 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled |