
avishayil/cdk-goat


CDK Goat - Vulnerable AWS CDK Infrastructure

Overview

This repository serves as a demonstration of a "vulnerable-by-design" AWS Cloud Development Kit (CDK) infrastructure. The primary purpose is to showcase the deployment of a containerized application within an AWS environment, emphasizing security vulnerabilities for educational purposes.

Disclaimer: This repository is intended for educational and awareness purposes only. Do not deploy this in a production environment. Be aware of the security implications associated with running vulnerable applications.

Contents

  1. Setup
  2. Usage
  3. Contributing
  4. Credits
  5. License

Architecture

See the following architecture of the app, generated by the Diagrams library:

[Architecture diagram: CDK Goat]

Setup

Prerequisites

Before deploying the vulnerable infrastructure, ensure you have the following prerequisites:

Installation

  1. Clone / Fork this repository:

    git clone https://github.com/avishayil/cdk-goat.git
    cd cdk-goat
  2. Install dependencies:

    $ npm install -g aws-cdk
    $ poetry install --no-root
    

Usage

Deploying the Vulnerable Infrastructure

Deploy the vulnerable AWS CDK infrastructure using the following steps:

    # Activate virtual environment
    $ source .venv/bin/activate

    # Deploy AWS CDK infrastructure
    $ cdk deploy

Accessing the Vulnerable Infrastructure

Connecting to the ECS Container:

Use the helper script:

    ./scripts/aws_connect.sh

    Tasks in the CDKGoatStack-ContainersConstructCluster2F30CE40-zVkcz3MqwUTK cluster:
    0. arn:aws:ecs:eu-west-1:123456789012:task/CDKGoatStack-ContainersConstructCluster2F30CE40-zVkcz3MqwUTK/6fb6ab52095c4dd08a3031a899f04d23
    Enter the task number you want to connect to: 0
    Containers in the selected task:
    0. backend_app
    Enter the container number you want to connect to: 0

    The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.


    Starting session with SessionId: ecs-execute-command-01948fc28b33b2fd5
    root@ip-192-168-0-40:/app# your-command

Investigate the CloudFormation Template Outputs

| Output Name | Description | Value |
|---|---|---|
| ClusterARN | The Amazon Resource Name (ARN) of the cluster. | <ClusterARN value> |
| ApplicationLBDNS | The DNS name of the load balancer associated with the application. | <ApplicationLBDNS value> |
| DBInstanceEndpoint | The endpoint of the database instance. | <DBInstanceEndpoint value> |
| DBName | The name of the database. | <DBName value> |
| UploadsBucketName | The name of the bucket for file uploads. | <UploadsBucketName value> |

Accessing the Vulnerable Application

See DVPWA

Exploring Security Vulnerabilities

Findings for infrastructure, third-party dependencies and code come from Snyk scanning utilities and are uploaded to GitHub Code Scanning in the SARIF format. You can explore all of the vulnerabilities here: https://github.com/avishayil/cdk-goat/security/code-scanning

If you're not forking the repository and running it in your own GitHub Actions pipeline, you can see all the vulnerabilities in the HTML reports attached as assets to a GitHub release. For example, in version 1.0.0 here: https://github.com/avishayil/cdk-goat/releases/tag/v1.0.0
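If you run the scans in your own fork, the SARIF files can also be triaged locally before opening the Code Scanning UI. The following is an added example, not part of this repository: it counts findings per tool and severity level in a SARIF 2.1.0 document, and the embedded sample (tool names, rule ids, paths) is constructed for illustration.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample: tool names, rule ids, paths and messages are
# made up for illustration and are not taken from the repository's reports.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "example-iac-scanner", "rules": [
        {"id": "EXAMPLE-IAC-1", "defaultConfiguration": {"level": "error"}},
        {"id": "EXAMPLE-IAC-2"}]}},
     "results": [
        {"ruleId": "EXAMPLE-IAC-1", "message": {"text": "constructed"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "cdk.out/example.template.json"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "EXAMPLE-IAC-2", "message": {"text": "constructed"}}]},
    {"tool": {"driver": {"name": "example-code-scanner"}},
     "results": [
        {"ruleId": "EXAMPLE-CODE-1", "level": "note",
         "message": {"text": "constructed"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/example.py"},
             "region": {"startLine": 3}}}]}]},
]})

def summarize_sarif(text):
    """Return (Counter keyed by (tool, level), list of finding dicts)."""
    counts, findings = Counter(), []
    for run in json.loads(text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        tool = driver.get("name", "unknown")
        # Rule metadata supplies the level when a result omits it.
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level")
                    for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            rule = res.get("ruleId", "unknown")
            # Simplified SARIF fallback: result level, rule default, "warning".
            level = res.get("level") or defaults.get(rule) or "warning"
            # Results without a location (e.g. dependency findings) are kept.
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
            line = loc.get("region", {}).get("startLine")
            counts[(tool, level)] += 1
            findings.append({"tool": tool, "rule": rule, "level": level,
                             "uri": uri, "line": line})
    return counts, findings

if __name__ == "__main__":
    for (tool, level), n in sorted(summarize_sarif(SAMPLE_SARIF)[0].items()):
        print(f"{tool:22} {level:8} {n}")
```

To use it on a real report, pass the contents of the SARIF file to `summarize_sarif` instead of `SAMPLE_SARIF`.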

Contributing

See CONTRIBUTING.md

Credits

  • DVPWA by @anxolerd (We stand with Ukraine! 🇺🇦🇺🇦🇺🇦)

License

See LICENSE.md
