OWASP EKS Goat

OWASP EKS Goat
An intentionally vulnerable EKS cluster designed for hands-on security testing and learning.

Complete walkthrough at https://eksgoat.kubernetesvillage.com

Made with in India

EKS Goat Now an Official OWASP Project!

EKS Goat is now an official OWASP project! This marks a significant milestone in our journey to improve Kubernetes security education.

🔗 Check out the OWASP page: OWASP EKS Goat

Overview

EKS Goat is now an official OWASP project.
An intentionally vulnerable EKS cluster designed for hands-on security testing and learning.

⚠️ Note: EKS Goat does not exploit any vulnerability in Amazon Web Services (AWS) or Amazon EKS. All scenarios are based on insecure configurations, IAM misuse, or overly permissive setups created by users within the shared responsibility model. The lab is intended to help security teams detect and mitigate such real-world misconfigurations.

OWASP EKS Goat is an open-source, intentionally vulnerable EKS cluster designed for security testing in AWS cloud environments. It is designed to:

• Reproduce real world EKS misconfigurations and IAM pitfalls
• Simulate realistic attack chains targeting EKS-native components
• Help teams validate detection, response, and hardening strategies
• Understand the security flow from web app compromise to ECR abuse to full EKS cluster takeover

This isn’t a read-only guide or sandbox demo. It’s a working, breakable EKS lab cluster to explore and improve real-world cloud security.

🧪 Real-World Scenarios 🧪

• Exploiting vulnerable jenkins web applications deployed inside EKS.
• Compromising ECR containers and persisting through image backdoors.
• Exfiltrating credentials via IMDSv2 metadata.
• Escalating privileges through misconfigured IAM roles.
• Breaking out from pod to underlying EC2 node.
• Abusing RBAC for lateral movement.
• Run scanning and benchmarking clusters using tools like Kubescape and Kubebench
• Perform testing runtime detection via Falco and Tetragon

✅ Prerequisites

Note: Running this lab on AWS EKS will incur costs. For a typical session (~16 hours), the estimated cost is around $5–8 USD.

• GitHub Codespace
• Individual AWS account per participant with admin access and billing enabled (one EKS cluster per AWS account)

• Laptop with an updated browser (Administrative privileges may be required).

📘 Lab Documentation

Covers setup, exploit labs, and mitigation labs step-by-step including scenario details on CVE-2024-23897 (Arbitrary File Read Vulnerability)

• Full walkthrough: https://eksgoat.kubernetesvillage.com

• Alternate Link

  • In case of accessibility issues, use:
    https://ekssecurity.netlify.app/

🏆 Scenarios Documented

📦 Container & Image Security

• Docker Image and Layer Analysis
• Container Secrets Misuse
• Static Scanning with Hadolint, Dockle
• Docker Bench Security (CIS benchmark)

🔐 AWS ECR Exploitation

• ECR Image Scanning
• Immutable Tag Enforcement
• Credential Abuse for Private ECR Enumeration
• Backdooring Docker Images in ECR

☁️ AWS EKS Exploitation

• Deploying Vulnerable EKS Infrastructure
• Metadata Service Abuse (IMDSv2) to Steal Credentials
• Web App Exploitation to AWS IAM Compromise
• ECR to EKS Cluster Compromise
• Pod-to-Node Breakout in EKS
• Privilege Escalation to S3 Access and Data Exfiltration
• EC2 Instance Cleanup Post Exploit

🔍 Scanning & Auditing

• Kubescape for Compliance Assessment
• Kubebench for Node Security Benchmarking
• Hadolint for Dockerfile Linting

🛡️ Runtime Defense & Hardening

• Pod Security Context Enforcement
• Kyverno (CEL) Policy Enforcement in EKS
• Real-time Runtime Detection via eBPF Tetragon
• AWS GuardDuty Alerts for EKS Threats

⚙️ Environment Lifecycle

• Infra Spin-up for Vulnerable EKS Cluster
• Complete Infra Teardown Lab

🙌 Credits

Reach out in case of missing credits.

• Kubernetes Architecture
• Credits for image: Offensive Security Say – Try Harder!
• Kubernetes Goat by madhuakula
• vulhub
• Amazon EKS Security Immersion Day
• eksworkshop.com - GuardDuty Log Monitoring
• Kubernetes Architecture
• Tech Blog by Anoop Ka - Kyverno
• Microsoft Attack Matrix for Kubernetes
• Datadog Security Labs - EKS Attacking & Securing Cloud Identities
• HackTricks AWS EKS Enumeration
• AWS EKS Best Practices
• Amazon EMR IAM Setup for EKS
• AWS EKS Pod Identities
• Anais URL - Container Image Layers Explained
• GitLab - Beginner’s Guide to Container Security
• Wiz.io Academy - What is Container Security
• JFrog Blog - 10 Helm Tutorials
• Datadog Security Labs - EKS Cluster Access Management
• ChatGPT - For Re-phrasing & Re-writing
• Okey Ebere Blessing - AWS EKS Authentication & Authorization
• Microsoft Blog - Attack Matrix for Kubernetes
• Subbaraj Penmetsa - OPA Gatekeeper for Amazon EKS
• Open Policy Agent GitHub
• OPA Gatekeeper Documentation
• Gatekeeper Library on GitHub
• CDK EKS Blueprints - OPA Gatekeeper
• AWS EKS Documentation
• Datadog Security Labs - EKS Attacking & Securing Cloud Identities
• Cloud HackTricks Kubernetes Enumeration
• Attacking & Defending Kubernetes training
• mathewpalmer

⚠️ Disclaimer

• The information, commands, and demonstrations presented in this lab including any course, are intended strictly for educational purposes. Under no circumstances should they be used to compromise or attack any system outside the boundaries of this educational session unless explicit permission has been granted.

  • This course is provided by the instructors independently and is not endorsed by their employers or any other corporate entity. The content does not necessarily reflect the views or policies of any company or professional organization associated with the instructors.

• Usage of Training Material: The training material is provided without warranties or guarantees. Participants are responsible for applying the techniques or methods discussed during the training. The trainers and their respective employers or affiliated companies are not liable for any misuse or misapplication of the information provided.

• Liability: The trainers, their employers, and any affiliated companies are not responsible for any direct, indirect, incidental, or consequential damages arising from the use of the information provided in this course. No responsibility is assumed for any injury or damage to persons, property, or systems as a result of using or operating any methods, products, instructions, or ideas discussed during the training.

• Intellectual Property: This course and all accompanying materials, including slides, worksheets, and documentation, are the intellectual property of the trainers. They are shared under the GPL-3.0 license, which requires that appropriate credit be given to the trainers whenever the materials are used, modified, or redistributed.

• References: Some of the labs referenced in this workshop are based on open-source materials available at Amazon EKS Security Immersion Day GitHub repository, licensed under the MIT License. Additionally, modifications and fixes have been applied using AI tools such as Amazon Q, ChatGPT, and Gemini.

• Educational Purpose: This lab is for educational purposes only. Do not attack or test any website or network without proper authorization. The trainers are not liable or responsible for any misuse.

• Usage Rights: Individuals are permitted to use this course for instructional purposes, provided that no fees are charged to the students.

Note: Currently unable to provide the support in case facing any deployment issue. This lab is for educational purposes only. Do not attack or test any website or network without proper authorization. The trainers are not liable or responsible for any misuse and this course provided independently and is not endorsed by their employers or any other corporate entity. Refer to disclaimer section at eksgoat.kubernetesvillage.com

📢 Community

A Kubernetes Village Initiative | Now Part of OWASP !

• 🔗 OWASP Project Page: OWASP EKS Goat
• 🔗 Kubernetes Village: LinkedIn

Made with in India