bridgecrewio / terragoat

воскресенье, 24 мая 2020 г. в 00:22:21

https://github.com/bridgecrewio/terragoat

HCL
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

TerraGoat - Vulnerable Terraform Infrastructure

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Introduction
Getting Started
Contributing
Support

Introduction

TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Checkov, inline-linters, pre-commit hooks or other code scanning methods.

TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

Where to get help: the Bridgecrew Community Slack

Before you proceed please take a not of these warning:

⚠️ TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.

Requirements

Terraform 0.12
aws cli

To prevent vulnerable infrastructure from arriving to production see: checkov, the open source static analysis tool for infrastructure as code.

Getting started

Installation

You can deploy multiple TerraGoat stacks in a single AWS account using the parameters TF_VAR_environment and TF_VAR_environment.

Create an S3 bucket backend to keep Terraform state

export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-east-1"

aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region

# Enable versioning    
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled

# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"
      }
    }
  ]
}'

Apply TerraGoat

cd terraform/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"

terraform apply

Remove TerraGoat

terraform destroy

Creating multiple TerraGoat stacks

cd terraform/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i   
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region" 
    
    terraform apply -auto-approve
done

Deleting multiple TerraGoat stacks

cd terraform/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i   
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region" 
    
    terraform destroy -auto-approve
done

Bridgecrew's IaC heard of goats:

CfnGoat - Vulnerable by design Cloudformation template
TerraGoat - Vulnerable by design Terraform stack

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at info@bridgecrew.io.

Existing vulnerabilities (Auto-Generated)

	check_id	file	resource	check_name
0	CKV_AWS_46	/ec2.tf	aws_instance.web_host	Ensure no hard coded AWS access key and and secret key exists in EC2 user data
1	CKV_AWS_8	/ec2.tf	aws_instance.web_host	Ensure all data stored in the Launch configuration EBS is securely encrypted
2	CKV_AWS_3	/ec2.tf	aws_ebs_volume.web_host_storage	Ensure all data stored in the EBS is securely encrypted
3	CKV_AWS_4	/ec2.tf	aws_ebs_snapshot.example_snapshot	Ensure all data stored in the EBS Snapshot is securely encrypted
4	CKV_AWS_24	/ec2.tf	aws_security_group.web-node	Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
5	CKV_AWS_21	/ec2.tf	aws_s3_bucket.flowbucket	Ensure all data stored in the S3 bucket have versioning enabled
6	CKV_AWS_52	/ec2.tf	aws_s3_bucket.flowbucket	Ensure S3 bucket has MFA delete enabled
7	CKV_AWS_19	/ec2.tf	aws_s3_bucket.flowbucket	Ensure all data stored in the S3 bucket is securely encrypted at rest
8	CKV_AWS_18	/ec2.tf	aws_s3_bucket.flowbucket	Ensure the S3 bucket has access logging enabled
9	CKV_AWS_21	/s3.tf	aws_s3_bucket.data	Ensure all data stored in the S3 bucket have versioning enabled
10	CKV_AWS_52	/s3.tf	aws_s3_bucket.data	Ensure S3 bucket has MFA delete enabled
11	CKV_AWS_19	/s3.tf	aws_s3_bucket.data	Ensure all data stored in the S3 bucket is securely encrypted at rest
12	CKV_AWS_20	/s3.tf	aws_s3_bucket.data	S3 Bucket has an ACL defined which allows public READ access.
13	CKV_AWS_18	/s3.tf	aws_s3_bucket.data	Ensure the S3 bucket has access logging enabled
14	CKV_AWS_21	/s3.tf	aws_s3_bucket.financials	Ensure all data stored in the S3 bucket have versioning enabled
15	CKV_AWS_52	/s3.tf	aws_s3_bucket.financials	Ensure S3 bucket has MFA delete enabled
16	CKV_AWS_19	/s3.tf	aws_s3_bucket.financials	Ensure all data stored in the S3 bucket is securely encrypted at rest
17	CKV_AWS_18	/s3.tf	aws_s3_bucket.financials	Ensure the S3 bucket has access logging enabled
18	CKV_AWS_52	/s3.tf	aws_s3_bucket.operations	Ensure S3 bucket has MFA delete enabled
19	CKV_AWS_19	/s3.tf	aws_s3_bucket.operations	Ensure all data stored in the S3 bucket is securely encrypted at rest
20	CKV_AWS_18	/s3.tf	aws_s3_bucket.operations	Ensure the S3 bucket has access logging enabled
21	CKV_AWS_52	/s3.tf	aws_s3_bucket.data_science	Ensure S3 bucket has MFA delete enabled
22	CKV_AWS_19	/s3.tf	aws_s3_bucket.data_science	Ensure all data stored in the S3 bucket is securely encrypted at rest
23	CKV_AWS_52	/s3.tf	aws_s3_bucket.logs	Ensure S3 bucket has MFA delete enabled
24	CKV_AWS_18	/s3.tf	aws_s3_bucket.logs	Ensure the S3 bucket has access logging enabled
25	CKV_AWS_7	/kms.tf	aws_kms_key.logs_key	Ensure rotation for customer created CMKs is enabled
26	CKV_AWS_16	/db-app.tf	aws_db_instance.default	Ensure all data stored in the RDS is securely encrypted at rest
27	CKV_AWS_17	/db-app.tf	aws_db_instance.default	Ensure all data stored in the RDS bucket is not public accessible
28	CKV_AWS_23	/db-app.tf	aws_security_group.default	Ensure every security groups rule has a description
29	CKV_AWS_23	/db-app.tf	aws_security_group_rule.ingress	Ensure every security groups rule has a description
30	CKV_AWS_23	/db-app.tf	aws_security_group_rule.egress	Ensure every security groups rule has a description
31	CKV_AWS_8	/db-app.tf	aws_instance.db_app	Ensure all data stored in the Launch configuration EBS is securely encrypted
32	CKV_AWS_41	/providers.tf	aws	Ensure no hard coded AWS access key and and secret key exists in provider
33	CKV_AWS_40	/iam.tf	aws_iam_user_policy.userpolicy	Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)
34	CKV_AWS_50	/lambda.tf	aws_lambda_function.analysis_lambda	X-ray tracing is enabled for Lambda
35	CKV_AWS_45	/lambda.tf	aws_lambda_function.analysis_lambda	Ensure no hard coded AWS access key and and secret key exists in lambda environment