Welcome to OWASP EKS Goat Documentation
OWASP EKS Goat
An intentionally vulnerable EKS cluster designed for hands-on security testing and learning.
Complete walkthrough at https://eksgoat.kubernetesvillage.com
Made with love in India
EKS Goat Now an Official OWASP Project!
EKS Goat is now an official OWASP project! This marks a significant milestone in our journey to improve Kubernetes security education.
Check out the OWASP page: OWASP EKS Goat
Workshop Website
- Access the EKS Goat Security workshop: https://eksgoat.kubernetesvillage.com
- Alternate link, in case of accessibility issues: https://ekssecurity.netlify.app/
Workshop Overview
The OWASP EKS Goat Security Lab simulates real-world security misconfigurations and attacks on AWS EKS, followed by guided defensive remediations. It is designed for practitioners and includes an immersive security workshop that takes participants through real-world scenarios of attacking and defending Kubernetes clusters hosted on AWS EKS.
This document provides a comprehensive approach, from understanding the anatomy of attacks on EKS clusters to deploying robust defense mechanisms. Participants will learn how to exploit misconfigurations and vulnerabilities within AWS EKS, followed by the implementation of best security practices to safeguard the environment.
Key Takeaways:
- Hands-on labs focused on exploiting AWS EKS misconfigs: IRSA, RBAC, ECR, and metadata services.
- Techniques for lateral movement, credential abuse, privilege escalation, and post-exploitation in AWS EKS.
- Deep dive into securing AWS EKS clusters by leveraging IAM roles and runtime tools (Kyverno, Tetragon) for mitigation.
- Cloud-native supply chain and detection strategy examples.
This document is tailored for security professionals, cloud engineers, and DevOps teams looking to enhance their understanding of offensive and defensive Kubernetes security strategies.
Prerequisites
- GitHub Codespace
- Individual AWS account per participant with admin access and billing enabled (one EKS cluster per AWS account)
- Laptop with an updated browser (Administrative privileges may be required).
About Us:
Authored by Anjali & Divyanshu
- Anjali is a senior cloud security engineer and founder of Kubernetes Village. She has over 5 years of experience in cloud security (GCP, AWS & Azure), DevSecOps (CI/CD), Kubernetes (EKS & GKE), and IaC security. She was a member of the Infosec Girls mentorship program and regularly publishes research on cloud security via her YouTube channel @peachycloudsecurity. She was a volunteer at Defcon Cloud Village and currently leads the Bangalore chapter for W3-CS. Additionally, she is an AWS Community Builder. She has delivered training and talks at conferences such as Blackhat Spring'24, Blackhat Europe'23, Bsides Bangalore 2023/2024, CSA Bangalore Annual Summit, C0c0n 2023, Null Community Meetup Bangalore, Google Cloud IAP Security at the Cloud Security Podcast, and Nullcon 2023.
- Divyanshu is a senior security engineer with more than 7 years of experience in security architecture reviews of cloud, web and cloud pentesting, DevSecOps, automation, and secure code review. He has reported multiple vulnerabilities to companies such as Airbnb, Google, Microsoft, AWS, Apple, Amazon, Samsung, Zomato, Xiaomi, Alibaba, Opera, Protonmail, and Mobikwik, and received CVE-2019-8727, CVE-2019-16918, CVE-2019-12278, and CVE-2019-14962 for reporting issues. He is the author of Burp-o-mation and a very-vulnerable-serverless application. He is also an AWS Community Builder for security and was a Defcon Cloud Village crew member in 2020/2021/2022. He has given training and talks at events such as Nullcon Hyderabad'24, Brucon'24, Blackchat'23, C0c0n'24, Nullcon Goa'24, Bsides Bangalore'23, Parsec IIT Dharwad, and the Null community. He was awarded the title of Cloud Security Champion at CSA Bangalore'23 and Cybersecurity Samurai at Bsides Bangalore'23.
Contact Us
- Find Us Here
- Kubernetes Village
- Anjali
- Divyanshu
Excited About the Class:
IMPORTANT NOTICE: Please use a new or dedicated AWS account per participant for running the EKS cluster. Some commands may delete data or resources within the AWS environment. The author assumes no responsibility for any data loss or unintended consequences resulting from the use of these commands. Running this lab on AWS EKS will incur costs; for a typical session (~16 hours), the estimated cost is around $5-8 USD.