Size: Medium
Difficulty: Moderate
Command: $ ./cloudgoat.py create cicd
- 3 IAM users
- 1 VPC with 1 EC2 instance
- 1 API Gateway
- 1 Lambda function
- 1 ECR image
- 2 CodeBuild projects (and an additional one that is out of scope)
You are provided with the access key ID and secret access key of an initial IAM user.
FooCorp is a company exposing a public-facing API. Customers of FooCorp submit sensitive data to the API every minute to the following API endpoint:
POST {apiUrl}/prod/hello
Host: {apiHost}
Content-Type: text/html
superSecretData=...
The API is implemented as a Lambda function, exposed through an API Gateway.
Because FooCorp implements DevOps, it has a continuous deployment pipeline that automatically deploys new versions of its Lambda function from source code to production in under a few minutes.
Retrieve the sensitive data submitted by customers.
Note that simulated user activity is taking place in the account. This is implemented through a CodeBuild project that runs every minute and simulates customer requests to the API. This CodeBuild project is out of scope.
Spoiler warning
You get access to an initial AWS access key. Escalate your privileges by overwriting the tag of an EC2 instance used for attribute-based access control. Steal the SSH key on the instance, and use it to clone a CodeCommit repository. Go through the commit history, and find a new set of AWS credentials. Use them to backdoor the application and steal the sensitive data.
A cheat sheet for this route is available here.
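A defender's view of the first step in this route, as an added example that is not part of the CloudGoat project: a Python check over CloudTrail records that flags tagging calls touching an ABAC tag on an EC2 instance. The tag key, account ID, principal ARNs and sample events are assumptions constructed for illustration, not values from the scenario.

```python
# Constructed example: flag CloudTrail tagging calls that rewrite an ABAC tag on EC2.
# Assumed values (not from the scenario): tag key, account ID, principal ARNs.
ABAC_TAG_KEYS = {"environment"}  # lower-cased; IAM matches tag key names case-insensitively
TAG_ADMINS = {"arn:aws:iam::111111111111:role/terraform-deployer"}

def abac_tag_changes(events):
    """Return one finding per (instance, ABAC tag) touched by a non-admin principal."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue
        if ev.get("eventName") not in ("CreateTags", "DeleteTags"):
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if actor in TAG_ADMINS:
            continue
        params = ev.get("requestParameters") or {}
        instances = [r.get("resourceId", "")
                     for r in (params.get("resourcesSet") or {}).get("items", [])
                     if r.get("resourceId", "").startswith("i-")]
        for tag in (params.get("tagSet") or {}).get("items", []):
            if tag.get("key", "").lower() not in ABAC_TAG_KEYS:
                continue
            for instance in instances:
                findings.append({
                    "actor": actor,
                    "action": ev["eventName"],
                    "instance": instance,
                    "tag": tag["key"],
                    "new_value": tag.get("value"),  # absent on DeleteTags
                    # Denied attempts carry an errorCode; still worth reviewing.
                    "denied": "errorCode" in ev,
                })
    return findings

def _ev(name, arn, instance, key, value, **extra):
    """Build a constructed CloudTrail record with only the fields used above."""
    return {"eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"resourcesSet": {"items": [{"resourceId": instance}]},
                                  "tagSet": {"items": [{"key": key, "value": value}]}},
            **extra}

DEV, OPS = "arn:aws:iam::111111111111:user/dev-user", next(iter(TAG_ADMINS))
SAMPLE_EVENTS = [  # constructed, not captured from a real account
    _ev("CreateTags", DEV, "i-0abc", "Environment", "sandbox"),
    _ev("CreateTags", DEV, "i-0abc", "Name", "web"),
    _ev("CreateTags", OPS, "i-0abc", "Environment", "prod"),
    _ev("CreateTags", DEV, "i-0def", "environment", "sandbox", errorCode="Client.UnauthorizedOperation"),
]
```

Pairing this detection with an explicit deny on `ec2:CreateTags` and `ec2:DeleteTags` for the ABAC tag key, for every principal except the tag administrators, removes the escalation path rather than only reporting it.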
This scenario has end-to-end testing using Terratest. The tests will:
- Spin up the environment through Terraform instrumentation
- Run through the compromise scenario to ensure it is working
- Tear down the environment
To run the tests, you'll need to have Golang installed. Use:
cd terraform/test
go get .
go test -v