Skip to content

Latest commit

 

History

History
109 lines (92 loc) · 6.06 KB

README.md

File metadata and controls

109 lines (92 loc) · 6.06 KB

CNAPPgoat Scenarios Repository

CNAPPGoat logo: a smiling goat with a purple cloud background

This repository provides a comprehensive collection of Pulumi scenarios utilized by CNAPPgoat, a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate practice arenas for defenders and pentesters.

Scenario Structure

Each scenario in this repository is structured with a Pulumi.yaml file and a main.go file, go.mod and go.sum files should also be included in the scenario.

The Project File: `Pulumi.yaml

The Pulumi.yaml file is a project file in Pulumi and it specifies the runtime, the name of the project, its description and all parameters used by CNAPPgoat.

Here is an example of a Pulumi.yaml file:

name: ciem-aws-iam-external-id-3rd-party-role
runtime: go
description: The scenario creates an IAM role without an external ID parameter.
  This exposes your account to confused deputy attacks.
  To fix, include the condition "sts:ExternalId" in your
  IAM role trust policy during the creation process.
cnappgoat-params:
  description: The scenario involves the creation of an IAM role for a 3rd party without
    an external ID parameter. This flaw escalates the risk of impersonation attacks,
    especially 'confused deputy' scenarios, where rogue actors might access your account
    using the same vendor's services. To mitigate this issue, it's essential to include
    an 'External ID' in the trust policy of the IAM role, thereby adding an extra
    layer of security against potential impersonators.
  friendlyName: IAM Role Without External ID
  id: ciem-aws-iam-external-id-3rd-party-role
  module: ciem
  scenarioType: native
  platform: aws
  config:
    key: value

Let's break down this example to learn about the different fields:

  • name: The name of the scenario. This name is used by Pulumi to identify the scenario. Our naming convention is <module>-<platform>-<scenario-name-kebab-case>
  • runtime: The programming language used by the scenario, you can use whatever Pulumi supported runtime you prefer: nodejs, python, go, dotnet, java or yaml
  • description: A description of the scenario. This description is used by Pulumi to describe the scenario. Note: This description can only be up top 256 characters long!
  • cnappgoat-params: these are the parameters that CNAPPgoat uses.
    • description: A description of the scenario. This description is used by CNAPPgoat to describe the scenario. Its length is not limited
    • friendlyName: A friendly name of the scenario. This name is used by CNAPPgoat to describe the scenario. The convention for this name is Capitalized Scenario Name
    • id: The ID of the scenario. This ID is used by CNAPPgoat to identify the scenario. Our naming convention is <module>-<platform>-<scenario-name-kebab-case>
    • module: The module of the scenario. This module is used by CNAPPgoat to identify the module of the scenario. (e.g. ciem, cspm, cwpp, etc.)
    • scenarioType: The type of the scenario. All scenarios in this repository are native scenarios.
      • config: The configuration of the scenario. CNAPPgoat takes key value pairs under this yaml field and sets them as environment variables for the Pulumi program, as if you ran pulumi config set <key> <value> for each key value pair.

The Pulumi Program

In the same directory as the Pulumi.yaml file, you should put the Pulumi program. The Pulumi program is a program written in the programming language specified in the Pulumi.yaml file. This program is used by Pulumi to deploy the scenario.

Go

As of now, all scenarios in this repository are written in Go. The main.go file is the main program for the scenario. It uses the Pulumi SDK to define resources and their configurations.

In addition, when adding Go scenarios, you should also add a go.mod file and a go.sum file.

Other Best Practices

These program files are just standard Pulumi programs, so you can use the Pulumi documentation when writing them. There are a few conventions that you should follow when writing scenarios for CNAPPgoat:

  • Resource names should start with CNAPPGoat and be as descriptive as possible.
  • Tags: Whenever possible, tag resources with {"Cnappgoat": "true"}, do note that tags can be case-sensitive.
  • Output values: Whenever possible, output values that are relevant to the scenario. For now, these are not used by CNAPPgoat, but it is best practice to reflect them.
    • Region independence: Whenever possible, write scenarios in a way that they can be deployed in any region. You can look at scenarios/cwpp/aws/end-of-life-ec2 for an example of how to do this. Other than that, try to stick to the best practices and conventions of the programming language you are using.

Testing your scenario

To test your scenario, just put it into your local directory under the proper directory structure, e.g. $HOME/cnappgoat/scenarios/<module>/<platform>/<scenario-name> and run cnappgoat provision --debug <module>-<platform>-<scenario-name> to deploy it to a sandbox environment you own.

Containers and Images

To ensure security, CNAPPgoat scenarios in this repository will only used trusted images/containers or images/containers stored by the Ermetic Research team. If your scenario uses a custom container, please contact the project team.

Contact

To email the project team, contact research+cnappgoat@ermetic.com

Disclaimer

  • CNAPPGoat scenarios are provided "as is" and without any warranty or support.
  • This is a beta version. The project is still in development, so we apologize for any growing pains. We will release a stable version in the coming weeks.