The OWASP EKS Goat project has received a major documentation refresh, making lab deployment more stable and predictable. This update addresses previous issues with spinning up vulnerable EKS clusters and introduces new hardening scenarios using Kyverno, Tetragon, and GuardDuty.
Updated Docs:
- Step-by-step walkthroughs for each lab.
- Improved teardown procedures to avoid dangling infrastructure.
- Functional hardening scenarios with Kyverno, Tetragon, and GuardDuty.
What's New:
- Better AWS IAM roles and ECR configurations.
- More reliable infrastructure lifecycle scripts.
- Simplified onboarding for workshops and self-paced learning.
- Working eBPF Tetragon and AWS EKS GuardDuty integration.
You Should Know:
1. Deploying OWASP EKS Goat
To set up the vulnerable EKS cluster, use the following commands:
    # Clone the repository
    git clone https://github.com/OWASP/EKS-Goat.git
    cd EKS-Goat
    # Initialize the lab
    ./setup.sh
    # Verify deployment
    kubectl get pods -A
2. Hardening with Kyverno
Kyverno is a Kubernetes policy engine. Apply security policies using:
    # Install Kyverno
    kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.8.0/install.yaml
    # Apply a sample policy
    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/require-labels/require-labels.yaml
3. Monitoring with Tetragon (eBPF)
Tetragon provides runtime security observability. Deploy it with:
    helm repo add cilium https://helm.cilium.io
    helm install tetragon cilium/tetragon -n kube-system
    kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f
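The `export-stdout` stream above is one JSON event per line, so it can be triaged with a small filter. The following is an added example, not code from the EKS Goat or Tetragon projects: it flags `process_exec` events where a watched binary starts inside a pod. The watch list and the sample events are assumptions constructed for illustration.

```python
import json

# Assumption: binaries that should rarely start inside a workload pod.
WATCHED = {"sh", "bash", "curl", "wget", "nc", "kubectl"}

# Constructed events in the shape of Tetragon's JSON export (not real captures).
SAMPLE = [
    '{"process_exec":{"process":{"binary":"/usr/bin/curl","arguments":"-s https://example.com/x","pod":{"namespace":"default","name":"web-7d9f"}},"parent":{"binary":"/bin/sh"}},"time":"2024-01-01T00:00:01Z"}',
    '{"process_exec":{"process":{"binary":"/usr/sbin/nginx","arguments":"-g daemon off;","pod":{"namespace":"default","name":"web-7d9f"}},"parent":{"binary":"/usr/bin/containerd-shim"}},"time":"2024-01-01T00:00:02Z"}',
    '{"process_exec":{"process":{"binary":"/bin/bash","arguments":"-l"},"parent":{"binary":"/usr/sbin/sshd"}},"time":"2024-01-01T00:00:03Z"}',
    '{"process_exit":{"process":{"binary":"/bin/sh","pod":{"namespace":"default","name":"web-7d9f"}}},"time":"2024-01-01T00:00:04Z"}',
    'level=info msg="truncated or non-JSON line"',
]


def suspicious_execs(lines, watched=WATCHED):
    """Return one dict per process_exec event where a watched binary started in a pod."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # log streams can carry partial or non-JSON lines
        if not isinstance(event, dict):
            continue
        exec_event = event.get("process_exec") or {}
        proc = exec_event.get("process") or {}
        pod = proc.get("pod")  # absent for host processes
        binary = proc.get("binary", "")
        if not pod or binary.rsplit("/", 1)[-1] not in watched:
            continue
        hits.append({
            "time": event.get("time"),
            "pod": f'{pod.get("namespace")}/{pod.get("name")}',
            "binary": binary,
            "arguments": proc.get("arguments", ""),
            "parent": (exec_event.get("parent") or {}).get("binary"),
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_execs(SAMPLE):
        print(hit)
```

To run it against a live cluster, pass `sys.stdin` instead of `SAMPLE` and pipe the `kubectl logs` command into the script.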
4. AWS GuardDuty Integration
Enable GuardDuty for EKS threat detection:
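    # Create the detector and keep its ID; the list commands require --detector-id
    DETECTOR_ID=$(aws guardduty create-detector --enable --query DetectorId --output text)
    # Load known-bad IPs as a threat list. create-ip-set would register a trusted
    # IP list instead, which suppresses findings for those addresses.
    aws guardduty create-threat-intel-set --detector-id "$DETECTOR_ID" --activate --format TXT --location https://example.com/malicious-ips.txt --name MaliciousIPSet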
5. Teardown Lab
Clean up all resources to avoid AWS costs:
    ./destroy.sh
What Undercode Say:
The OWASP EKS Goat project is an excellent resource for learning Kubernetes security through offensive and defensive techniques. Key takeaways:
- Offensive Security: Exploit misconfigured EKS clusters to understand attack vectors.
- Defensive Hardening: Use Kyverno, Tetragon, and GuardDuty to secure Kubernetes.
- Automation: Infrastructure-as-Code (IaC) scripts ensure reproducible labs.
Additional Linux & AWS Commands for Security Testing:
    # Check Kubernetes RBAC permissions
    kubectl auth can-i --list
    # Scan for vulnerable images
    trivy image <your-image>
    # Inspect network policies
    kubectl get networkpolicy -A
    # AWS EKS cluster logs
    aws eks describe-cluster --name <cluster-name> --query "cluster.logging.clusterLogging[].enabled"
Prediction:
As Kubernetes adoption grows, so will attacks targeting misconfigured clusters. Projects like OWASP EKS Goat will become essential for training security teams in cloud-native threat detection and mitigation.
Expected Output:
A fully deployed vulnerable EKS cluster with hardening mechanisms in place, ready for security testing and learning.
Reported By: Peachycloudsecurity Owasp – Hackers Feeds