This repository serves as a demonstration of a "vulnerable-by-design" AWS Cloud Development Kit (CDK) infrastructure. The primary purpose is to showcase the deployment of a containerized application within an AWS environment, emphasizing security vulnerabilities for educational purposes.
Disclaimer: This repository is intended for educational and awareness purposes only. Do not deploy this in a production environment. Be aware of the security implications associated with running vulnerable applications.
See the following architecture of the app, generated by the Diagrams library:
Before deploying the vulnerable infrastructure, ensure you have the following prerequisites:

- Clone / fork this repository:

  ```shell
  git clone https://github.com/avishayil/cdk-goat.git
  cd cdk-goat
  ```

- Install dependencies:

  ```shell
  npm install -g aws-cdk
  poetry install --no-root
  ```
Deploy the vulnerable AWS CDK infrastructure using the following steps:

```shell
# Activate virtual environment
$ source .venv/bin/activate
# Deploy AWS CDK infrastructure
$ cdk deploy
```
Use the helper script to open an ECS Exec session into a running container:

```shell
$ ./scripts/aws_connect.sh
Tasks in the CDKGoatStack-ContainersConstructCluster2F30CE40-zVkcz3MqwUTK cluster:
0. arn:aws:ecs:eu-west-1:123456789012:task/CDKGoatStack-ContainersConstructCluster2F30CE40-zVkcz3MqwUTK/6fb6ab52095c4dd08a3031a899f04d23
Enter the task number you want to connect to: 0
Containers in the selected task:
0. backend_app
Enter the container number you want to connect to: 0
The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
Starting session with SessionId: ecs-execute-command-01948fc28b33b2fd5
root@ip-192-168-0-40:/app# your-command
```
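The task and container selection behind a helper like `scripts/aws_connect.sh`, as an added example that is not code from the cdk-goat repository: it runs offline on constructed sample responses shaped like `aws ecs list-tasks` / `aws ecs describe-tasks` output, refuses tasks on which ECS Exec is disabled, and builds the `aws ecs execute-command` call the session above comes from. The cluster name and task ARN are the ones shown in the README; the function names are my own.

```python
# Added example (not from the cdk-goat repo). No AWS calls are made: the two
# responses below are constructed samples in the shape of the AWS CLI JSON.
CLUSTER = "CDKGoatStack-ContainersConstructCluster2F30CE40-zVkcz3MqwUTK"

# Constructed sample: what `aws ecs list-tasks --cluster $CLUSTER` returns.
LIST_TASKS = {"taskArns": [
    "arn:aws:ecs:eu-west-1:123456789012:task/" + CLUSTER
    + "/6fb6ab52095c4dd08a3031a899f04d23"]}

# Constructed sample: the relevant part of `aws ecs describe-tasks` for that task.
DESCRIBE_TASKS = {"tasks": [{
    "taskArn": LIST_TASKS["taskArns"][0],
    "enableExecuteCommand": True,   # ECS Exec must be enabled or the call is refused
    "containers": [{"name": "backend_app", "lastStatus": "RUNNING"}]}]}


def task_id(task_arn: str) -> str:
    """Last path segment of an ECS task ARN (the id the session output refers to)."""
    return task_arn.rsplit("/", 1)[-1]


def running_containers(describe_resp: dict, task_arn: str) -> list[str]:
    """Names of RUNNING containers in one task; empty if ECS Exec is disabled on it."""
    for task in describe_resp["tasks"]:
        if task["taskArn"] == task_arn:
            if not task.get("enableExecuteCommand"):
                return []
            return [c["name"] for c in task["containers"] if c["lastStatus"] == "RUNNING"]
    return []


def execute_command_argv(cluster: str, task_arn: str, container: str,
                         command: str = "/bin/sh") -> list[str]:
    """Argv of the AWS CLI call a helper ends with (needs the Session Manager plugin)."""
    return ["aws", "ecs", "execute-command", "--cluster", cluster, "--task", task_arn,
            "--container", container, "--interactive", "--command", command]


def choose(items: list[str], label: str) -> str:
    """Numbered menu like the helper's: print the items, read an index, return the item."""
    for i, item in enumerate(items):
        print(f"{i}. {item}")
    return items[int(input(f"Enter the {label} number you want to connect to: "))]


if __name__ == "__main__":
    task = choose(LIST_TASKS["taskArns"], "task")
    container = choose(running_containers(DESCRIBE_TASKS, task), "container")
    print(" ".join(execute_command_argv(CLUSTER, task, container)))
```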
| Output Name | Description | Value |
|---|---|---|
| ClusterARN | The Amazon Resource Name (ARN) of the cluster. | `<ClusterARN value>` |
| ApplicationLBDNS | The DNS name of the load balancer associated with the application. | `<ApplicationLBDNS value>` |
| DBInstanceEndpoint | The endpoint of the database instance. | `<DBInstanceEndpoint value>` |
| DBName | The name of the database. | `<DBName value>` |
| UploadsBucketName | The name of the bucket for file uploads. | `<UploadsBucketName value>` |
See DVPWA
All infrastructure, third-party and code vulnerabilities are found by Snyk scanning utilities and uploaded to GitHub Code Scanning in the SARIF format. You can explore all of the vulnerabilities here: https://github.com/avishayil/cdk-goat/security/code-scanning

If you're not forking the repository and running it in your own GitHub Actions pipeline, you can see all the vulnerabilities in the HTML reports attached as assets to a GitHub release. For example, for version 1.0.0 see: https://github.com/avishayil/cdk-goat/releases/tag/v1.0.0
See CONTRIBUTING.md
See LICENSE.md