OWASP-YouTube-2021

Deliberately vulnerable AWS resources for security assessment demos

Demo for OWASP DevSlop YouTube Talk: Cloud Security Tooling for the Sole Practitioner

Terraform for a vulnerable AWS environment that I use as the subject of my OWASP DevSlop talk, "Cloud Security Tooling for the Sole Practitioner".

Demo instructions

  • First, set up a sandbox AWS account that you will throw away after this tutorial.
  • Create admin credentials with access keys for that sandbox account.
  • Use aws configure to set up a local credentials profile with the access keys.
    • Important: name the profile vulnerable-aws.
  • Install the prerequisite software (Homebrew or Linuxbrew assumed):
    • make install-tf
    • make install-checkov

Setup

  • First, make sure you have the code for the Git submodules, which contain the purposefully vulnerable AWS environments:
make update-submodule
  • Next, create the infrastructure for the purposefully vulnerable environments:
make demo-iam-vulnerable
make demo-resource-exposure
make demo-sadcloud
  • Lastly, create the infrastructure for the Prowler demo, which shows how to run Prowler from AWS CodeBuild as a scheduled job:
make demo-prowler
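The scheduled-Prowler setup that make demo-prowler stands for can be sketched in Terraform as follows. This is an added illustration, not the repository's own code; the two IAM role ARNs (var.codebuild_role_arn, var.events_role_arn) and the Prowler CLI invocation are assumptions you would adapt to your sandbox.

```hcl
# Added illustration (not the repo's code): Prowler run inside CodeBuild,
# started once a day by an EventBridge (CloudWatch Events) schedule rule.
resource "aws_codebuild_project" "prowler" {
  name         = "prowler-scheduled-scan"
  # Assumption: a role with CodeBuild basics plus the read-only permissions
  # Prowler needs (SecurityAudit / ViewOnlyAccess), nothing that can write.
  service_role = var.codebuild_role_arn

  artifacts {
    type = "NO_ARTIFACTS" # findings are read from the build logs in this sketch
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:5.0"
    type         = "LINUX_CONTAINER"
  }

  source {
    type      = "NO_SOURCE" # buildspec is inline; no repository checkout needed
    buildspec = <<-EOT
      version: 0.2
      phases:
        install:
          commands:
            - pip install prowler   # assumption: Prowler 3.x from PyPI
        build:
          commands:
            # Prowler returns a non-zero exit code when it has findings;
            # report it without failing the build so the schedule keeps running.
            - prowler aws -M json || echo "prowler exited with findings ($?)"
    EOT
  }
}

# Daily trigger; tighten or loosen the cadence to taste.
resource "aws_cloudwatch_event_rule" "prowler_daily" {
  name                = "prowler-daily"
  schedule_expression = "rate(1 day)"
}

resource "aws_cloudwatch_event_target" "prowler" {
  rule     = aws_cloudwatch_event_rule.prowler_daily.name
  arn      = aws_codebuild_project.prowler.arn
  # Assumption: a role EventBridge can assume that allows only codebuild:StartBuild
  # on this one project.
  role_arn = var.events_role_arn
}
```

Because the sandbox account is intentionally vulnerable, scope both roles to that account only; the CodeBuild role is the one piece of this setup that must stay read-only.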

Checkov

make checkov-filtered
make checkov-enable-all
make checkov-simple-enable-all
make checkov-simple-filtered
