├── scenarios ├── cspm │ ├── aws │ │ ├── s3-unencrypted-transport │ │ │ ├── http.txt │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── lambda-env-secrets │ │ │ ├── app.zip │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── s3-public-bucket-secrets │ │ │ ├── secret.txt │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── ec2-imds-v1-enabled │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── ec2-open-public │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── ec2-secrets-expose │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── ec2-ami-public-volume │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ └── codebuild-build-secrets │ │ │ └── Pulumi.yaml │ ├── gcp │ │ ├── storage-public-bucket-secrets │ │ │ ├── CNAPPgoat-public-data.txt │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── compute-public-image-registry │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── function-env-secrets │ │ │ ├── app.zip │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── compute-secrets-expose │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ └── cloudbuild-build-secrets │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ └── azure │ │ ├── unrestricted-rdp │ │ └── Pulumi.yaml │ │ ├── unrestricted-ssh │ │ └── Pulumi.yaml │ │ ├── vm-open-public │ │ └── Pulumi.yaml │ │ ├── vm-secretes-exposed │ │ └── Pulumi.yaml │ │ └── storage-account-public-network │ │ └── Pulumi.yaml ├── cwpp │ ├── aws │ │ ├── malicious-container-xmrig-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-redis-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-tomcat-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── end-of-life-container-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-jenkins-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-log4shell-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── 
vulnerable-container-thunderbird-on-ecr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── malicious-ec2-xmrig │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── end-of-life-ec2 │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── malicious-container-xmrig-on-ec2 │ │ │ └── Pulumi.yaml │ │ ├── end-of-life-container-on-ec2 │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-redis-on-ec2 │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-thunderbird-on-ec2 │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-ec2-thunderbird │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-jenkins-on-ec2 │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-tomcat-on-ec2 │ │ │ └── Pulumi.yaml │ │ └── vulnerable-container-log4shell-on-ec2 │ │ │ └── Pulumi.yaml │ ├── azure │ │ ├── malicious-container-xmrig-on-acr │ │ │ ├── Dockerfile │ │ │ ├── Pulumi.yaml │ │ │ └── main.go │ │ ├── vulnerable-container-redis-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-jenkins-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-tomcat-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── end-of-life-container-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-log4shell-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-thunderbird-on-acr │ │ │ ├── Dockerfile │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-thunderbird-on-vm │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-log4shell-on-vm │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-redis-on-vm │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-tomcat-on-vm │ │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-jenkins-on-vm │ │ │ └── Pulumi.yaml │ │ ├── malicious-container-xmrig-on-vm │ │ │ └── Pulumi.yaml │ │ └── end-of-life-container-on-vm │ │ │ └── Pulumi.yaml │ └── gcp │ │ ├── malicious-container-xmrig-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── 
vulnerable-container-jenkins-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── vulnerable-container-redis-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── vulnerable-container-tomcat-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── end-of-life-container-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── vulnerable-container-log4shell-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── vulnerable-container-thunderbird-on-artifact-registry │ │ ├── Dockerfile │ │ ├── Pulumi.yaml │ │ └── main.go │ │ ├── vulnerable-container-thunderbird-on-vm │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-log4shell-on-vm │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-redis-on-vm │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-tomcat-on-vm │ │ └── Pulumi.yaml │ │ ├── vulnerable-container-jenkins-on-vm │ │ └── Pulumi.yaml │ │ ├── malicious-container-xmrig-on-vm │ │ └── Pulumi.yaml │ │ └── end-of-life-container-on-vm │ │ └── Pulumi.yaml ├── dspm │ ├── aws │ │ ├── s3-organization-storage-pci-sqllite │ │ │ ├── data │ │ │ │ └── pci_card_data_mix.db │ │ │ └── Pulumi.yaml │ │ ├── s3-organization-storage-pci-data │ │ │ ├── data │ │ │ │ └── pci_card_data_visa.parquet │ │ │ └── Pulumi.yaml │ │ ├── s3-organization-storage-sensitive-data-compression │ │ │ └── data │ │ │ │ ├── 1 │ │ │ │ └── pii_basic.zip │ │ │ │ └── 2 │ │ │ │ └── pci_card_data_mix_level3.zip │ │ ├── s3-organization-storage-sensitive-data-iso │ │ │ ├── data │ │ │ │ └── 1 │ │ │ │ │ ├── pci_card_data_mix.iso │ │ │ │ │ └── phi_nhs_fda_ndc.iso │ │ │ └── Pulumi.yaml │ │ ├── s3-public-storage-pii-data-password-hash │ │ │ └── data │ │ │ │ └── 2 │ │ │ │ └── pii_basic_with_pw.xlsx │ │ ├── s3-organization-storage-pii-data-password-hash │ │ │ └── data │ │ │ │ └── 2 │ │ │ │ └── pii_basic_with_pw.xlsx │ │ ├── s3-organization-storage-sensitive-data-parquet │ │ │ ├── data │ │ │ 
│ └── 1 │ │ │ │ │ ├── phi_nhs_fda_ndc.parquet │ │ │ │ │ ├── pci_card_data_visa.parquet │ │ │ │ │ └── pii_basic_with_pw.parquet │ │ │ └── Pulumi.yaml │ │ ├── s3-organization-storage-private-public-key │ │ │ └── data │ │ │ │ ├── 1 │ │ │ │ └── cnappgoatPrivateKey.pem │ │ │ │ └── 2 │ │ │ │ └── cnappgoatCertificate.pem │ │ ├── s3-public-storage-phi-data │ │ │ └── Pulumi.yaml │ │ ├── s3-public-storage-basic-pii-data │ │ │ └── Pulumi.yaml │ │ ├── s3-account-storage-basic-pii-data │ │ │ └── Pulumi.yaml │ │ ├── s3-organization-storage-phi-data │ │ │ └── Pulumi.yaml │ │ └── s3-organization-storage-basic-pii-data │ │ │ └── Pulumi.yaml │ └── azure │ │ ├── blob-container-account-storage-pci-sqllite │ │ ├── data │ │ │ └── pci_card_data_mix.db │ │ └── Pulumi.yaml │ │ ├── blob-container-account-storage-pci-data │ │ ├── data │ │ │ └── pci_card_data_visa.parquet │ │ └── Pulumi.yaml │ │ ├── blob-container-account-storage-sensitive-data-iso │ │ ├── data │ │ │ └── 1 │ │ │ │ ├── phi_nhs_fda_ndc.iso │ │ │ │ └── pci_card_data_mix.iso │ │ └── Pulumi.yaml │ │ ├── blob-container-account-storage-sensitive-data-compression │ │ └── data │ │ │ ├── 1 │ │ │ └── pii_basic.zip │ │ │ └── 2 │ │ │ └── pci_card_data_mix_level3.zip │ │ ├── blob-container-account-storage-pii-data-password-hash │ │ └── data │ │ │ └── 2 │ │ │ └── pii_basic_with_pw.xlsx │ │ ├── blob-container-account-storage-sensitive-data-parquet │ │ ├── data │ │ │ └── 1 │ │ │ │ ├── phi_nhs_fda_ndc.parquet │ │ │ │ ├── pii_basic_with_pw.parquet │ │ │ │ └── pci_card_data_visa.parquet │ │ └── Pulumi.yaml │ │ ├── blob-container-account-storage-private-public-key │ │ └── data │ │ │ ├── 1 │ │ │ └── cnappgoatPrivateKey.pem │ │ │ └── 2 │ │ │ └── cnappgoatCertificate.pem │ │ ├── blob-container-account-storage-phi-data │ │ └── Pulumi.yaml │ │ └── blob-container-account-storage-basic-pii-data │ │ └── Pulumi.yaml └── ciem │ └── aws │ ├── iam-new-privileged-user │ ├── Pulumi.yaml │ └── main.go │ ├── iam-new-privileged-role │ ├── Pulumi.yaml │ └── 
main.go │ ├── public-ecr-repository │ ├── Pulumi.yaml │ └── main.go │ ├── iam-overprivileged-role │ ├── Pulumi.yaml │ ├── lambda │ │ └── index.js │ └── main.go │ ├── iam-overprivileged-user │ ├── Pulumi.yaml │ └── lambda │ │ └── index.js │ ├── iam-overprivileged-group │ ├── Pulumi.yaml │ └── lambda │ │ └── index.js │ ├── iam-weak-password │ ├── Pulumi.yaml │ └── main.go │ ├── iam-user-mfa-not-enabled │ ├── main.go │ └── Pulumi.yaml │ ├── iam-privesc-ec2-passrole │ ├── Pulumi.yaml │ └── main.go │ ├── iam-external-id-3rd-party-role │ ├── Pulumi.yaml │ └── main.go │ ├── iam-public-role │ ├── Pulumi.yaml │ └── main.go │ └── codebuild-administrator-servicerole │ ├── Pulumi.yaml │ └── main.go └── .gitignore /scenarios/cspm/aws/s3-unencrypted-transport/http.txt: -------------------------------------------------------------------------------- 1 | data -------------------------------------------------------------------------------- /scenarios/cspm/gcp/storage-public-bucket-secrets/CNAPPgoat-public-data.txt: -------------------------------------------------------------------------------- 1 | My public data is here.. 
-------------------------------------------------------------------------------- /scenarios/cspm/gcp/compute-public-image-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/ubuntu/ubuntu:edge 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-container-xmrig-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:xmrig_image -------------------------------------------------------------------------------- /scenarios/cwpp/azure/malicious-container-xmrig-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:xmrig_image -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-redis-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:redis_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-tomcat-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:tomcat_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-redis-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:redis_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/end-of-life-container-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 
public.ecr.aws/i3j2g7c0/cnappgoat-images:end_of_life_ubuntu2110_image -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-jenkins-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:jenkins_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-log4shell-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:log4shell_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-jenkins-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:jenkins_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-tomcat-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:tomcat_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/malicious-container-xmrig-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:xmrig_image -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-thunderbird-on-ecr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:thunderbird_image 2 | -------------------------------------------------------------------------------- 
/scenarios/cwpp/azure/end-of-life-container-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:end_of_life_ubuntu2110_image -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-log4shell-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:log4shell_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-thunderbird-on-acr/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:thunderbird_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-jenkins-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:jenkins_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-redis-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:redis_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-tomcat-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:tomcat_image 2 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/end-of-life-container-on-artifact-registry/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:end_of_life_ubuntu2110_image -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-log4shell-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:log4shell_image 2 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/lambda-env-secrets/app.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/cspm/aws/lambda-env-secrets/app.zip -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-thunderbird-on-artifact-registry/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/i3j2g7c0/cnappgoat-images:thunderbird_image 2 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/function-env-secrets/app.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/cspm/gcp/function-env-secrets/app.zip -------------------------------------------------------------------------------- /scenarios/cspm/aws/s3-public-bucket-secrets/secret.txt: -------------------------------------------------------------------------------- 1 | aws_access_key_id = AAIAYA6A3ADAWABA5ASA 2 | aws_secret_access_key = 7AnAGALAxAYAgABA9AzAAAUA5AcAvAkA6AAA6AZA -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-pci-sqllite/data/pci_card_data_mix.db: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-pci-sqllite/data/pci_card_data_mix.db -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-pci-data/data/pci_card_data_visa.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-pci-data/data/pci_card_data_visa.parquet -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-compression/data/1/pii_basic.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-compression/data/1/pii_basic.zip -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-iso/data/1/pci_card_data_mix.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-iso/data/1/pci_card_data_mix.iso -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-iso/data/1/phi_nhs_fda_ndc.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-iso/data/1/phi_nhs_fda_ndc.iso -------------------------------------------------------------------------------- 
/scenarios/dspm/aws/s3-public-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-public-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-pci-sqllite/data/pci_card_data_mix.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-pci-sqllite/data/pci_card_data_mix.db -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-pci-data/data/pci_card_data_visa.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-pci-data/data/pci_card_data_visa.parquet -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/phi_nhs_fda_ndc.parquet: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/phi_nhs_fda_ndc.parquet -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-iso/data/1/phi_nhs_fda_ndc.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-iso/data/1/phi_nhs_fda_ndc.iso -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/pci_card_data_visa.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/pci_card_data_visa.parquet -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/pii_basic_with_pw.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/data/1/pii_basic_with_pw.parquet -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-compression/data/1/pii_basic.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-compression/data/1/pii_basic.zip -------------------------------------------------------------------------------- 
/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-iso/data/1/pci_card_data_mix.iso: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-iso/data/1/pci_card_data_mix.iso -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-compression/data/2/pci_card_data_mix_level3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/aws/s3-organization-storage-sensitive-data-compression/data/2/pci_card_data_mix_level3.zip -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-pii-data-password-hash/data/2/pii_basic_with_pw.xlsx -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/phi_nhs_fda_ndc.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/phi_nhs_fda_ndc.parquet -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/pii_basic_with_pw.parquet: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/pii_basic_with_pw.parquet -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/pci_card_data_visa.parquet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/data/1/pci_card_data_visa.parquet -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-compression/data/2/pci_card_data_mix_level3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tenable/cnappgoat-scenarios/HEAD/scenarios/dspm/azure/blob-container-account-storage-sensitive-data-compression/data/2/pci_card_data_mix_level3.zip -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-imds-v1-enabled/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ec2-imds-v1-enabled 2 | runtime: go 3 | description: Creates a new EC2 instance with IMDSv1 enabled 4 | cnappgoat-params: 5 | module: cspm 6 | platform: aws 7 | id: cspm-aws-ec2-imds-v1-enabled 8 | friendlyName: EC2 With IMDSv1 Enabled 9 | description: Creates a new ec2 instance with IMDSv1 enabled 10 | scenarioType: native 11 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-new-privileged-user/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: iam-new-privileged-user 2 | runtime: go 3 | description: Creates a new IAM user with admin privileges. 
It is recommended to alert on the creation of new privileged users. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-iam-new-priviliged-user 8 | friendlyName: IAM User With Admin Privileges 9 | description: Creates a new IAM User and a new IAM user with admin privileges. It is recommended to alert on the creation of new privileged users. 10 | scenarioType: native 11 | -------------------------------------------------------------------------------- /scenarios/cspm/azure/unrestricted-rdp/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-azure-unrestricted-rdp 2 | runtime: go 3 | description: This script sets up an Azure VNet with an NSG rule that allows unrestricted RDP access from the internet. 4 | cnappgoat-params: 5 | description: This script sets up an Azure VNet with an NSG rule that allows unrestricted RDP access from the internet. 6 | friendlyName: Azure Unrestricted RDP Access 7 | id: cspm-azure-unrestricted-rdp 8 | module: cspm 9 | scenarioType: native 10 | platform: azure 11 | config: 12 | azure-native:location: EastUS2 13 | -------------------------------------------------------------------------------- /scenarios/cspm/azure/unrestricted-ssh/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-azure-unrestricted-ssh 2 | runtime: go 3 | description: This script sets up an Azure VNet with an NSG rule that allows unrestricted SSH access from the internet. 4 | cnappgoat-params: 5 | description: This script sets up an Azure VNet with an NSG rule that allows unrestricted SSH access from the internet. 
6 | friendlyName: Azure Unrestricted SSH Access 7 | id: cspm-azure-unrestricted-ssh 8 | module: cspm 9 | scenarioType: native 10 | platform: azure 11 | config: 12 | azure-native:location: EastUS2 13 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-new-privileged-role/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: iam-new-privileged-role 2 | runtime: go 3 | description: Creates a new IAM Role and a new IAM role with admin privileges. It is recommended to alert on the creation of new privileged roles. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-iam-new-priviliged-role 8 | friendlyName: IAM Role With Admin Privileges 9 | description: Creates a new IAM Role and a new IAM role with admin privileges. It is recommended to alert on the creation of new privileged roles. 10 | scenarioType: native 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # If you prefer the allow list template instead of the deny list, see community template: 2 | # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore 3 | # 4 | # Binaries for programs and plugins 5 | *.exe 6 | *.exe~ 7 | *.dll 8 | *.so 9 | *.dylib 10 | 11 | # Test binary, built with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Dependency directories (remove the comment below to include it) 18 | # vendor/ 19 | 20 | # Go workspace file 21 | go.work 22 | 23 | # macos 24 | .DS_Store -------------------------------------------------------------------------------- /scenarios/ciem/aws/public-ecr-repository/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-public-ecr-repository 2 | runtime: go 
3 | description: Creates a public ECR repository. It is recommended to alert on the creation of public ECR repositories, and only allow public repositories when necessary. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-public-ecr-repository 8 | friendlyName: Public ECR Repository 9 | description: Creates a public ECR repository. It is recommended to alert on the creation of public ECR repositories, and only allow public repositories when necessary. 10 | scenarioType: native 11 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-ec2-xmrig/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-malicious-ec2-xmrig 2 | runtime: go 3 | description: The scenario deploys an Amazon EC2 instance running XMRig miner, which 4 | enables cryptocurrency mining - a security vulnerability and resource 5 | misuse. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-malicious-ec2-xmrig 10 | friendlyName: Malicious EC2 Xmrig 11 | description: This scenario involves a deployment of a cryptocurrency mining EC2 12 | instance on AWS using XMRig. To mitigate this issue, it's recommended to use a malware detection solution. 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-role/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-overprivileged-role 2 | runtime: go 3 | description: Creates an IAM Role with overprivileged permissions. IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-iam-overprivileged-role 8 | friendlyName: IAM Role With Overprivileged Permissions 9 | description: Creates an IAM Role with overprivileged permissions. 
IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. 10 | scenarioType: native 11 | 12 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/end-of-life-container-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-end-of-life-container-on-ecr 2 | runtime: go 3 | description: The scenario creates a Docker image with an outdated Ubuntu 21.10, raising 4 | security concerns. It then pushes the image to a new AWS ECR. To fix this, 5 | use a currently supported Ubuntu version. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-end-of-life-container-on-ecr 10 | friendlyName: End Of Life Container On ECR 11 | description: The scenario creates an Elastic Container Registry (ECR) and deploys 12 | a container with an outdated Ubuntu 21.10, posing potential security 13 | risks and compatibility problems. 14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/end-of-life-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-end-of-life-ec2 2 | runtime: go 3 | description: The scenario deploys an EC2 instance using Ubuntu 21.10, now an end-of-life 4 | OS posing security risks due to ceased support. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: aws 8 | id: cwpp-aws-end-of-life-ec2 9 | friendlyName: End Of Life EC2 10 | description: In the given AWS scenario, the deployment script in Go creates an EC2 11 | instance based on obsolete Ubuntu 21.10, leading to a security concern due to 12 | its end-of-life status. The problem is the use of an unsupported Ubuntu 13 | version, thus becoming susceptible to security breaches due to lack of updates. 
14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-user/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-overprivileged-user 2 | runtime: go 3 | description: Creates an IAM User with overprivileged permissions. IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-iam-overprivileged-user 8 | friendlyName: IAM User With Overprivileged Permissions 9 | description: Creates an IAM User with overprivileged permissions. IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. The scenario does this by creating a lambda and using the user access keys (shared via secret) with it. 10 | scenarioType: native 11 | 12 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-group/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-overprivileged-group 2 | runtime: go 3 | description: Creates an IAM Group with overprivileged permissions. IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. 4 | cnappgoat-params: 5 | module: ciem 6 | platform: aws 7 | id: ciem-aws-iam-overprivileged-group 8 | friendlyName: IAM Group With Overprivileged Permissions 9 | description: Creates an IAM Group with overprivileged permissions. IAM Roles should be assigned the least amount of privileges necessary to perform their intended function. The scenario does this by creating a lambda and using the group access keys (shared via secret) with it. 
10 | scenarioType: native 11 | 12 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-thunderbird-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-thunderbird-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Thunderbird image. 4 | To correct this, create a safe testing environment 5 | or use up-to-date, secure Thunderbird images. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: gcp 9 | id: cwpp-gcp-vulnerable-container-thunderbird-on-vm 10 | friendlyName: Vulnerable Container Thunderbird On VM (CVE-2022-1529) 11 | description: This scenario deploys a VM containing a vulnerable Thunderbird version (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529). To remediate this, ensure Thunderbird is updated to the latest version. 12 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-weak-password/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-weak-password 2 | runtime: go 3 | description: The scenario creates an IAM user with a weak password, posing a security 4 | risk due to potential brute-force attacks. To remediate this, the password policy 5 | should be updated to require a minimum length of 14 characters. 6 | cnappgoat-params: 7 | description: The scenario creates an Identity Access Management (IAM) User with 8 | a weak password, increasing vulnerability to brute-force attacks. The problem 9 | lies in IAM password policy, which should be a minimum of 14 characters for improved 10 | security. 
11 | friendlyName: IAM Weak Password 12 | id: ciem-aws-iam-weak-password 13 | module: ciem 14 | scenarioType: native 15 | platform: aws 16 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-open-public/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ec2-open-public 2 | runtime: go 3 | description: This script establishes an AWS EC2 instance running a public web server 4 | on port 80, It exposes the server to any incoming traffic. To fix this issue, restrict 5 | CIDR range in the security group to known IPs, enhancing security. 6 | cnappgoat-params: 7 | description: The provided scenario establishes a new Amazon EC2 instance to host a public webserver on port 80. 8 | It enables public access to port 80, which is a security risk. To fix this issue, revise the security group settings, limiting access 9 | to known and trusted IP addresses. 10 | friendlyName: EC2 Open Public 11 | id: cspm-aws-ec2-open-public 12 | module: cspm 13 | scenarioType: native 14 | platform: aws 15 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-log4shell-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-log4shell-on-vm 2 | runtime: go 3 | description: This scenario allows you to create a VM and load an image that contains the log4shell vulnerability. Specifically it involves the creation of a vulnerable Apache Solr. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: gcp 7 | id: cwpp-gcp-vulnerable-container-log4shell-on-vm 8 | friendlyName: Vulnerable Container Log4shell On VM (CVE-2021-44228) 9 | description: This scenario sets up a Virtual Machine hosting an image with the log4shell vulnerability (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). 
Remediation involves securing the VM post-testing including updating or removing the vulnerable image. 10 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-redis-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-redis-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Redis image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. To correct this, create a safe testing environment or use up-to-date, secure Redis images. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-redis-on-vm 9 | friendlyName: Vulnerable Container Redis On VM (CVE-2022-0543) 10 | description: This scenario deploys a VM containing a vulnerable Redis version (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543). To remediate this, ensure Redis is updated to the latest version. 11 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-tomcat-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-tomcat-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Tomcat image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. To correct this, create a safe testing environment or use up-to-date, secure Tomcat images. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-tomcat-on-vm 9 | friendlyName: Vulnerable Container Tomcat On VM (CVE-2020-1938) 10 | description: This scenario deploys a VM containing a vulnerable Tomcat version (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). 
To remediate this, ensure Tomcat is updated to the latest version. 11 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-jenkins-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-jenkins-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Jenkins image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. To correct this, create a safe testing environment or use up-to-date, secure Jenkins images. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-jenkins-on-vm 9 | friendlyName: Vulnerable Container Jenkins On VM (CVE-2021-21697) 10 | description: This scenario deploys a VM containing a vulnerable Jenkins version (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). To remediate this, ensure Jenkins is updated to the latest version. 11 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-thunderbird-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-thunderbird-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Thunderbird image. 4 | To correct this, create a safe testing environment 5 | or use up-to-date, secure Thunderbird images. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: azure 9 | id: cwpp-azure-vulnerable-container-thunderbird-on-vm 10 | friendlyName: Vulnerable Container Thunderbird On VM (CVE-2022-1529) 11 | description: This scenario deploys a VM containing a vulnerable Thunderbird version (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529). To remediate this, ensure Thunderbird is updated to the latest version. 
12 | config: 13 | azure-native:location: EastUS2 14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/cspm/azure/vm-open-public/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-azure-vm-open-public 2 | runtime: go 3 | description: This script establishes an Azure VM instance running a public web server 4 | on port 80. It exposes the server to any incoming traffic. To fix this issue, restrict 5 | CIDR range in the NSG to known IPs, enhancing security. 6 | cnappgoat-params: 7 | description: The provided scenario establishes a new Azure VM instance to host a public webserver on port 80. 8 | It enables public access to port 80, which is a security risk. To fix this issue, revise the NSG settings, limiting access 9 | to known and trusted IP addresses. 10 | friendlyName: VM Open Public 11 | id: cspm-azure-vm-open-public 12 | module: cspm 13 | scenarioType: native 14 | platform: azure 15 | config: 16 | azure-native:location: EastUS2 17 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-log4shell-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-log4shell-on-acr 2 | runtime: go 3 | description: This scenario allows you to create a new ACR and copy an image with vulnerable log4shell. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: azure 7 | id: cwpp-azure-vulnerable-container-log4shell-on-acr 8 | friendlyName: Vulnerable Container log4shell On ACR (CVE-2021-44228) 9 | description: This scenario creates a new ACR and copies an image with vulnerable log4shell (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). 
To address this issue, you should always ensure your container images are updated and use 10 | vulnerability scanning tools to detect and fix possible security issues swiftly. 11 | config: 12 | azure-native:location: EastUS2 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-log4shell-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-log4shell-on-vm 2 | runtime: go 3 | description: This scenario allows you to create a VM and load an image that contains the log4shell vulnerability. Specifically it involves the creation of a vulnerable Apache Solr. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: azure 7 | id: cwpp-azure-vulnerable-container-log4shell-on-vm 8 | friendlyName: Vulnerable Container Log4shell On VM (CVE-2021-44228) 9 | description: This scenario sets up a Virtual Machine hosting an image with the log4shell vulnerability (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). Remediation involves securing the VM post-testing including updating or removing the vulnerable image. 10 | config: 11 | azure-native:location: EastUS2 12 | scenarioType: native 13 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-redis-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-redis-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Redis image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. To correct this, create a safe testing environment or use up-to-date, secure Redis images. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-redis-on-vm 9 | friendlyName: Vulnerable Container Redis On VM (CVE-2022-0543) 10 | description: This scenario deploys a VM containing a vulnerable Redis version (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543). To remediate this, ensure Redis is updated to the latest version. 11 | config: 12 | azure-native:location: EastUS2 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-role/lambda/index.js: -------------------------------------------------------------------------------- 1 | const AWS = require('aws-sdk'); 2 | 3 | exports.handler = async function(event, context) { 4 | console.log("Received event: ", event); 5 | 6 | // Parse the BucketName from the event 7 | const bucketName = event.BucketName; 8 | 9 | const s3 = new AWS.S3(); 10 | // List all buckets 11 | const buckets = await s3.listBuckets().promise(); 12 | 13 | // List the bucket 14 | const data = await s3.listObjectsV2({ 15 | Bucket: bucketName 16 | }).promise(); 17 | // Get bucket public access block 18 | const publicAccessBlock = await s3.getPublicAccessBlock({ 19 | Bucket: bucketName 20 | }).promise(); 21 | console.log("Public access block: ", publicAccessBlock) 22 | console.log("Buckets: ", buckets); 23 | console.log("Bucket contents: ", data); 24 | } 25 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-container-xmrig-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-malicious-container-xmrig-on-ec2 2 | runtime: go 3 | description: The scenario deploys an EC2 instance housing an XMRig container 4 | this is a cryptominer. To resolve this, terminate the machine. To detect cryptominer installs, 5 | deploy a malware detection engine on your environment. 
6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-malicious-container-xmrig-on-ec2 10 | friendlyName: Malicious Container Xmrig On EC2 11 | description: The scenario features an Amazon EC2 instance creation, with an embedded 12 | malicious XMRig docker container. It poses a problem by deploying the XMRig mining software that utilizes computing 13 | resources unapproved. For remediation, deploy a malware detection engine on your environment. 14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-user-mfa-not-enabled/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | // Create an IAM user without MFA enabled and with a login profile 11 | user, err := iam.NewUser(ctx, "user", &iam.UserArgs{ 12 | Tags: pulumi.StringMap{ 13 | "Cnappgoat": pulumi.String("true"), 14 | }, 15 | }) 16 | 17 | if err != nil { 18 | return err 19 | } 20 | // Create an IAM login profile for the user 21 | _, err = iam.NewUserLoginProfile(ctx, "loginProfile", &iam.UserLoginProfileArgs{ 22 | User: user.Name, 23 | PasswordLength: pulumi.Int(20), 24 | }) 25 | ctx.Export("userName", user.Name) 26 | ctx.Export("userArn", user.Arn) 27 | return nil 28 | }) 29 | } 30 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-tomcat-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-tomcat-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Tomcat image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. 
To correct this, create a safe testing environment or use up-to-date, secure Tomcat images. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-tomcat-on-vm 9 | friendlyName: Vulnerable Container Tomcat On VM (CVE-2020-1938) 10 | description: This scenario deploys a VM containing a vulnerable Tomcat version (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). To remediate this, ensure Tomcat is updated to the latest version. 11 | 12 | config: 13 | azure-native:location: EastUS2 14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-log4shell-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-log4shell-on-artifact-registry 2 | runtime: go 3 | description: This scenario allows you to create a new artifact registry and copy an image with vulnerable log4shell. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: gcp 7 | id: cwpp-gcp-vulnerable-container-log4shell-on-artifact-registry 8 | friendlyName: Vulnerable Container log4shell On Artifact Registry (CVE-2021-44228) 9 | description: This scenario creates a new artifact registry and copies an image with vulnerable log4shell (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). To address this issue, you should always ensure your container images are updated and use 10 | vulnerability scanning tools to detect and fix possible security issues swiftly. 
11 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-jenkins-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-jenkins-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with a vulnerable Jenkins image. The main problem is it intentionally introduces vulnerability, 4 | leaving the system exposed. To correct this, create a safe testing environment or use up-to-date, secure Jenkins images. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-jenkins-on-vm 9 | friendlyName: Vulnerable Container Jenkins On VM (CVE-2021-21697) 10 | description: This scenario deploys a VM containing a vulnerable Jenkins version (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). To remediate this, ensure Jenkins is updated to the latest version. 11 | config: 12 | azure-native:location: EastUS2 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/end-of-life-container-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-end-of-life-container-on-ec2 2 | runtime: go 3 | description: This scenario deploys an AWS EC2 instance with an outdated Ubuntu 21.10 container, resulting in a security risk due to a lack of updates and patches. Remediation involves updating the container's base image to a current, supported version. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: aws 7 | id: cwpp-aws-end-of-life-container-on-ec2 8 | friendlyName: End of Life Container On EC2 9 | description: The script deploys an EC2 instance running an EOL Ubuntu 21.10 within 10 | a Docker container. 
This poses a security issue as the EOL operating system version 11 | doesn't receive updates or patches, leaving it vulnerable. Fix this by updating 12 | the Docker container to use the most recent and supported Ubuntu version. 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/end-of-life-container-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-end-of-life-container-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates an Artifact Registry in GCP and uploads a dated OS image. 4 | This poses a risk as an outdated OS might have unpatched vulnerabilities. To mitigate, 5 | maintain regular monitoring to stay notified of out-of-date containers. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: gcp 9 | id: cwpp-gcp-end-of-life-container-on-artifact-registry 10 | friendlyName: End Of Life Container On Artifact Registry 11 | description: This scenario simulates an GCP Artifact Registry creation and uploading of a dated OS image. A key issue is that images with outdated OSes can pose significant 12 | security threats. The remediation strategy involves updating the system, and following secure OS practices. 13 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/malicious-container-xmrig-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-malicious-container-xmrig-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with malware loaded (XMRig crypto miner). 4 | Resolving this requires enabling malware detection engine in your environment. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-malicious-container-xmrig-on-vm 9 | friendlyName: Malicious Container Xmrig On VM 10 | description: The "cwpp-gcp-malicious-container-xmrig-on-vm" scenario creates a 11 | virtual machine (VM) and loads a malicious image (crypto miner), aiming to evaluate 12 | your CNAPP solution's ability to detect harmful files. However, this approach 13 | is problematic as it exposes your organization's infrastructure to malicious threats. 14 | To mitigate this, consider deploying a malware detection engine in your environment. 15 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-redis-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-redis-on-ec2 2 | runtime: go 3 | description: This scenario deploys an EC2 instance with a vulnerable Redis image, raising security risks. To resolve this, update the Redis to a secure version. 4 | cnappgoat-params: 5 | module: cwpp 6 | platform: aws 7 | id: cwpp-aws-vulnerable-container-redis-on-ec2 8 | friendlyName: Vulnerable Container Redis On EC2 (CVE-2022-0543) 9 | description: The script deploys an AWS EC2 instance with a vulnerable 10 | Redis image (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543). The issue lies in the potential security vulnerabilities 11 | that could be exploited, thereby posing risks to the EC2's resources. To remediate 12 | this, use secure, updated, and reputable Redis images and regularly conduct vulnerability 13 | scanning and patching. 
14 | scenarioType: native 15 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/end-of-life-container-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-end-of-life-container-on-acr 2 | runtime: go 3 | description: This scenario creates an Azure Container Registry 4 | and uploads a dated OS image. This poses a risk 5 | as an outdated OS might have unpatched vulnerabilities. To mitigate, 6 | maintain regular monitoring to stay notified of out-of-date containers. 7 | cnappgoat-params: 8 | module: cwpp 9 | platform: azure 10 | id: cwpp-azure-end-of-life-container-on-acr 11 | friendlyName: End Of Life Container On ACR 12 | description: This scenario simulates an Azure Container Registry creation and uploading of a dated OS image. A key issue is that images with outdated OSes can pose significant 13 | security threats. The remediation strategy involves updating the system, and following secure OS practices. 14 | config: 15 | azure-native:location: EastUS2 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-secrets-expose/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ec2-secrets-expose 2 | runtime: go 3 | description: The scenario creates a new EC2 instance secrets in user data. 4 | Remediation involves securely managing these secrets, preferably through AWS Secrets 5 | Manager. 6 | cnappgoat-params: 7 | description: The scenario creates a new EC2 instance suing Pulumi, with sensitive 8 | information ("mysecretpassword1231") in the user data. The issue is that placing 9 | secrets in the user data presents a major security risk, as this data is not encrypted 10 | and can be easily accessed. 
To solve the problem, secrets should be stored securely 11 | using AWS Secrets Manager or AWS Parameter Store, allowing the EC2 instance to 12 | retrieve them securely when needed. 13 | friendlyName: EC2 With Secrets Embedded 14 | id: cspm-aws-ec2-secrets-expose 15 | module: cspm 16 | scenarioType: native 17 | platform: aws 18 | -------------------------------------------------------------------------------- /scenarios/cspm/azure/vm-secretes-exposed/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: vm-secrets-expose 2 | runtime: go 3 | description: The scenario creates a new Azure VM instance with secrets in custom data. 4 | Remediation involves securely managing these secrets, preferably through Azure Key Vault. 5 | cnappgoat-params: 6 | description: The scenario creates a new Azure VM instance using Pulumi, with sensitive 7 | information ("mysecretpassword1231") in the custom data. The issue is that placing 8 | secrets in the custom data presents a major security risk, as this data is not encrypted 9 | and can be easily accessed. To solve the problem, secrets should be stored securely 10 | using Azure Key Vault, allowing the VM to retrieve them securely when needed. 11 | friendlyName: VM With Secrets Embedded 12 | id: cspm-azure-vm-secrets-expose 13 | module: cspm 14 | scenarioType: native 15 | platform: azure 16 | config: 17 | azure-native:location: EastUS2 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-thunderbird-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-thunderbird-on-ec2 2 | runtime: go 3 | description: This scenario deploys an AWS EC2 instance with a vulnerable Thunderbird 4 | package, leading to potential security risks. To mitigate this, update the Thunderbird 5 | package or use safer alternatives. 
6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-vulnerable-container-thunderbird-on-ec2 10 | friendlyName: Vulnerable Container Thunderbird On EC2 (CVE-2022-1529) 11 | description: The script generates an AWS EC2 instance using a vulnerable Thunderbird 12 | package (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529), risking system exploitation. The vulnerability arises from the script's 13 | image, containing a potentially exploitable Thunderbird package. To fix this, 14 | incorporate an update of the Thunderbird package to the latest version. 15 | scenarioType: native 16 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-redis-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-redis-on-ecr 2 | runtime: go 3 | description: This scenario creates an ECR, hosting a container with a vulnerable 4 | Redis version, raising security risks. Mitigation requires regular Redis image updates. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: aws 8 | id: cwpp-aws-vulnerable-container-redis-on-ecr 9 | friendlyName: Vulnerable Container Redis On ECR (CVE-2022-0543) 10 | description: The scenario involves creating an Amazon Elastic Container 11 | Registry (ECR) containing a Redis container with a vulnerability (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543), making it susceptible 12 | to threats. The issue lies with the outdated, compromised Redis version. To resolve 13 | this, one should update Redis to a current, secure version, which would bolster 14 | the ECR's security and overall deployment integrity. 
15 | scenarioType: native 16 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/malicious-container-xmrig-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-malicious-container-xmrig-on-vm 2 | runtime: go 3 | description: This scenario creates a VM with malware loaded (XMRig crypto miner). 4 | Resolving this requires enabling malware detection engine in your environment. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-malicious-container-xmrig-on-vm 9 | friendlyName: Malicious Container Xmrig On VM 10 | description: The "cwpp-azure-malicious-container-xmrig-on-vm" scenario creates a 11 | virtual machine (VM) and loads a malicious image (crypto miner), aiming to evaluate 12 | your CNAPP solution's ability to detect harmful files. However, this approach 13 | is problematic as it exposes your organization's infrastructure to malicious threats. 14 | To mitigate this, consider deploying a malware detection engine in your environment. 15 | config: 16 | azure-native:location: EastUS2 17 | scenarioType: native 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/end-of-life-container-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-end-of-life-container-on-vm 2 | runtime: go 3 | description: This scenario loads an End-of-life operating system. To fix this issue, 4 | Update the OS to a version currently maintained. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-end-of-life-container-on-vm 9 | friendlyName: End Of Life Container On VM 10 | description: This scenario enables creation of a VM with an out-of-date OS, specifically Ubuntu 21.10, to test if the CNAPP solution generates 11 | alerts for deprecated OS versions. 
The issue with this scenario is the intentional 12 | use of an out-of-date OS which exposes the system to vulnerabilities and lacks 13 | updates or support. To remediate this, refrain from using deprecated operating 14 | system versions and ensure the OS image used for any VM creation is up-to-date 15 | and receives regular security patches. 16 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cspm/aws/s3-unencrypted-transport/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: s3-unencrypted-transport 2 | runtime: go 3 | description: The scenario deploys an S3 bucket via Pulumi and allows unencrypted HTTP 4 | access, posing a security risk. The problem can be remediated by modifying the bucket 5 | policy to enforce encrypted HTTPS connections. 6 | cnappgoat-params: 7 | description: The scenario involves the creation of a new S3 bucket that tolerates 8 | unencrypted http access. A problem arises with this scenario as it poses potential 9 | security threats due to the lack of encryption for the file being uploaded to 10 | the bucket. Possible data breaches can be prevented by ensuring the use of encrypted 11 | HTTPS access instead of unencrypted HTTP, thereby enhancing the security and integrity 12 | of the data transferred. 13 | friendlyName: S3 With Unencrypted Access 14 | id: cspm-aws-s3-unencrypted-transport 15 | module: cspm 16 | scenarioType: native 17 | platform: aws 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-ec2-thunderbird/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-ec2-thunderbird 2 | runtime: go 3 | description: The script sets up an AWS EC2 instance with an insecure Thunderbird package, 4 | potentially exposing it to security risks. 
This issue can be resolved by regularly 5 | updating all installed packages to their latest versions. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-vulnerable-ec2-thunderbird 10 | friendlyName: Vulnerable EC2 Thunderbird (CVE-2022-1529) 11 | description: The given scenario deploys an EC2 instance on AWS using Pulumi AWS 12 | SDK, installing an insecure Thunderbird package (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529) directly from the Amazon Linux 13 | repository. This poses a security threat as it makes the system vulnerable. To 14 | fix it, ensure that the Thunderbird package is up-to-date before installation, 15 | or opt for a safer alternative. 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-privesc-ec2-passrole/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-privesc-ec2-passrole 2 | runtime: go 3 | description: The scenario creates an IAM role with EC2 passrole permissions which 4 | could lead to unauthorized access. To remediate, restrict the permissions to 5 | the necessary resources only. 6 | cnappgoat-params: 7 | description: The scenario deployed by the code creates an IAM role with EC2 and 8 | passrole permissions. The issue is that it lacks restrictions, specifically in 9 | the role policy where it allows 'ec2:RunInstances' and 'iam:PassRole' on all resources. 10 | This could potentially grant malicious users too much access. A remediation would 11 | be to enforce a stringent policy, narrowing down the resources the role has access 12 | to, thereby reducing the permissions to necessary ones only. 
13 | friendlyName: IAM Role With EC2 Passrole Permissions 14 | id: ciem-aws-iam-privesc-ec2-passrole 15 | module: ciem 16 | scenarioType: native 17 | platform: aws 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-jenkins-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-jenkins-on-ec2 2 | runtime: go 3 | description: The scenario deploys a vulnerable Jenkins image on EC2 instance, creating a security risk. Fix this by ensuring your Jenkins installation 4 | is fully up-to-date or switch to an image with recent security patches. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: aws 8 | id: cwpp-aws-vulnerable-container-jenkins-on-ec2 9 | friendlyName: Vulnerable Container Jenkins On EC2 (CVE-2021-21697) 10 | description: In this scenario, a script deploys an insecure Jenkins instance in 11 | AWS, using an EC2 instance and vulnerable Docker image (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). The issue here is that 12 | known vulnerabilities in the image can expose the Jenkins instance to attacks. 13 | A remedy for this problem is to substitute the problematic Jenkins image with 14 | a secure and updated version. 15 | scenarioType: native 16 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-tomcat-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-tomcat-on-ec2 2 | runtime: go 3 | description: The script deploys an EC2 instance and a vulnerable Tomcat image, posing 4 | a security risk. 5 | We can fix the problem by updating the image with a secure and updated version of 6 | Tomcat. 
7 | cnappgoat-params: 8 | module: cwpp 9 | platform: aws 10 | id: cwpp-aws-vulnerable-container-tomcat-on-ec2 11 | friendlyName: Vulnerable Container Tomcat On EC2 (CVE-2020-1938) 12 | description: The script configures and deploys an AWS EC2 instance running Docker 13 | with a vulnerable Tomcat server (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). The issue lies in the deployment 14 | of a compromised Tomcat server, posing a high risk of exploitation. For resolving 15 | this issue, replace the problematic Tomcat image with an updated, secure version 16 | or install the necessary patches to address known vulnerabilities. 17 | scenarioType: native 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-redis-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-redis-on-acr 2 | runtime: go 3 | description: This scenario creates an ACR and uploads a vulnerable Redis image. Issues arise from vulnerable images in the ACR. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-redis-on-acr 9 | friendlyName: Vulnerable Container Redis On ACR (CVE-2022-0543) 10 | description: this scenario creates a new Azure Container Registry (ACR) and copies a vulnerable Redis 11 | image onto it (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images in ACR. 
14 | config: 15 | azure-native:location: EastUS2 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/malicious-container-xmrig-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-malicious-container-xmrig-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates a GCP Artifact Registry laden with a 4 | malicious xmrig miner image. Its flaw lies in facilitating harmful image distribution. 5 | Mitigation involves detecting and alerting on such malicious images. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: gcp 9 | id: cwpp-gcp-malicious-container-xmrig-on-artifact-registry 10 | friendlyName: Malicious Container Xmrig On Artifact Registry 11 | description: This scenario creates an Artifact Registry on GCP 12 | hosting a malicious xmrig miner image. The issue lies in its unsecured 13 | copy, leaving your environment vulnerable to malware. It recommends strengthening your 14 | CNAPP defenses against such security threats. Remediation involves the deployment 15 | of robust intrusion detection systems to proactively identify any suspicious activity. 16 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-tomcat-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-tomcat-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates an artifact registry and uploads a vulnerable Tomcat image. Issues arise from vulnerable images in the registry. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-tomcat-on-artifact-registry 9 | friendlyName: Vulnerable Container Tomcat On Artifact Registry (CVE-2020-1938) 10 | description: this scenario creates a new Artifact Registry in GCP and copies a vulnerable Tomcat 11 | image onto it (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images. 14 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-tomcat-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-tomcat-on-acr 2 | runtime: go 3 | description: This scenario creates an ACR and uploads a vulnerable Tomcat image. Issues arise from vulnerable images in the ACR. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-tomcat-on-acr 9 | friendlyName: Vulnerable Container Tomcat On ACR (CVE-2020-1938) 10 | description: this scenario creates a new Azure Container Registry (ACR) and copies a vulnerable Tomcat 11 | image onto it (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images in ACR. 
14 | config: 15 | azure-native:location: EastUS2 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-redis-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-redis-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates an artifact registry and uploads a vulnerable Redis image. Issues arise from vulnerable images in the artifact registry. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-redis-on-artifact-registry 9 | friendlyName: Vulnerable Container Redis On Artifact Registry (CVE-2022-0543) 10 | description: this scenario creates a new Artifact Registry on GCP and copies a vulnerable Redis 11 | image onto it (CVE-2022-0543) (https://nvd.nist.gov/vuln/detail/CVE-2022-0543). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images. 14 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-user-mfa-not-enabled/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-user-mfa-not-enabled 2 | runtime: go 3 | description: This scenario creates an AWS IAM user with console access, but without 4 | Multi-Factor Authentication (MFA) enabled, posing a security risk. To remediate, 5 | modify the script to include enabling MFA while creating the user profile. 
6 | cnappgoat-params: 7 | description: This scenario creates an AWS Identity and Access Management (IAM) user 8 | without Multi-Factor Authentication (MFA) and a login profile, using Pulumi's 9 | AWS and SDK libraries. The issue with this is it does not follow security best 10 | practices as IAM users with console access should have MFA enabled for security 11 | reasons. To remedy this situation, the program should be modified to include steps 12 | for enabling MFA during or after the user creation process. 13 | friendlyName: User MFA Not Enabled 14 | id: ciem-aws-iam-user-mfa-not-enabled 15 | module: ciem 16 | scenarioType: native 17 | platform: aws 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-jenkins-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-jenkins-on-ecr 2 | runtime: go 3 | description: The scenario deploys an Elastic Container Registry (ECR) with a vulnerable Jenkins image. Fix it by switching to a secure, updated 4 | Jenkins container. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: aws 8 | id: cwpp-aws-vulnerable-container-jenkins-on-ecr 9 | friendlyName: Vulnerable Container Jenkins On ECR (CVE-2021-21697) 10 | description: The scenario's operation involves deploying an Elastic Container Registry 11 | (ECR) with a vulnerable Jenkins container (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). Its problem originates 12 | from the potential security risks posed by the vulnerable Jenkins container, exposing 13 | the system to cyber threats. The remediation requires using an updated, fully 14 | patched Jenkins container, thereby minimizing the threat to the containerized 15 | apps it oversees. 
16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/storage-public-bucket-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-gcp-public-bucket-secrets-storage 2 | runtime: go 3 | description: This scenario deploys a public bucket with secrets in it. Since this public bucket is accessible by anyone, the secrets 4 | can be easily leaked and abused for unauthorized access. 5 | cnappgoat-params: 6 | description: In the presented scenario, a storage bucket is made public, containing sensitive secrets. 7 | This openly accessible configuration poses a substantial risk. Secrets, when exposed, can be exploited by malicious actors leading to 8 | unauthorized system penetrations and potential data breaches. It's imperative to enforce robust access controls, regularly audit access 9 | logs, and use encryption measures. 10 | Keeping data security at the forefront can prevent unwanted exposures and the repercussions that follow. 11 | friendlyName: Public Bucket With Secrets Inside 12 | id: cspm-gcp-public-bucket-secrets-storage 13 | module: cspm 14 | scenarioType: native 15 | platform: gcp -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-jenkins-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-jenkins-on-acr 2 | runtime: go 3 | description: This scenario creates an ACR and uploads a vulnerable Jenkins image. Issues arise from vulnerable images in the ACR. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-jenkins-on-acr 9 | friendlyName: Vulnerable Container Jenkins On ACR (CVE-2021-21697) 10 | description: this scenario creates a new Azure Container Registry (ACR) and copies a vulnerable Jenkins 11 | image onto it (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images in ACR. 14 | config: 15 | azure-native:location: EastUS2 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-jenkins-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-jenkins-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates an artifact registry and uploads a vulnerable jenkins image. Issues arise from vulnerable images in the artifact registry. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-jenkins-on-artifact-registry 9 | friendlyName: Vulnerable Container jenkins On Artifact Registry (CVE-2021-21697) 10 | description: this scenario creates a new Artifact Registry on GCP and copies a vulnerable jenkins 11 | image onto it (CVE-2021-21697) (https://nvd.nist.gov/vuln/detail/CVE-2021-21697). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images. 
14 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cwpp/azure/end-of-life-container-on-vm/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-end-of-life-container-on-vm 2 | runtime: go 3 | description: This scenario loads an End-of-life operating system. To fix this issue, 4 | Update the OS to a version currently maintained. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-end-of-life-container-on-vm 9 | friendlyName: End Of Life Container On VM 10 | description: This scenario enables creation of a VM with an out-of-date OS, specifically Ubuntu 21.10, to test if the CNAPP solution generates 11 | alerts for deprecated OS versions. The issue with this scenario is the intentional 12 | use of an out-of-date OS which exposes the system to vulnerabilities and lacks 13 | updates or support. To remediate this, refrain from using deprecated operating 14 | system versions and ensure the OS image used for any VM creation is up-to-date 15 | and receives regular security patches. 16 | config: 17 | azure-native:location: EastUS2 18 | scenarioType: native 19 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/s3-public-bucket-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: s3-public-bucket-secrets 2 | runtime: go 3 | description: The scenario deploys a script that creates an AWS S3 bucket with public 4 | read access which exposes secrets. To remediate this, modify the bucket policy 5 | to restrict public access and refrain from storing confidential files. 6 | cnappgoat-params: 7 | description: This scenario involves deploying an S3 public bucket with confidential 8 | data. The code creates a bucket and sets it to public, making the contained secrets easily accessible, which is a significant security 9 | risk. 
To remediate the issue, consider activating the BlockPublicAcls, BlockPublicPolicy, 10 | IgnorePublicAcls, and RestrictPublicBuckets parameters, ensuring that bucket policies 11 | restrict unnecessary access, and the stored secrets are protected from unwarranted 12 | public exposure. 13 | friendlyName: Public S3 With Secrets 14 | id: cspm-aws-s3-public-bucket-secrets 15 | module: cspm 16 | scenarioType: native 17 | platform: aws 18 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-log4shell-on-ec2/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-log4shell-on-ec2 2 | runtime: go 3 | description: The scenario involves deploying an EC2 instance with a Log4shell-vulnerable 4 | container. The flaw rests with the use of a compromised Log4shell image, raising 5 | great security concerns. To correct this, replace the vulnerability-filled Log4shell 6 | image. 7 | cnappgoat-params: 8 | description: The given file deploys an Amazon EC2 instance equipped with a Docker that has a Log4Shell vulnerability (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), a severe JVM exploit risk. Unauthorized system access and data breaches may occur due to this vulnerability. To solve the problem, patch the Docker to eliminate the vulnerability, or refrain from using containers with known vulnerabilities. 
9 | module: cwpp 10 | platform: aws 11 | id: cwpp-aws-vulnerable-container-log4shell-on-ec2 12 | friendlyName: Vulnerable Container Log4shell On EC2 (CVE-2021-44228) 13 | scenarioType: native 14 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-thunderbird-on-artifact-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-gcp-vulnerable-container-thunderbird-on-artifact-registry 2 | runtime: go 3 | description: This scenario creates an artifact registry and uploads a vulnerable thunderbird image. Issues arise from vulnerable images in the registry. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 5 | cnappgoat-params: 6 | module: cwpp 7 | platform: gcp 8 | id: cwpp-gcp-vulnerable-container-thunderbird-on-artifact-registry 9 | friendlyName: Vulnerable Container Thunderbird On Artifact Registry (CVE-2022-1529) 10 | description: this scenario creates a new Artifact Registry in GCP and copies a vulnerable Thunderbird 11 | image onto it (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images. 14 | scenarioType: native -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-ami-public-volume/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ec2-ami-public-volume 2 | runtime: go 3 | description: This scenario generates an EBS volume and a related snapshot, which is registered 4 | as a public AMI. The issue lies in AMI's public status, resulting in potential unauthorized 5 | access. To rectify, modify the script to create a private AMI. 
6 | cnappgoat-params: 7 | description: The program creates a new Elastic Block Store (EBS) volume, takes its 8 | snapshot and registers that snapshot as a public Amazon Machine Image (AMI). 9 | However, the problem in doing so is that public AMIs might pose 10 | serious security risks as they can be accessed by anyone. To remediate the problem, 11 | restrict AMI's access to specific people or groups, or avoid making it public. 12 | Modify the 'ec2.AmiLaunchPermissionArgs' to limit the AMI availability to specific 13 | groups or individuals. 14 | friendlyName: EC2 Public AMI 15 | id: cspm-aws-ec2-ami-public-volume 16 | module: cspm 17 | scenarioType: native 18 | platform: aws 19 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/compute-secrets-expose/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-gcp-secrets-expose-compute 2 | runtime: go 3 | description: This scenario deploys a compute instance in GCE and stores secrets in its metadata start-up script. These secrets can be 4 | potentially leaked and unauthorized access to arbitrary services can occur. 5 | cnappgoat-params: 6 | description: In this situation, a compute instance is deployed on GCE, with secrets embedded directly within its metadata start-up 7 | script. Such an approach poses notable vulnerabilities. If these secrets are exposed, they become a gateway for malicious entities to 8 | gain unauthorized entry into various services. It's crucial to adopt encrypted storage solutions, implement stringent access controls, 9 | and regularly monitor activity logs. 10 | Diligent management of secrets can significantly mitigate the associated risks and safeguard systems. 
11 | friendlyName: Compute With Secrets Exposed 12 | id: cspm-gcp-secrets-expose-compute 13 | module: cspm 14 | scenarioType: native 15 | platform: gcp -------------------------------------------------------------------------------- /scenarios/cwpp/azure/malicious-container-xmrig-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-malicious-container-xmrig-on-acr 2 | runtime: go 3 | description: This scenario creates an Azure Container Registry (ACR) laden with a 4 | malicious xmrig miner image. Its flaw lies in facilitating harmful image distribution. 5 | Mitigation involves detecting and alerting on such malicious images. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: azure 9 | id: cwpp-azure-malicious-container-xmrig-on-acr 10 | friendlyName: Malicious Container Xmrig On ACR 11 | description: This scenario creates an Azure Container Registry 12 | (ACR) hosting a malicious xmrig miner image. The issue lies in its unsecured 13 | copy, leaving your ACR vulnerable to malware. It recommends strengthening your 14 | CNAPP defenses against such security threats. Remediation involves the deployment 15 | of robust intrusion detection systems to proactively identify any suspicious activity from the ACR. 16 | config: 17 | azure-native:location: EastUS2 18 | scenarioType: native 19 | -------------------------------------------------------------------------------- /scenarios/cwpp/azure/vulnerable-container-thunderbird-on-acr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-azure-vulnerable-container-thunderbird-on-acr 2 | runtime: go 3 | description: This scenario creates an ACR and uploads a vulnerable thunderbird image. Issues arise from vulnerable images in the ACR. Remediation includes deleting the vulnerable 4 | images and uploading secure ones. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: azure 8 | id: cwpp-azure-vulnerable-container-thunderbird-on-acr 9 | friendlyName: Vulnerable Container Thunderbird On ACR (CVE-2022-1529) 10 | description: this scenario creates a new Azure Container Registry (ACR) and copies a vulnerable Thunderbird 11 | image onto it (CVE-2022-1529) (https://nvd.nist.gov/vuln/detail/CVE-2022-1529). The problem lies in the strategic placement of a compromised 12 | container, which could lead to potential security issues. To resolve these issues, 13 | it's important to maintain updated, non-vulnerable images in ACR. 14 | config: 15 | azure-native:location: EastUS2 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-external-id-3rd-party-role/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-external-id-3rd-party-role 2 | runtime: go 3 | description: The scenario creates an IAM role without an external ID parameter. 4 | This exposes your account to confused deputy attacks. 5 | To fix, include the condition "sts:ExternalId" in your 6 | IAM role trust policy during the creation process. 7 | cnappgoat-params: 8 | description: The scenario involves the creation of an IAM role for a 3rd party without 9 | an external ID parameter. This flaw escalates the risk of impersonation attacks, 10 | especially 'confused deputy' scenarios, where rogue actors might access your account 11 | using the same vendor's services. To mitigate this issue, it's essential to include 12 | an 'External ID' in the trust policy of the IAM role, thereby adding an extra 13 | layer of security against potential impersonators. 
14 | friendlyName: IAM Role Without External ID 15 | id: ciem-aws-iam-external-id-3rd-party-role 16 | module: ciem 17 | scenarioType: native 18 | platform: aws 19 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-user/lambda/index.js: -------------------------------------------------------------------------------- 1 | const AWS = require('aws-sdk'); 2 | 3 | /** Lambda entry point. Reads SecretId, BucketName and AccessKeyId from the invocation event, fetches the secret from Secrets Manager, then lists the named bucket using the event-supplied access key id paired with the fetched SecretString as the secret access key. Errors are logged and swallowed, so the invocation resolves normally either way. */ exports.handler = async function(event, context) { 4 | const secretsmanager = new AWS.SecretsManager(); 5 | const secretId = event.SecretId; 6 | const bucketName = event.BucketName; 7 | const accessKeyId = event.AccessKeyId; 8 | console.log(`SecretId: ${secretId}`); 9 | console.log(`BucketName: ${bucketName}`); 10 | console.log(`AccessKeyId: ${accessKeyId}`); 11 | 12 | try { 13 | const data = await secretsmanager.getSecretValue({ SecretId: secretId }).promise(); 14 | /* NOTE(review): this logs the entire GetSecretValue response, SecretString included, into the function's log stream; the secret is then readable by anyone with access to those logs. */ console.log(data); 15 | const accessKeySecret = data.SecretString; 16 | 17 | /* S3 calls use the event-supplied key id plus the secret just fetched, not the identity the SecretsManager client above runs as (it is built with no explicit credentials, presumably the execution role). */ const s3 = new AWS.S3({ 18 | accessKeyId: accessKeyId, 19 | secretAccessKey: accessKeySecret, 20 | }); 21 | 22 | const bucketContents = await s3.listObjectsV2({ 23 | Bucket: bucketName, 24 | }).promise(); 25 | 26 | console.log(bucketContents); 27 | } catch (err) { 28 | /* Best-effort: failures are only logged, nothing is returned or rethrown. */ console.error(err); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-group/lambda/index.js: -------------------------------------------------------------------------------- 1 | const AWS = require('aws-sdk'); 2 | 3 | /** Lambda entry point. Reads SecretId, BucketName and AccessKeyId from the invocation event, fetches the secret from Secrets Manager, then lists the named bucket using the event-supplied access key id paired with the fetched SecretString as the secret access key. Errors are logged and swallowed, so the invocation resolves normally either way. */ exports.handler = async function(event, context) { 4 | const secretsmanager = new AWS.SecretsManager(); 5 | const secretId = event.SecretId; 6 | const bucketName = event.BucketName; 7 | const accessKeyId = event.AccessKeyId; 8 | console.log(`SecretId: ${secretId}`); 9 | console.log(`BucketName: ${bucketName}`); 10 | console.log(`AccessKeyId: ${accessKeyId}`); 11 | 12 | try { 13 | const data = await secretsmanager.getSecretValue({ 
SecretId: secretId }).promise(); 14 | /* NOTE(review): this logs the entire GetSecretValue response, SecretString included, into the function's log stream; the secret is then readable by anyone with access to those logs. */ console.log(data); 15 | const accessKeySecret = data.SecretString; 16 | 17 | /* S3 calls use the event-supplied key id plus the secret just fetched, not the identity the SecretsManager client above runs as (it is built with no explicit credentials, presumably the execution role). */ const s3 = new AWS.S3({ 18 | accessKeyId: accessKeyId, 19 | secretAccessKey: accessKeySecret, 20 | }); 21 | 22 | const bucketContents = await s3.listObjectsV2({ 23 | Bucket: bucketName, 24 | }).promise(); 25 | 26 | console.log(bucketContents); 27 | } catch (err) { 28 | /* Best-effort: failures are only logged, nothing is returned or rethrown. */ console.error(err); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-public-role/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: ciem-aws-iam-public-role 2 | runtime: go 3 | description: The scenario deploys a public IAM role, 4 | which poses a security risk by granting access to all principals. Remedy this by 5 | restricting the Principal field in AssumeRolePolicy to specific entities instead 6 | of all. 7 | cnappgoat-params: 8 | description: The given scenario deploys a public Identity and Access Management 9 | (IAM) role using Pulumi's AWS SDK. The issue here is the potential security vulnerability, 10 | as the role configuration allows any AWS principal to assume the role, increasing 11 | the risks of unauthorized access and potentially dangerous actions. To remediate 12 | this, it's advised to implement strict access measures by defining specific principals 13 | that can assume this role and implementing necessary IAM policies, thus shoring 14 | up the security weakness in the current setup. 
15 | friendlyName: IAM Public Role 16 | id: ciem-aws-iam-public-role 17 | module: ciem 18 | scenarioType: native 19 | platform: aws 20 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-thunderbird-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-thunderbird-on-ecr 2 | runtime: go 3 | description: The present scenario deploys an ECR hosting a container with a vulnerable 4 | Thunderbird package, causing potential security risks. Solve it by updating the 5 | package to a more secure version. 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-vulnerable-container-thunderbird-on-ecr 10 | friendlyName: Vulnerable Container Thunderbird On ECR (CVE-2022-1529) 11 | description: The scenario constitutes a script creating an Elastic Container Registry 12 | (ECR) hosting a Docker container loaded with a vulnerable Thunderbird package (CVE-2022-1529) https://nvd.nist.gov/vuln/detail/CVE-2022-1529. 13 | The predicament is the risk of security violations through this vulnerable package. 14 | To fix this, the Thunderbird package needs to be updated to a secure version or 15 | substituted with a secure package before the Docker image's build and push operations. 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-tomcat-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-tomcat-on-ecr 2 | runtime: go 3 | description: The script deploys a vulnerable Tomcat container in an ECR, posing security 4 | risks. Problems arise due to outdated security patches on the Tomcat container. 
5 | cnappgoat-params: 6 | module: cwpp 7 | platform: aws 8 | id: cwpp-aws-vulnerable-container-tomcat-on-ecr 9 | friendlyName: Vulnerable Container Tomcat On ECR (CVE-2020-1938) 10 | description: The scenario builds an Elastic Container Repository (ECR) containing 11 | a vulnerable Tomcat version, a situation that poses security risks. The problem 12 | lies in the vulnerabilities within the Tomcat (CVE-2020-1938) (https://nvd.nist.gov/vuln/detail/CVE-2020-1938). Remedying this issue requires upgrading 13 | to a safer, newer Tomcat version and initiating a thorough security audit to find 14 | and eliminate other system weaknesses. Implementing a secure development process 15 | can help prevent potential vulnerabilities in the future. 16 | scenarioType: native 17 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/s3-unencrypted-transport/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | 11 | // Create a new S3 bucket 12 | bucket, err := s3.NewBucket(ctx, "CNAPPgoat-http-bucket", &s3.BucketArgs{ 13 | Tags: pulumi.StringMap{ 14 | "Name": pulumi.String("CNAPPgoat-http-bucket"), 15 | "Cnappgoat": pulumi.String("true"), 16 | }}, 17 | ) 18 | if err != nil { 19 | return err 20 | } 21 | 22 | // Upload a secret file to the bucket 23 | bucketObject, err := s3.NewBucketObject(ctx, "CNAPPgoat-http-data", &s3.BucketObjectArgs{ 24 | Bucket: bucket.ID(), 25 | Key: pulumi.String("CNAPPgoat-http-data"), 26 | Source: pulumi.NewFileAsset("http.txt"), 27 | ContentType: pulumi.String("text/plain"), 28 | }) 29 | if err != nil { 30 | return err 31 | } 32 | ctx.Export("CNAPPgoat-http-bucket", bucket.Arn) 33 | ctx.Export("object-key", bucketObject.Key) 34 | return nil 35 | }) 36 | } 37 | 
-------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-container-xmrig-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-malicious-container-xmrig-on-ecr 2 | runtime: go 3 | description: The script pushes a container image that bundles the XMRig cryptocurrency miner to an ECR repository. XMRig is malware in this context, not a 4 | performance problem: the risk is unauthorized mining (and the cost and attacker foothold that come with it) on any host that runs the image. To fix it, 5 | delete the malicious image and its tags from the repository, restrict who can push to it, and investigate how the image got there 6 | cnappgoat-params: 7 | module: cwpp 8 | platform: aws 9 | id: cwpp-aws-malicious-container-xmrig-on-ecr 10 | friendlyName: Malicious Container Xmrig On ECR 11 | description: The scenario creates a container with an XMRig miner on the Elastic 12 | Container Registry (ECR), potentially misusing CPU resources for unauthorized 13 | cryptocurrency mining. This is done by creating a malicious image and uploading 14 | it to the ECR repository. Issues may occur when this image is deployed without 15 | the owner's consent. To fix this, remove the image from the repository, scan images with a tool that detects known miner binaries before they are admitted to a cluster, restrict 16 | push access to the repository, and alert on unusual CPU usage and mining-pool traffic from running workloads. Avoid using unvetted public images 17 | to mitigate risk. 
18 | scenarioType: native 19 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-new-privileged-user/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | // Create a new IAM user with admin privileges 11 | user, err := iam.NewUser(ctx, "CNAPPGoatNewPrivilegedUser", &iam.UserArgs{ 12 | Tags: pulumi.StringMap{ 13 | "Cnappgoat": pulumi.String("true"), 14 | }, 15 | }) 16 | if err != nil { 17 | return err 18 | } 19 | // attach the admin policy to the user 20 | _, err = iam.NewUserPolicyAttachment(ctx, "CNAPPGoatNewPrivilegedUserAdminPolicy", &iam.UserPolicyAttachmentArgs{ 21 | PolicyArn: pulumi.String("arn:aws:iam::aws:policy/AdministratorAccess"), 22 | User: user.Name, 23 | }) 24 | if err != nil { 25 | return err 26 | } 27 | 28 | // create access keys for the user 29 | _, err = iam.NewAccessKey(ctx, "CNAPPGoatNewPrivilegedUserAccessKey", &iam.AccessKeyArgs{ 30 | User: user.Name, 31 | }) 32 | if err != nil { 33 | return err 34 | } 35 | return nil 36 | }) 37 | } 38 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/lambda-env-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: lambda-env-secrets 2 | runtime: go 3 | description: The scenario creates a new AWS Lambda function, storing secrets 4 | as environment variables. The problem arises due to storing sensitive data in plaintext. The remediation is to use AWS 5 | Secrets Manager or similar tool to safely handle secrets. 
6 | cnappgoat-params: 7 | description: The scenario in question facilitates the creation of a new Lambda function 8 | in AWS, with secrets embedded within the function's environment variables. This 9 | practice raises a security risk as the secrets, such as passwords or API keys, 10 | may be exposed or exploited: anyone with lambda:GetFunctionConfiguration can read them in plaintext. To mitigate the risk, it is recommended these secrets 11 | be stored in AWS Secrets Manager or AWS Systems Manager Parameter Store and fetched by the function at runtime, rather than placed in environment variables. 12 | This approach allows secrets to be decoupled from the code and the function configuration, enhancing security 13 | and simplifying rotation and management of secrets. 14 | friendlyName: Lambda With Secrets As Environment Variables 15 | id: cspm-aws-lambda-env-secrets 16 | module: cspm 17 | scenarioType: native 18 | platform: aws 19 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/cloudbuild-build-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-gcp-build-secrets-cloudbuild 2 | runtime: go 3 | description: This scenario deploys a Cloud Build trigger with secrets in its build script. 4 | These secrets can be potentially leaked and unauthorized access to arbitrary services can occur. 5 | cnappgoat-params: 6 | description: In this outlined scenario, a Cloud Build trigger is set into motion, containing secrets directly embedded within its build 7 | script. Such an approach inherently poses security vulnerabilities. If the build logs are not adequately protected or if the scripts 8 | are exposed, these embedded secrets become susceptible to interception. Unauthorized entities could potentially access and misuse 9 | these secrets, leading to unintended service access or even broader system compromises. 10 | Ensuring encryption, using managed secret solutions, and monitoring access are vital steps to enhance security in such deployments. 
11 | friendlyName: Secrets In Cloud Build Trigger Script 12 | id: cspm-gcp-build-secrets-cloudbuild 13 | module: cspm 14 | scenarioType: native 15 | platform: gcp -------------------------------------------------------------------------------- /scenarios/cspm/gcp/function-env-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-gcp-env-secrets-function 2 | runtime: go 3 | description: This scenario deploys a Cloud Function with secrets in its environment variables that can potentially leak. 4 | To mitigate this, store the secrets in a secret manager. 5 | cnappgoat-params: 6 | description: In this scenario, a Cloud Function is deployed with secrets in its environment variables, posing a significant security 7 | risk. Directly embedding secrets can lead to unintentional leaks and potential unauthorized access to critical resources. 8 | To enhance security, it's recommended to use a secret management service. 9 | By doing so, secrets are stored encrypted in a centralized location, isolated from the application code. 10 | This approach not only safeguards the secrets but also allows for better control, audit logging, and ease of rotation. 11 | Always prioritize secure handling of sensitive information. 12 | friendlyName: Secrets in Cloud Function's Environment Variables 13 | id: cspm-gcp-env-secrets-function 14 | module: cspm 15 | scenarioType: native 16 | platform: gcp -------------------------------------------------------------------------------- /scenarios/cspm/gcp/compute-public-image-registry/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cspm-gcp-public-image-registry 2 | runtime: go 3 | description: This scenario deploys a public image in artifact registry. This image can be pulled by anyone and pose a security risk 4 | through leakage of sensitive data, secrets and more. 
5 | cnappgoat-params: 6 | description: In this scenario, an image is deployed in artifact registry with an attached IAM configuration setting it to be publicly 7 | readable, making it accessible to any individual or entity. 8 | Such open accessibility raises significant security concerns. The image, if not properly configured or containing embedded sensitive 9 | data, could potentially lead to the exposure of confidential information, system secrets, or other critical data. It's imperative to 10 | adopt protective measures such as private repositories, vulnerability scanning, and strict access controls to ensure the safeguarding 11 | of the images and the embedded data. 12 | friendlyName: Public Image In Artifact Registry 13 | id: cspm-gcp-public-image-registry 14 | module: cspm 15 | scenarioType: native 16 | platform: gcp 17 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/codebuild-administrator-servicerole/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: codebuild-administrator-servicerole 2 | runtime: go 3 | description: This scenario deploys a CodeBuild machine with a highly privileged administrator 4 | role, which risks widespread access and potential misuse. To remedy this, assign 5 | the least privileged role necessary for CodeBuild function and limit its access. 6 | cnappgoat-params: 7 | description: This scenario sets up a CodeBuild machine with a highly privileged 8 | administrative service role, which implies a potential security risk due to overly 9 | broad permissions. The problem arises in the attachment of the 'AdministratorAccess' 10 | policy to the 'codeBuildRole', granting it widespread privileges. To remediate 11 | this, ensure that the IAM role for CodeBuild is assigned only the required permissions. 12 | Replace the 'AdministratorAccess' managed policy with a least-privilege policy scoped to the resources the build actually uses (for example its log group and artifact bucket); 13 | otherwise anyone who can change the build's source or buildspec inherits administrator access to the account. 
14 | friendlyName: Codebuild With Administrator Role 15 | id: ciem-aws-codebuild-administrator-servicerole 16 | module: ciem 17 | scenarioType: native 18 | platform: aws 19 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-public-role/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | 10 | pulumi.Run(func(ctx *pulumi.Context) error { 11 | publicRoleName := "CnappGoatPublicIamRoleRole" 12 | role, err := iam.NewRole(ctx, publicRoleName, &iam.RoleArgs{ 13 | AssumeRolePolicy: pulumi.String(`{ 14 | "Version": "2012-10-17", 15 | "Statement": [ 16 | { 17 | "Sid": "", 18 | "Effect": "Allow", 19 | "Principal": { 20 | "AWS": "*" 21 | }, 22 | "Action": "sts:AssumeRole" 23 | } 24 | ] 25 | }`), 26 | ManagedPolicyArns: pulumi.StringArray{ 27 | pulumi.String("arn:aws:iam::aws:policy/AWSDenyAll"), 28 | }, 29 | Description: pulumi.String("This is a vulnerable role that allows anyone to assume it"), 30 | Tags: pulumi.StringMap{ 31 | "Cnappgoat": pulumi.String("true"), 32 | }, 33 | }) 34 | 35 | if err != nil { 36 | return err 37 | } 38 | 39 | ctx.Export("publicRoleName", role.Name) 40 | ctx.Export("publicRoleArn", role.Arn) 41 | return nil 42 | }) 43 | } 44 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/codebuild-build-secrets/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: codebuild-build-secrets 2 | runtime: go 3 | description: The scenario deploys a codebuild project which includes 4 | sensitive data in plaintext in the buildspec. To resolve this, secrets should be stored in 5 | AWS Secrets Manager or AWS Systems Manager Parameter Store and referenced from the buildspec through the secrets-manager or parameter-store env types, rather than written into the buildspec or into plaintext environment variables (both are readable by anyone who can view the project configuration). 
6 | cnappgoat-params: 7 | description: The scenario given establishes a codebuild machine with secrets stored 8 | unencrypted in the buildspec file, which is a security vulnerability. The code 9 | deploys an AWS CodeBuild project and an IAM role with access to AWS services like 10 | S3 and Logs. While it seems functional, storing secrets in the clear within a 11 | buildspec is a bad practice as it exposes sensitive data. To remedy this, AWS 12 | Secrets Manager or AWS Systems Manager Parameter Store should be used to store 13 | sensitive data securely for access during builds. The secrets can then be accessed 14 | securely using the appropriate AWS SDK commands. 15 | friendlyName: Codebuild With Secrets 16 | id: cspm-aws-codebuild-build-secrets 17 | module: cspm 18 | scenarioType: native 19 | platform: aws 20 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-log4shell-on-ecr/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: cwpp-aws-vulnerable-container-log4shell-on-ecr 2 | runtime: go 3 | description: This scenario deploys an Elastic Container Registry (ECR) with a container 4 | image whose Log4j 2 library is vulnerable to Log4Shell (CVE-2021-44228). The concern is that an attacker who can get a crafted string into any logged field 5 | gains remote code execution. Remediation requires upgrading the Log4j 2 library inside the 6 | container image to a fixed release (2.17.1 or later on Java 8+); Log4Shell is the name of the exploit, not of a component that can be patched. 7 | cnappgoat-params: 8 | module: cwpp 9 | platform: aws 10 | id: cwpp-aws-vulnerable-container-log4shell-on-ecr 11 | friendlyName: Vulnerable Container Log4shell On ECR (CVE-2021-44228) 12 | description: The provided scenario deploys an Elastic Container Registry (ECR) with 13 | a Docker image that has a log4shell vulnerability (CVE-2021-44228) (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), allowing potential system takeover 14 | by attackers. The issue stems from using an unpatched version of log4j in the 15 | Docker container. 
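Remediation includes updating to the latest patched version 16 | of log4j or implementing security tools to identify and correct Docker image vulnerabilities 17 | prior to deployment. 18 | scenarioType: native 19 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-new-privileged-role/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main deploys the "new privileged role" CIEM scenario: an IAM role that
// every principal in the deploying account may assume and that carries the
// AWS-managed AdministratorAccess policy. The over-broad trust and
// permissions are the scenario's finding and are deliberately kept.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The trust policy is scoped to the deploying account, so look up its ID.
		// The original ignored this error and then dereferenced a nil result.
		callerIdentity, err := aws.GetCallerIdentity(ctx, nil)
		if err != nil {
			return fmt.Errorf("looking up caller identity: %w", err)
		}

		// Trusting the account root means any IAM principal in the account
		// whose own identity policy allows sts:AssumeRole on this role can
		// assume it; there is no MFA or external-ID condition.
		assumeRolePolicyJSON := fmt.Sprintf(`{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::%s:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}`, callerIdentity.AccountId)

		// Intentionally over-privileged: AdministratorAccess is the finding.
		role, err := iam.NewRole(ctx, "CNAPPGoatAdminRole", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(assumeRolePolicyJSON),
			ManagedPolicyArns: pulumi.StringArray{
				pulumi.String("arn:aws:iam::aws:policy/AdministratorAccess"),
			},
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("roleArn", role.Arn)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cspm/gcp/storage-public-bucket-secrets/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/storage" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config" 7 | ) 8 | 9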
| func main() { 10 | pulumi.Run(func(ctx *pulumi.Context) error { 11 | // Create a GCP storage bucket 12 | cfg := config.New(ctx, "gcp") 13 | gcpRegion := cfg.Require("region") 14 | 15 | bucket, err := storage.NewBucket(ctx, "cnappgoat-public-bucket", &storage.BucketArgs{ 16 | Location: pulumi.String(gcpRegion), 17 | }) 18 | if err != nil { 19 | return err 20 | } 21 | 22 | // Set the bucket to be publicly readable 23 | _, err = storage.NewBucketIAMMember(ctx, "publicRead", &storage.BucketIAMMemberArgs{ 24 | Bucket: bucket.Name, 25 | Role: pulumi.String("roles/storage.objectViewer"), 26 | Member: pulumi.String("allUsers"), 27 | }) 28 | if err != nil { 29 | return err 30 | } 31 | 32 | // Upload data to the bucket 33 | _, err = storage.NewBucketObject(ctx, "CNAPPgoat-public-data", &storage.BucketObjectArgs{ 34 | Bucket: bucket.Name, 35 | Source: pulumi.NewFileAsset("./CNAPPgoat-public-data.txt"), 36 | }) 37 | if err != nil { 38 | return err 39 | } 40 | 41 | // Export the bucket's URL 42 | ctx.Export("bucketUrl", bucket.Url) 43 | return nil 44 | }) 45 | } 46 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-privesc-ec2-passrole/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | assumeRolePolicy := `{ 11 | "Version": "2012-10-17", 12 | "Statement": [ 13 | { 14 | "Action": "sts:AssumeRole", 15 | "Principal": { 16 | "Service": "ec2.amazonaws.com" 17 | }, 18 | "Effect": "Allow", 19 | "Sid": "" 20 | } 21 | ] 22 | }` 23 | 24 | rolePolicy := `{ 25 | "Version": "2012-10-17", 26 | "Statement": [ 27 | { 28 | "Effect": "Allow", 29 | "Action": "ec2:RunInstances", 30 | "Resource": "*" 31 | }, 32 | { 33 | "Effect": "Allow", 34 | "Action": "iam:PassRole", 35 | "Resource": "*" 
36 | } 37 | ] 38 | }` 39 | 40 | // Create the IAM role 41 | role, err := iam.NewRole(ctx, "role", &iam.RoleArgs{ 42 | AssumeRolePolicy: pulumi.String(assumeRolePolicy), 43 | }) 44 | if err != nil { 45 | return err 46 | } 47 | 48 | // Attach the policy to the IAM role 49 | _, err = iam.NewRolePolicy(ctx, "rolePolicy", &iam.RolePolicyArgs{ 50 | Role: role.ID(), 51 | Policy: pulumi.String(rolePolicy), 52 | }) 53 | if err != nil { 54 | return err 55 | } 56 | 57 | ctx.Export("roleName", role.Name) 58 | ctx.Export("roleArn", role.Arn) 59 | return nil 60 | }) 61 | } 62 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-external-id-3rd-party-role/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | // Create an IAM role that allows a 3rd party to assume it, make sure the role has a randomized postfix 11 | // so that it is unique 12 | role, err := iam.NewRole(ctx, "CnappGoatExternalIdIamRoleRole", &iam.RoleArgs{ 13 | AssumeRolePolicy: pulumi.String(`{ 14 | "Version": "2012-10-17", 15 | "Statement": [ 16 | { 17 | "Sid": "", 18 | "Effect": "Allow", 19 | "Principal": { 20 | "AWS": "arn:aws:iam::152659312504:root" 21 | }, 22 | "Action": "sts:AssumeRole" 23 | } 24 | ] 25 | }`), // This account ID is the account ID of the 3rd party for Slack EKM https://slackhq.com/dotcom/dotcom/wp-content/uploads/sites/6/2019/08/Slack-EKM-Implementation-Guide-1.pdf 26 | ManagedPolicyArns: pulumi.StringArray{ 27 | pulumi.String("arn:aws:iam::aws:policy/AWSDenyAll"), 28 | }, 29 | Description: pulumi.String("This is a vulnerable role that allows a 3rd party to assume it without an external ID"), 30 | Tags: pulumi.StringMap{ 31 | "Cnappgoat": pulumi.String("true"), 32 | }, 33 | }) 34 | if err != 
nil { 35 | return err 36 | } 37 | ctx.Export("roleName", role.Name) 38 | return nil 39 | }) 40 | } 41 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/cloudbuild-build-secrets/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/cloudbuild" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | var err error 11 | 12 | // Define your build step 13 | buildSteps := cloudbuild.TriggerBuildStepArray{ 14 | &cloudbuild.TriggerBuildStepArgs{ 15 | Name: pulumi.String("gcr.io/cloud-builders/docker"), 16 | Args: pulumi.StringArray{ 17 | pulumi.String("run"), 18 | pulumi.String("echo \"administrator-123151010-21.139.152.142-rdp\" >> my-rdp-creds.txt"), 19 | }, 20 | }, 21 | } 22 | 23 | // Create Cloud Build Trigger 24 | trigger, err := cloudbuild.NewTrigger(ctx, "CNAPPgoat-Cloudbuild", &cloudbuild.TriggerArgs{ 25 | TriggerTemplate: &cloudbuild.TriggerTriggerTemplateArgs{ 26 | ProjectId: pulumi.String("CNAPPgoat-gcp-project-id"), 27 | RepoName: pulumi.String("CNAPPgoat-repo-name"), 28 | BranchName: pulumi.String("CNAPPgoat-manual-trigger-branch"), // Dummy value since we're not using an automated trigger 29 | }, 30 | Build: &cloudbuild.TriggerBuildArgs{ 31 | Steps: buildSteps, 32 | }, 33 | Tags: pulumi.StringArray{ 34 | pulumi.String("Cnappgoat"), 35 | }, 36 | Disabled: pulumi.Bool(true), // Manual trigger by setting it to disabled 37 | }) 38 | if err != nil { 39 | return err 40 | } 41 | 42 | ctx.Export("CNAPPgoatCloudbuildTriggerLocation", trigger.Location) 43 | return nil 44 | }) 45 | } 46 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-weak-password/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | 
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | "os/exec" 7 | "strings" 8 | ) 9 | 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | // Create an IAM user without MFA enabled and with a login profile 13 | user, err := iam.NewUser(ctx, "CNAPPGoatWeakPasswordUser", &iam.UserArgs{ 14 | Tags: pulumi.StringMap{ 15 | "Cnappgoat": pulumi.String("true"), 16 | }, 17 | }) 18 | 19 | if err != nil { 20 | return err 21 | } 22 | // Create an IAM login profile for the user with the password "password" 23 | _, err = iam.NewUserLoginProfile(ctx, "loginProfile", &iam.UserLoginProfileArgs{ 24 | User: user.Name, 25 | PasswordLength: pulumi.Int(20), 26 | }) 27 | // use the CLI to change the password to "password" 28 | // We have to use the CLI because the Pulumi SDK does not support updating the password for security reasons 29 | // aws iam update-login-profile --user-name CNAPPGoatWeakPasswordUser --password password 30 | _ = user.Name.ApplyT(func(name string) (string, error) { 31 | cmd := exec.Command("aws", "iam", "update-login-profile", "--user-name", name, "--password", "password") 32 | output, err := cmd.Output() 33 | if err != nil { 34 | return "", err 35 | } 36 | return strings.TrimSpace(string(output)), nil 37 | }).(pulumi.StringOutput) 38 | 39 | ctx.Export("userName", user.Name) 40 | ctx.Export("userArn", user.Arn) 41 | return nil 42 | }) 43 | } 44 | -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-private-public-key/data/2/cnappgoatCertificate.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEFzCCAv+gAwIBAgIUb7gnVgwXQMlGMrMEgo3S3+rP+s8wDQYJKoZIhvcNAQEL 3 | BQAwgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH 4 | DA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDTkFQUEdvYXQxCzAJBgNVBAsMAklU 5 | 
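MRowGAYDVQQDDBF3d3cuY25hcHBnb2F0LmNvbTEhMB8GCSqGSIb3DQEJARYSaW5m 6 | b0BjbmFwcGdvYXQuY29tMB4XDTIzMDgyMDA1MzMyMVoXDTI0MDgxOTA1MzMyMVow 7 | gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T 8 | YW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDTkFQUEdvYXQxCzAJBgNVBAsMAklUMRow 9 | GAYDVQQDDBF3d3cuY25hcHBnb2F0LmNvbTEhMB8GCSqGSIb3DQEJARYSaW5mb0Bj 10 | bmFwcGdvYXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAziuJ 11 | bggvdy1/47ZwJnXfqGMT3aRVRKdDlDbwuJekgfghMEmdLjiYGMn9Qkf+Xsi5fYcM 12 | vdL+0nX4iQREbbWUJOqkG9C640Lq2VZV+gYApqKblbcuiAHzcqA7Zg9UoCpbxShV 13 | PWQAXSa3XlQJQUhhX8puDb7IwBmNsAM2RE+vmOEVTeMMmcthlc1Rnn1/MybO5gQM 14 | ChM0/lZHv8fdHUPbkpYQ5WJ8820wHtx6DmGaOjdxtCyb5qB88HC8P7+s9BAbIrTf 15 | XLL4rwKx9ypycoXC5SV0K1/rjjVDqDbJ6p2bnWTg8GjINrWCrEwMOU0Iqp7fRF8M 16 | Powj7o6LeAxwdUxUIQIDAQABo1MwUTAdBgNVHQ4EFgQUWERLlr0+ohuksbVKgLfu 17 | h9uK9vgwHwYDVR0jBBgwFoAUWERLlr0+ohuksbVKgLfuh9uK9vgwDwYDVR0TAQH/ 18 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKi2UdIyzh/coa4Gf/qTuASnoaWoN 19 | +lfvnMbo4SEQhw+m80jL4HdCxaJS6cFj5z9Gh/yCVcrXkPBE0JZaoNegWaf8Ix43 20 | mOuWg5vXGi0T5HLwVVFO8xo8+RPP9NSfCzpDrqCfoKk/GTe/MuUjDA3FkF/ml1AV 21 | KvE7OiE1hiXWyCoCxJtIbzMmCA4ntg1c3fky1kHkxBiOFwvUUve/VBTSwZqXkUsD 22 | cckA9vuHp9ZR/N+ZWU0EgI9o37Q4hKVU6qGVmfEvG25yc/Mk9ByXp/QtRvPRqjBc 23 | uw6C5NCIysl2/dSK274W685eZbHaQS3AKkTOy4fZ8vP70nV4YZ6+mPMrtQ== 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/public-ecr-repository/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main deploys the "public ECR repository" CIEM scenario: a private ECR
// repository whose resource policy lets any AWS principal ("AWS": "*")
// describe and pull its images. That open policy is the finding and is kept
// as-is. Scan-on-push only reports CVEs in pushed images; it does nothing to
// limit who can pull them.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Create a public ECR Repository. MUTABLE tags mean an existing tag can
		// be re-pointed at a different image, which matters once the repository
		// is readable by everyone.
		repo, err := ecr.NewRepository(ctx, "cnappgoat-public-ecr-repo", &ecr.RepositoryArgs{
			ImageTagMutability: pulumi.String("MUTABLE"),
			ImageScanningConfiguration: &ecr.RepositoryImageScanningConfigurationArgs{
				ScanOnPush: pulumi.Bool(true),
			},
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		// The original skipped this check and dereferenced a nil repo below.
		if err != nil {
			return err
		}

		// Set the repository policy: any AWS principal may list and pull images
		// and layers. Note that "Principal": {"AWS": "*"} still requires the
		// caller to be an authenticated AWS identity; it is not anonymous.
		_, err = ecr.NewRepositoryPolicy(ctx, "my-repo-policy", &ecr.RepositoryPolicyArgs{
			Repository: repo.Name,
			Policy: pulumi.String(`{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "ECR Repository Policy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}`),
		})
		if err != nil {
			return err
		}

		ctx.Export("ecrRepoArn", repo.Arn)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-private-public-key/data/2/cnappgoatCertificate.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEFzCCAv+gAwIBAgIUb7gnVgwXQMlGMrMEgo3S3+rP+s8wDQYJKoZIhvcNAQEL 3 | BQAwgZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH 4 | DA1TYW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDTkFQUEdvYXQxCzAJBgNVBAsMAklU 5 | MRowGAYDVQQDDBF3d3cuY25hcHBnb2F0LmNvbTEhMB8GCSqGSIb3DQEJARYSaW5m 6 | b0BjbmFwcGdvYXQuY29tMB4XDTIzMDgyMDA1MzMyMVoXDTI0MDgxOTA1MzMyMVow 7 | gZoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T 8 | YW4gRnJhbmNpc2NvMRIwEAYDVQQKDAlDTkFQUEdvYXQxCzAJBgNVBAsMAklUMRow 9 | GAYDVQQDDBF3d3cuY25hcHBnb2F0LmNvbTEhMB8GCSqGSIb3DQEJARYSaW5mb0Bj 10 | bmFwcGdvYXQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAziuJ 11 | bggvdy1/47ZwJnXfqGMT3aRVRKdDlDbwuJekgfghMEmdLjiYGMn9Qkf+Xsi5fYcM 12 | vdL+0nX4iQREbbWUJOqkG9C640Lq2VZV+gYApqKblbcuiAHzcqA7Zg9UoCpbxShV 13 | PWQAXSa3XlQJQUhhX8puDb7IwBmNsAM2RE+vmOEVTeMMmcthlc1Rnn1/MybO5gQM 14 | 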
ChM0/lZHv8fdHUPbkpYQ5WJ8820wHtx6DmGaOjdxtCyb5qB88HC8P7+s9BAbIrTf 15 | XLL4rwKx9ypycoXC5SV0K1/rjjVDqDbJ6p2bnWTg8GjINrWCrEwMOU0Iqp7fRF8M 16 | Powj7o6LeAxwdUxUIQIDAQABo1MwUTAdBgNVHQ4EFgQUWERLlr0+ohuksbVKgLfu 17 | h9uK9vgwHwYDVR0jBBgwFoAUWERLlr0+ohuksbVKgLfuh9uK9vgwDwYDVR0TAQH/ 18 | BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAKi2UdIyzh/coa4Gf/qTuASnoaWoN 19 | +lfvnMbo4SEQhw+m80jL4HdCxaJS6cFj5z9Gh/yCVcrXkPBE0JZaoNegWaf8Ix43 20 | mOuWg5vXGi0T5HLwVVFO8xo8+RPP9NSfCzpDrqCfoKk/GTe/MuUjDA3FkF/ml1AV 21 | KvE7OiE1hiXWyCoCxJtIbzMmCA4ntg1c3fky1kHkxBiOFwvUUve/VBTSwZqXkUsD 22 | cckA9vuHp9ZR/N+ZWU0EgI9o37Q4hKVU6qGVmfEvG25yc/Mk9ByXp/QtRvPRqjBc 23 | uw6C5NCIysl2/dSK274W685eZbHaQS3AKkTOy4fZ8vP70nV4YZ6+mPMrtQ== 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/lambda-env-secrets/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam" 5 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lambda" 6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 7 | ) 8 | 9 | func main() { 10 | pulumi.Run(func(ctx *pulumi.Context) error { 11 | // Define your secrets 12 | secret1 := "administrator" 13 | secret2 := "123156asd!@%!#^3a" 14 | 15 | // Create IAM role for the lambda function 16 | lambdaRole, err := iam.NewRole(ctx, "CNAPPgoat-lambda-role", &iam.RoleArgs{ 17 | AssumeRolePolicy: pulumi.String(`{ 18 | "Version": "2012-10-17", 19 | "Statement": [{ 20 | "Action": "sts:AssumeRole", 21 | "Principal": { 22 | "Service": "lambda.amazonaws.com" 23 | }, 24 | "Effect": "Allow", 25 | "Sid": "" 26 | }] 27 | }`), 28 | }) 29 | if err != nil { 30 | return err 31 | } 32 | 33 | // Create Lambda function 34 | lambdaSecrets, err := lambda.NewFunction(ctx, "CNAPPgoat-lambda-env-secrets", &lambda.FunctionArgs{ 35 | Handler: pulumi.String("index.handler"), 36 | Role: lambdaRole.Arn, 37 | Runtime: pulumi.String("nodejs18.x"), 38 | 
Environment: &lambda.FunctionEnvironmentArgs{ 39 | Variables: pulumi.StringMap{ 40 | "username": pulumi.String(secret1), 41 | "password": pulumi.String(secret2), 42 | }, 43 | }, 44 | Code: pulumi.NewFileArchive("./app.zip"), 45 | Tags: pulumi.StringMap{ 46 | "Name": pulumi.String("CNAPPgoat-lambda-env-secrets"), 47 | "Cnappgoat": pulumi.String("true"), 48 | }, 49 | }) 50 | if err != nil { 51 | return err 52 | } 53 | ctx.Export("CNAPPgoat-lambda-role", lambdaRole.Arn) 54 | ctx.Export("CNAPPgoat-lambda-env-secrets", lambdaSecrets.Arn) 55 | return nil 56 | }) 57 | } 58 | -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-private-public-key/data/1/cnappgoatPrivateKey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAziuJbggvdy1/47ZwJnXfqGMT3aRVRKdDlDbwuJekgfghMEmd 3 | LjiYGMn9Qkf+Xsi5fYcMvdL+0nX4iQREbbWUJOqkG9C640Lq2VZV+gYApqKblbcu 4 | iAHzcqA7Zg9UoCpbxShVPWQAXSa3XlQJQUhhX8puDb7IwBmNsAM2RE+vmOEVTeMM 5 | mcthlc1Rnn1/MybO5gQMChM0/lZHv8fdHUPbkpYQ5WJ8820wHtx6DmGaOjdxtCyb 6 | 5qB88HC8P7+s9BAbIrTfXLL4rwKx9ypycoXC5SV0K1/rjjVDqDbJ6p2bnWTg8GjI 7 | NrWCrEwMOU0Iqp7fRF8MPowj7o6LeAxwdUxUIQIDAQABAoIBABXd6kKgXaBvU/wr 8 | 8nMx11n9wDKm5mBUuUc0GI4Lj2g1kBeWBzTKzd77NYBdMG6PLZVRyJktktdxqb2m 9 | lTdppd/Qfz1wAxJtm4kXriDJmDIUVxonBqloQ5Dpy8MEZz5hn8Amifvr6ln27EX1 10 | 9dFVwvYs+0U78gDl9PAxNwVBymcVb6xt1tRutgB5Yy57TWadXVnNV9X20u7WMVoC 11 | NxO6VCxmBmPyM8YNba7zGD/2bSSDE2TcxvumSZjPAlbsaknJnl9vjVVOYF+958pg 12 | NToPHcoYCkUUb9t7ouSdGen+p1KGMFtGxNBclfX3clnQre0khOt3UPqZ47X7QH49 13 | JvGuuwECgYEA7+z/Gy9Fz5hO2aCqKc7BFxitgD77j98M33A0HU2vJkNgw4PnV+7Z 14 | Af1koHXqrby7d59kwpen6bElr7VYQ8btOMtKA4IDLEeRixgopVhx2AqU/ec0jOTw 15 | Ytqp7hin7Ml+uB20j/Yyh5NPoPKAn8nKwI/Aq9iDS7XOiH0bVTJwmDECgYEA2/uX 16 | VCUwcSG4OslAnDfE2WJcRJdSr6GMD7qn2th6hrsABKTkvoyxNhvXahyCX7G8pwiV 17 | eN+zLgl2nM2gV06ByYQ9ydAqC+SwHDeU1o6hMy27Ijex8jO6kg2F13iEdUs+aB2J 18 | 
T3MZrJgbAzAABFdKtTC5d2t9eKeSEW+hQQRobvECgYEAs3+k0CrK2OhDPbBk/ohP 19 | j78HtyXnwRiIIfZpFu9StZa9IylhADmSo1l3WlE99SN5QaK/mJIrrru4zT8oPPTr 20 | 74yv3/X597vHmL/HUQTdj1tDYr4CY9K4Qc0ESzypDY8mPgsDVp1D6oh8j5Y+Qs2O 21 | 4gfqhuaiPBdV4Glw9ImbEVECgYEAv7d4n2D54t7cTH9wy7Te3gWXHEA1U9Oa2Wp3 22 | N4dK4Xi//0wl/ttm5h1Fk7jc9sFUBM66Vem/ovOkZ+vdPbmx6wpRPz0oJ81annzi 23 | Pkt3ub61RJD9iHQEuZ0HdE4YQpEdBmgXbyKE0aKOiCyhFydseJTKToVjiG+iIYgE 24 | JUHOMkECgYAoUwxP68eOcbw6j8T3GDou7sJEe+y3UvpHKx42mIfY740RKDm02twE 25 | MSqveNDlAD4aXNhM1Krpt8R3ULfZlN4FRum0TnKuqv9A6z42Ru3uOGEYq6rjfzr4 26 | OM4r2AoM1RsXn1T4BTm4wnq5BBgK+s181likSFq4s2P5CdFLOYStOA== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-private-public-key/data/1/cnappgoatPrivateKey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpAIBAAKCAQEAziuJbggvdy1/47ZwJnXfqGMT3aRVRKdDlDbwuJekgfghMEmd 3 | LjiYGMn9Qkf+Xsi5fYcMvdL+0nX4iQREbbWUJOqkG9C640Lq2VZV+gYApqKblbcu 4 | iAHzcqA7Zg9UoCpbxShVPWQAXSa3XlQJQUhhX8puDb7IwBmNsAM2RE+vmOEVTeMM 5 | mcthlc1Rnn1/MybO5gQMChM0/lZHv8fdHUPbkpYQ5WJ8820wHtx6DmGaOjdxtCyb 6 | 5qB88HC8P7+s9BAbIrTfXLL4rwKx9ypycoXC5SV0K1/rjjVDqDbJ6p2bnWTg8GjI 7 | NrWCrEwMOU0Iqp7fRF8MPowj7o6LeAxwdUxUIQIDAQABAoIBABXd6kKgXaBvU/wr 8 | 8nMx11n9wDKm5mBUuUc0GI4Lj2g1kBeWBzTKzd77NYBdMG6PLZVRyJktktdxqb2m 9 | lTdppd/Qfz1wAxJtm4kXriDJmDIUVxonBqloQ5Dpy8MEZz5hn8Amifvr6ln27EX1 10 | 9dFVwvYs+0U78gDl9PAxNwVBymcVb6xt1tRutgB5Yy57TWadXVnNV9X20u7WMVoC 11 | NxO6VCxmBmPyM8YNba7zGD/2bSSDE2TcxvumSZjPAlbsaknJnl9vjVVOYF+958pg 12 | NToPHcoYCkUUb9t7ouSdGen+p1KGMFtGxNBclfX3clnQre0khOt3UPqZ47X7QH49 13 | JvGuuwECgYEA7+z/Gy9Fz5hO2aCqKc7BFxitgD77j98M33A0HU2vJkNgw4PnV+7Z 14 | Af1koHXqrby7d59kwpen6bElr7VYQ8btOMtKA4IDLEeRixgopVhx2AqU/ec0jOTw 15 | Ytqp7hin7Ml+uB20j/Yyh5NPoPKAn8nKwI/Aq9iDS7XOiH0bVTJwmDECgYEA2/uX 16 | 
VCUwcSG4OslAnDfE2WJcRJdSr6GMD7qn2th6hrsABKTkvoyxNhvXahyCX7G8pwiV 17 | eN+zLgl2nM2gV06ByYQ9ydAqC+SwHDeU1o6hMy27Ijex8jO6kg2F13iEdUs+aB2J 18 | T3MZrJgbAzAABFdKtTC5d2t9eKeSEW+hQQRobvECgYEAs3+k0CrK2OhDPbBk/ohP 19 | j78HtyXnwRiIIfZpFu9StZa9IylhADmSo1l3WlE99SN5QaK/mJIrrru4zT8oPPTr 20 | 74yv3/X597vHmL/HUQTdj1tDYr4CY9K4Qc0ESzypDY8mPgsDVp1D6oh8j5Y+Qs2O 21 | 4gfqhuaiPBdV4Glw9ImbEVECgYEAv7d4n2D54t7cTH9wy7Te3gWXHEA1U9Oa2Wp3 22 | N4dK4Xi//0wl/ttm5h1Fk7jc9sFUBM66Vem/ovOkZ+vdPbmx6wpRPz0oJ81annzi 23 | Pkt3ub61RJD9iHQEuZ0HdE4YQpEdBmgXbyKE0aKOiCyhFydseJTKToVjiG+iIYgE 24 | JUHOMkECgYAoUwxP68eOcbw6j8T3GDou7sJEe+y3UvpHKx42mIfY740RKDm02twE 25 | MSqveNDlAD4aXNhM1Krpt8R3ULfZlN4FRum0TnKuqv9A6z42Ru3uOGEYq6rjfzr4 26 | OM4r2AoM1RsXn1T4BTm4wnq5BBgK+s181likSFq4s2P5CdFLOYStOA== 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-iso/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-sensitive-data-iso 2 | runtime: yaml 3 | description: The scenario provision Azure Blob Container containing iso files 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Blob Container within a Storage Account is set up, with access limited to the owner. 7 | It is used to store ISO files with sensitive data. The main objective is to evaluate a data security product's capacity 8 | to identify this type of data. This evaluation is crucial for determining the product's ability to detect and protect 9 | sensitive information in cloud storage services. 
10 | friendlyName: Azure Blob Container with sensitive ISO files 11 | id: dspm-azure-blob-container-account-storage-sensitive-data-iso 12 | config: 13 | azure-native:location: EastUS2 14 | module: dspm 15 | scenarioType: native 16 | platform: azure 17 | 18 | resources: 19 | cnappgoatResourceGroup: 20 | type: azure-native:resources:ResourceGroup 21 | cnappgoataccount: 22 | type: azure-native:storage:StorageAccount 23 | properties: 24 | resourceGroupName: ${cnappgoatResourceGroup.name} 25 | kind: StorageV2 26 | sku: 27 | name: Standard_LRS 28 | cnappgoatcontainer: 29 | type: azure-native:storage:BlobContainer 30 | properties: 31 | resourceGroupName: ${cnappgoatResourceGroup.name} 32 | accountName: ${cnappgoataccount.name} 33 | 34 | synced-folder: 35 | type: synced-folder:index:AzureBlobFolder 36 | properties: 37 | resourceGroupName: ${cnappgoatResourceGroup.name} 38 | storageAccountName: ${cnappgoataccount.name} 39 | containerName: ${cnappgoatcontainer.name} 40 | path: ./data/1 41 | 42 | outputs: 43 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 44 | cnappgoatstorageaccount: ${cnappgoataccount.name} 45 | cnappgoatcontainer: ${cnappgoatcontainer.name} -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-sensitive-data-parquet/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-sensitive-data-parquet 2 | runtime: yaml 3 | description: The scenario provision an Azure Blob Container containing parquet files 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Blob Container within a Storage Account is set up, with access limited to the owner. 7 | It is used to store parquet files with sensitive data. The main objective is to evaluate a data security product's 8 | capacity to identify this type of data. 
This evaluation is crucial for determining the product's ability to detect 9 | and protect sensitive information in cloud storage services. 10 | friendlyName: Azure Blob Container with sensitive parquet files 11 | id: dspm-azure-blob-container-account-storage-sensitive-data-parquet 12 | config: 13 | azure-native:location: EastUS2 14 | module: dspm 15 | scenarioType: native 16 | platform: azure 17 | 18 | resources: 19 | cnappgoatResourceGroup: 20 | type: azure-native:resources:ResourceGroup 21 | cnappgoataccount: 22 | type: azure-native:storage:StorageAccount 23 | properties: 24 | resourceGroupName: ${cnappgoatResourceGroup.name} 25 | kind: StorageV2 26 | sku: 27 | name: Standard_LRS 28 | cnappgoatcontainer: 29 | type: azure-native:storage:BlobContainer 30 | properties: 31 | resourceGroupName: ${cnappgoatResourceGroup.name} 32 | accountName: ${cnappgoataccount.name} 33 | 34 | synced-folder: 35 | type: synced-folder:index:AzureBlobFolder 36 | properties: 37 | resourceGroupName: ${cnappgoatResourceGroup.name} 38 | storageAccountName: ${cnappgoataccount.name} 39 | containerName: ${cnappgoatcontainer.name} 40 | path: ./data/1 41 | 42 | outputs: 43 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 44 | cnappgoatstorageaccount: ${cnappgoataccount.name} 45 | cnappgoatcontainer: ${cnappgoatcontainer.name} -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-imds-v1-enabled/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws" 5 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2" 6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 7 | ) 8 | 9 | func main() { 10 | pulumi.Run(func(ctx *pulumi.Context) error { 11 | 12 | // Create a new VPC 13 | vpc, err := ec2.NewVpc(ctx, "CNAPPgoat-ec2-imds-vpc", &ec2.VpcArgs{ 14 | CidrBlock: pulumi.String("10.0.0.0/16"), 15 | }) 16 | if err != nil { 17 | return err 18 | } 
19 | 20 | // Create a new subnet 21 | subnet, err := ec2.NewSubnet(ctx, "CNAPPgoat-ec2-imds-subnet", &ec2.SubnetArgs{ 22 | VpcId: vpc.ID(), 23 | CidrBlock: pulumi.String("10.0.1.0/24"), 24 | }) 25 | if err != nil { 26 | return err 27 | } 28 | 29 | // Get the AMI 30 | mostRecent := true 31 | amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{ 32 | Owners: []string{"amazon"}, 33 | MostRecent: &mostRecent, 34 | Filters: []aws.GetAmiFilter{{Name: "name", Values: []string{"amzn2-ami-hvm-2.0.*-x86_64-ebs"}}}, 35 | }) 36 | if err != nil { 37 | return err 38 | } 39 | 40 | // Create an EC2 instance 41 | ec2, err := ec2.NewInstance(ctx, "CNAPPgoat-ec2-instance-imds-v1-enabled", &ec2.InstanceArgs{ 42 | Ami: pulumi.String(amiResult.Id), 43 | InstanceType: pulumi.String("t2.micro"), 44 | SubnetId: subnet.ID(), 45 | MetadataOptions: &ec2.InstanceMetadataOptionsArgs{ 46 | HttpEndpoint: pulumi.String("enabled"), 47 | HttpTokens: pulumi.String("optional"), // Enable IMDSv1 48 | }, 49 | Tags: pulumi.StringMap{ 50 | "Name": pulumi.String("CNAPPgoat-ec2-instance-imds-v1-enabled"), 51 | "Cnappgoat": pulumi.String("true"), 52 | }, 53 | }) 54 | if err != nil { 55 | return err 56 | } 57 | ctx.Export("CNAPPgoat-ec2-imds-vpc", vpc.Arn) 58 | ctx.Export("CNAPPgoat-ec2-imds-subnet", subnet.Arn) 59 | ctx.Export("CNAPPgoat-ec2-instance-imds-v1-enabled", ec2.Arn) 60 | 61 | return nil 62 | }) 63 | } 64 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-secrets-expose/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws" 5 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2" 6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 7 | ) 8 | 9 | func main() { 10 | pulumi.Run(func(ctx *pulumi.Context) error { 11 | 12 | // Create a new VPC 13 | vpc, err := ec2.NewVpc(ctx, "CNAPPgoat-ec2-secrets-expose-vpc", &ec2.VpcArgs{ 14 | CidrBlock: 
pulumi.String("10.0.0.0/16"), 15 | }) 16 | if err != nil { 17 | return err 18 | } 19 | 20 | // Create a new subnet 21 | subnet, err := ec2.NewSubnet(ctx, "CNAPPgoat-ec2-secrets-expose-subnet", &ec2.SubnetArgs{ 22 | VpcId: vpc.ID(), 23 | CidrBlock: pulumi.String("10.0.1.0/24"), 24 | }) 25 | if err != nil { 26 | return err 27 | } 28 | 29 | // Get the AMI 30 | mostRecent := true 31 | amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{ 32 | Owners: []string{"amazon"}, 33 | MostRecent: &mostRecent, 34 | Filters: []aws.GetAmiFilter{{Name: "name", Values: []string{"amzn2-ami-hvm-2.0.*-x86_64-ebs"}}}, 35 | }) 36 | if err != nil { 37 | return err 38 | } 39 | 40 | // Create a new EC2 instance 41 | ec2, err := ec2.NewInstance(ctx, "CNAPPgoat-ec2-secrets-expose-instance", &ec2.InstanceArgs{ 42 | InstanceType: pulumi.String("t2.micro"), 43 | AssociatePublicIpAddress: pulumi.BoolPtr(true), 44 | SubnetId: subnet.ID(), 45 | Ami: pulumi.String(amiResult.Id), 46 | UserData: pulumi.String(`#!/bin/bash 47 | mysql -u cnaappgoat -p mysecretpassword1231`), 48 | Tags: pulumi.StringMap{ 49 | "Name": pulumi.String("CNAPPgoat-ec2-secrets-expose-instance"), 50 | "Cnappgoat": pulumi.String("true"), 51 | }, 52 | }) 53 | if err != nil { 54 | return err 55 | } 56 | ctx.Export("CNAPPgoat-ec2-secrets-expose-vpc", vpc.Arn) 57 | ctx.Export("CNAPPgoat-ec2-secrets-expose-subnet", subnet.Arn) 58 | ctx.Export("CNAPPgoat-ec2-secrets-expose-instance", ec2.Arn) 59 | return nil 60 | }) 61 | } 62 | -------------------------------------------------------------------------------- /scenarios/cspm/gcp/compute-secrets-expose/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute" 5 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 6 | ) 7 | 8 | func main() { 9 | pulumi.Run(func(ctx *pulumi.Context) error { 10 | 11 | // Create a new Network (Equivalent to VPC in AWS) 12 | network, err := 
compute.NewNetwork(ctx, "cnappgoat-compute-network", &compute.NetworkArgs{}) 13 | if err != nil { 14 | return err 15 | } 16 | 17 | // Create a Subnetwork (Equivalent to Subnet in AWS) 18 | subnetwork, err := compute.NewSubnetwork(ctx, "cnappgoat-compute-subnetwork", &compute.SubnetworkArgs{ 19 | Network: network.SelfLink, 20 | IpCidrRange: pulumi.String("10.0.1.0/24"), 21 | }) 22 | if err != nil { 23 | return err 24 | } 25 | 26 | // Create a new Compute Instance 27 | instance, err := compute.NewInstance(ctx, "cnappgoat-compute-instance", &compute.InstanceArgs{ 28 | Zone: pulumi.String("us-central1-a"), 29 | MachineType: pulumi.String("f1-micro"), 30 | BootDisk: &compute.InstanceBootDiskArgs{ 31 | InitializeParams: &compute.InstanceBootDiskInitializeParamsArgs{ 32 | Image: pulumi.String("debian-cloud/debian-12"), 33 | }, 34 | }, 35 | NetworkInterfaces: compute.InstanceNetworkInterfaceArray{ 36 | &compute.InstanceNetworkInterfaceArgs{ 37 | Network: network.ID(), 38 | AccessConfigs: compute.InstanceNetworkInterfaceAccessConfigArray{ 39 | &compute.InstanceNetworkInterfaceAccessConfigArgs{}, 40 | }, 41 | }, 42 | }, 43 | MetadataStartupScript: pulumi.String(`#!/bin/bash 44 | mysql -u cnaappgoat -p mysecretpassword1231`), 45 | Tags: pulumi.StringArray{ 46 | pulumi.String("cnappgoat"), 47 | pulumi.String("compute-instance"), 48 | }, 49 | }) 50 | if err != nil { 51 | return err 52 | } 53 | ctx.Export("CNAPPgoat-compute-network", network.SelfLink) 54 | ctx.Export("CNAPPgoat-compute-subnetwork", subnetwork.SelfLink) 55 | ctx.Export("CNAPPgoat-compute-instance", instance.SelfLink) 56 | return nil 57 | }) 58 | } 59 | -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-pci-sqllite/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-pci-sqllite 2 | runtime: yaml 3 | description: The scenario provision Blob 
Container that holds an SQLite database with PCI data 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Storage Account with Blob Container, which is exclusively accessible by the organization, 7 | is established to store Payment Card Industry (PCI) data. Notably, the data is stored in an SQLite database blob within 8 | the container, as opposed to plain text. The primary goal of this setup is to simulate an Azure Blob Container holding 9 | sensitive information in a structured database format, in order to assess a data security product's ability to detect and 10 | safeguard such data. 11 | friendlyName: Azure Blob Container with an SQLite database and PCI data 12 | id: dspm-azure-blob-container-account-storage-pci-sqllite 13 | config: 14 | azure-native:location: EastUS2 15 | module: dspm 16 | scenarioType: native 17 | platform: azure 18 | 19 | resources: 20 | cnappgoatResourceGroup: 21 | type: azure-native:resources:ResourceGroup 22 | cnappgoataccount: 23 | type: azure-native:storage:StorageAccount 24 | properties: 25 | resourceGroupName: ${cnappgoatResourceGroup.name} 26 | kind: StorageV2 27 | sku: 28 | name: Standard_LRS 29 | cnappgoatcontainer: 30 | type: azure-native:storage:BlobContainer 31 | properties: 32 | resourceGroupName: ${cnappgoatResourceGroup.name} 33 | accountName: ${cnappgoataccount.name} 34 | 35 | synced-folder: 36 | type: synced-folder:index:AzureBlobFolder 37 | properties: 38 | resourceGroupName: ${cnappgoatResourceGroup.name} 39 | storageAccountName: ${cnappgoataccount.name} 40 | containerName: ${cnappgoatcontainer.name} 41 | path: ./data 42 | 43 | outputs: 44 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 45 | cnappgoatstorageaccount: ${cnappgoataccount.name} 46 | cnappgoatcontainer: ${cnappgoatcontainer.name} -------------------------------------------------------------------------------- /scenarios/cspm/gcp/function-env-secrets/main.go:
-------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/cloudfunctions" 5 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/storage" 6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 7 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config" 8 | ) 9 | 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | // Define your secrets 13 | secret1 := "administrator" 14 | secret2 := "123156asd!@%!#^3a" 15 | 16 | // Create GCS Bucket to store Cloud Function source code 17 | cfg := config.New(ctx, "gcp") 18 | gcpRegion := cfg.Require("region") 19 | 20 | bucket, err := storage.NewBucket(ctx, "cnappgoat-cloudfuncbucket", &storage.BucketArgs{ 21 | Location: pulumi.String(gcpRegion), 22 | }) 23 | if err != nil { 24 | return err 25 | } 26 | 27 | // Upload data to the bucket 28 | archive, err := storage.NewBucketObject(ctx, "CNAPPgoat-public-data", &storage.BucketObjectArgs{ 29 | Bucket: bucket.Name, 30 | Source: pulumi.NewFileAsset("./app.zip"), 31 | }) 32 | if err != nil { 33 | return err 34 | } 35 | secrets := map[string]string{ 36 | "SECRET1": secret1, 37 | "SECRET2": secret2, 38 | } 39 | 40 | // Convert it to a pulumi.MapInput 41 | envVars := pulumi.Map{} 42 | for k, v := range secrets { 43 | envVars[k] = pulumi.String(v) 44 | } 45 | // Create Cloud Function with an HTTP trigger 46 | function, err := cloudfunctions.NewFunction(ctx, "CNAPPgoat-cloudfunction", &cloudfunctions.FunctionArgs{ 47 | SourceArchiveBucket: bucket.Name, 48 | Runtime: pulumi.String("nodejs14"), 49 | EntryPoint: pulumi.String("handler"), 50 | SourceArchiveObject: archive.Name, 51 | EnvironmentVariables: envVars, 52 | TriggerHttp: pulumi.Bool(true), 53 | AvailableMemoryMb: pulumi.Int(128), 54 | Region: pulumi.String("us-central1"), // specify an appropriate region 55 | }) 56 | if err != nil { 57 | return err 58 | } 59 | 60 | ctx.Export("CNAPPgoat-cloudfunction-url", function.HttpsTriggerUrl) 
61 | return nil 62 | }) 63 | } 64 | -------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-container-xmrig-on-ecr/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | import ( 3 | "encoding/base64" 4 | "fmt" 5 | "strings" 6 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr" 7 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 9 | ) 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{ 13 | ForceDelete: pulumi.Bool(true), 14 | }) 15 | if err != nil { 16 | return err 17 | } 18 | 19 | // Get ECR credentials 20 | repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) { 21 | creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{ 22 | RegistryId: rid, 23 | }) 24 | if err != nil { 25 | return nil, err 26 | } 27 | data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken) 28 | if err != nil { 29 | fmt.Println("error:", err) 30 | return nil, err 31 | } 32 | return strings.Split(string(data), ":"), nil 33 | }).(pulumi.StringArrayOutput) 34 | repoUser := repoCreds.Index(pulumi.Int(0)) 35 | repoPass := repoCreds.Index(pulumi.Int(1)) 36 | 37 | // Build and push the image to the private ECR repository 38 | _, err = docker.NewImage(ctx, "malicious-xmrig", &docker.ImageArgs{ 39 | Build: &docker.DockerBuildArgs{ 40 | Context: pulumi.String("."), 41 | }, 42 | ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, "malicious-xmrig"), 43 | Registry: docker.ImageRegistryArgs{ 44 | Server: repo.RepositoryUrl, 45 | Username: repoUser, 46 | Password: repoPass, 47 | }, 48 | }) 49 | if err != nil { 50 | return err 51 | } 52 | ctx.Export("repositoryUrl", repo.RepositoryUrl) 53 | return nil 54 | }) 55 | } -------------------------------------------------------------------------------- 
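// /scenarios/cwpp/aws/vulnerable-container-redis-on-ecr/main.go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr"
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions a private ECR repository, builds the Dockerfile in the
// current directory and pushes the result under the "vulnerable-redis" tag.
// The repository URL is exported as "repositoryUrl".
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// ForceDelete lets `pulumi destroy` remove the repository while it
		// still holds the pushed image. The tag matches the other scenarios
		// so the resource stays attributable to this toolkit.
		repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{
			ForceDelete: pulumi.Bool(true),
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}

		// Resolve the registry login once the registry id is known. The
		// authorization token decodes to "<user>:<password>".
		repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) {
			creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{
				RegistryId: rid,
			})
			if err != nil {
				return nil, fmt.Errorf("fetching ECR credentials for registry %q: %w", rid, err)
			}
			data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken)
			if err != nil {
				return nil, fmt.Errorf("decoding ECR authorization token: %w", err)
			}
			// Split once so a ':' inside the password cannot shift the fields,
			// and fail here on a malformed token instead of attempting a push
			// with an empty username or password.
			parts := strings.SplitN(string(data), ":", 2)
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("malformed ECR authorization token: expected <user>:<password>")
			}
			return parts, nil
		}).(pulumi.StringArrayOutput)
		repoUser := repoCreds.Index(pulumi.Int(0))
		// Mark the password secret so it is encrypted in the stack state and
		// redacted from CLI output instead of being stored in plaintext.
		repoPass := pulumi.ToSecret(repoCreds.Index(pulumi.Int(1))).(pulumi.StringOutput)

		// Build and push the image to the private ECR repository.
		_, err = docker.NewImage(ctx, "vulnerable-redis", &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, "vulnerable-redis"),
			Registry: docker.ImageRegistryArgs{
				Server:   repo.RepositoryUrl,
				Username: repoUser,
				Password: repoPass,
			},
		})
		if err != nil {
			return err
		}
		ctx.Export("repositoryUrl", repo.RepositoryUrl)
		return nil
	})
}

// ---- next file: /scenarios/cwpp/aws/vulnerable-container-tomcat-on-ecr/main.go ----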
-------------------------------------------------------------------------------- 1 | package main 2 | import ( 3 | "encoding/base64" 4 | "fmt" 5 | "strings" 6 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr" 7 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 9 | ) 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{ 13 | ForceDelete: pulumi.Bool(true), 14 | }) 15 | if err != nil { 16 | return err 17 | } 18 | 19 | // Get ECR credentials 20 | repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) { 21 | creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{ 22 | RegistryId: rid, 23 | }) 24 | if err != nil { 25 | return nil, err 26 | } 27 | data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken) 28 | if err != nil { 29 | fmt.Println("error:", err) 30 | return nil, err 31 | } 32 | return strings.Split(string(data), ":"), nil 33 | }).(pulumi.StringArrayOutput) 34 | repoUser := repoCreds.Index(pulumi.Int(0)) 35 | repoPass := repoCreds.Index(pulumi.Int(1)) 36 | 37 | // Build and push the image to the private ECR repository 38 | _, err = docker.NewImage(ctx, "vulnerable-tomcat", &docker.ImageArgs{ 39 | Build: &docker.DockerBuildArgs{ 40 | Context: pulumi.String("."), 41 | }, 42 | ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, "vulnerable-tomcat"), 43 | Registry: docker.ImageRegistryArgs{ 44 | Server: repo.RepositoryUrl, 45 | Username: repoUser, 46 | Password: repoPass, 47 | }, 48 | }) 49 | if err != nil { 50 | return err 51 | } 52 | ctx.Export("repositoryUrl", repo.RepositoryUrl) 53 | return nil 54 | }) 55 | } -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-jenkins-on-ecr/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | import ( 3 | 
"encoding/base64" 4 | "fmt" 5 | "strings" 6 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr" 7 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 9 | ) 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{ 13 | ForceDelete: pulumi.Bool(true), 14 | }) 15 | if err != nil { 16 | return err 17 | } 18 | 19 | // Get ECR credentials 20 | repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) { 21 | creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{ 22 | RegistryId: rid, 23 | }) 24 | if err != nil { 25 | return nil, err 26 | } 27 | data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken) 28 | if err != nil { 29 | fmt.Println("error:", err) 30 | return nil, err 31 | } 32 | return strings.Split(string(data), ":"), nil 33 | }).(pulumi.StringArrayOutput) 34 | repoUser := repoCreds.Index(pulumi.Int(0)) 35 | repoPass := repoCreds.Index(pulumi.Int(1)) 36 | 37 | // Build and push the image to the private ECR repository 38 | _, err = docker.NewImage(ctx, "vulnerable-jenkins", &docker.ImageArgs{ 39 | Build: &docker.DockerBuildArgs{ 40 | Context: pulumi.String("."), 41 | }, 42 | ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, "vulnerable-jenkins"), 43 | Registry: docker.ImageRegistryArgs{ 44 | Server: repo.RepositoryUrl, 45 | Username: repoUser, 46 | Password: repoPass, 47 | }, 48 | }) 49 | if err != nil { 50 | return err 51 | } 52 | ctx.Export("repositoryUrl", repo.RepositoryUrl) 53 | return nil 54 | }) 55 | } -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-pci-data/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-pci-data 2 | runtime: yaml 3 | description: The scenario provision an Azure Storage Account with 
Blob Container containing PCI data. 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Storage Account with Blob Containers, restricted to organization access only, is provisioned 7 | to store payment card industry (PCI) data. The data is maintained in two distinct blobs. The primary purpose of this 8 | scenario is to emulate an Azure Blob Container containing basic sensitive information, with the goal of testing a data 9 | security product's ability to detect such data. This assessment is crucial in evaluating the security product's 10 | effectiveness in identifying and safeguarding sensitive information housed within cloud-based storage services. 11 | friendlyName: Azure Blob Container with PCI data 12 | id: dspm-azure-blob-container-account-storage-pci-data 13 | config: 14 | azure-native:location: EastUS2 15 | module: dspm 16 | scenarioType: native 17 | platform: azure 18 | 19 | resources: 20 | cnappgoatResourceGroup: 21 | type: azure-native:resources:ResourceGroup 22 | cnappgoataccount: 23 | type: azure-native:storage:StorageAccount 24 | properties: 25 | resourceGroupName: ${cnappgoatResourceGroup.name} 26 | kind: StorageV2 27 | sku: 28 | name: Standard_LRS 29 | cnappgoatcontainer: 30 | type: azure-native:storage:BlobContainer 31 | properties: 32 | resourceGroupName: ${cnappgoatResourceGroup.name} 33 | accountName: ${cnappgoataccount.name} 34 | 35 | synced-folder: 36 | type: synced-folder:index:AzureBlobFolder 37 | properties: 38 | resourceGroupName: ${cnappgoatResourceGroup.name} 39 | storageAccountName: ${cnappgoataccount.name} 40 | containerName: ${cnappgoatcontainer.name} 41 | path: ./data 42 | 43 | outputs: 44 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 45 | cnappgoatstorageaccount: ${cnappgoataccount.name} 46 | cnappgoatcontainer: ${cnappgoatcontainer.name} -------------------------------------------------------------------------------- /scenarios/dspm/azure/blob-container-account-storage-phi-data/Pulumi.yaml: 
-------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-phi-data 2 | runtime: yaml 3 | description: This scenario provisions an Azure Storage Account with a Blob Container containing PHI data. 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Storage Account with a Blob Container, restricted to owner access only, is provisioned to store 7 | protected health information (PHI) data. The data is maintained in two distinct blobs. The primary purpose of this scenario 8 | is to emulate an Azure Blob Container containing basic sensitive information, with the goal of testing a data security 9 | product's ability to detect such data. This assessment is crucial in evaluating the security product's effectiveness in 10 | identifying and safeguarding sensitive information housed within cloud-based storage services. 11 | friendlyName: Azure Blob Container with PHI data 12 | id: dspm-azure-blob-container-account-storage-phi-data 13 | config: 14 | azure-native:location: EastUS2 15 | module: dspm 16 | scenarioType: native 17 | platform: azure 18 | 19 | resources: 20 | cnappgoatResourceGroup: 21 | type: azure-native:resources:ResourceGroup 22 | cnappgoataccount: 23 | type: azure-native:storage:StorageAccount 24 | properties: 25 | resourceGroupName: ${cnappgoatResourceGroup.name} 26 | kind: StorageV2 27 | sku: 28 | name: Standard_LRS 29 | cnappgoatcontainer: 30 | type: azure-native:storage:BlobContainer 31 | properties: 32 | resourceGroupName: ${cnappgoatResourceGroup.name} 33 | accountName: ${cnappgoataccount.name} 34 | 35 | synced-folder: 36 | type: synced-folder:index:AzureBlobFolder 37 | properties: 38 | resourceGroupName: ${cnappgoatResourceGroup.name} 39 | storageAccountName: ${cnappgoataccount.name} 40 | containerName: ${cnappgoatcontainer.name} 41 | path: ./data 42 | 43 | outputs: 44 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 45 | cnappgoatstorageaccount: 
${cnappgoataccount.name} 46 | cnappgoatcontainer: ${cnappgoatcontainer.name} -------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-log4shell-on-ecr/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | import ( 3 | "encoding/base64" 4 | "fmt" 5 | "strings" 6 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr" 7 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 9 | ) 10 | func main() { 11 | pulumi.Run(func(ctx *pulumi.Context) error { 12 | repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{ 13 | ForceDelete: pulumi.Bool(true), 14 | }) 15 | if err != nil { 16 | return err 17 | } 18 | 19 | // Get ECR credentials 20 | repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) { 21 | creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{ 22 | RegistryId: rid, 23 | }) 24 | if err != nil { 25 | return nil, err 26 | } 27 | data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken) 28 | if err != nil { 29 | fmt.Println("error:", err) 30 | return nil, err 31 | } 32 | return strings.Split(string(data), ":"), nil 33 | }).(pulumi.StringArrayOutput) 34 | repoUser := repoCreds.Index(pulumi.Int(0)) 35 | repoPass := repoCreds.Index(pulumi.Int(1)) 36 | 37 | // Build and push the image to the private ECR repository 38 | _, err = docker.NewImage(ctx, "vulnerable-log4shell", &docker.ImageArgs{ 39 | Build: &docker.DockerBuildArgs{ 40 | Context: pulumi.String("."), 41 | }, 42 | ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, "vulnerable-log4shell"), 43 | Registry: docker.ImageRegistryArgs{ 44 | Server: repo.RepositoryUrl, 45 | Username: repoUser, 46 | Password: repoPass, 47 | }, 48 | }) 49 | if err != nil { 50 | return err 51 | } 52 | ctx.Export("repositoryUrl", repo.RepositoryUrl) 53 | return nil 54 | }) 55 | } 
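-------------------------------------------------------------------------------- /scenarios/cwpp/aws/vulnerable-container-thunderbird-on-ecr/main.go: --------------------------------------------------------------------------------
package main

import (
	"encoding/base64"
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr"
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is both the Pulumi resource name and the image tag of the
// container this scenario builds from the Dockerfile next to this file.
const imageName = "vulnerable-thunderbird"

// main provisions a private ECR repository and pushes the scenario image to it.
// ForceDelete lets `pulumi destroy` remove the repository even while images are
// still stored in it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{
			ForceDelete: pulumi.Bool(true),
		})
		if err != nil {
			return fmt.Errorf("creating ECR repository: %w", err)
		}

		// Resolve a time-limited registry login once the registry ID is known.
		// The ECR authorization token is base64("user:password"); split it once
		// and fail early if it does not have that shape, instead of pushing
		// later with an empty password and getting an opaque auth failure.
		repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) {
			creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{
				RegistryId: rid,
			})
			if err != nil {
				return nil, fmt.Errorf("fetching ECR credentials for registry %q: %w", rid, err)
			}
			data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken)
			if err != nil {
				// The token is a credential: wrap the error, never print the token.
				return nil, fmt.Errorf("decoding ECR authorization token for registry %q: %w", rid, err)
			}
			parts := strings.SplitN(string(data), ":", 2)
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("ECR authorization token for registry %q is not in user:password form", rid)
			}
			return parts, nil
		}).(pulumi.StringArrayOutput)
		repoUser := repoCreds.Index(pulumi.Int(0))
		// Mark the password as a secret so it is encrypted in the stack state and
		// redacted from CLI/log output instead of being stored in plain text.
		repoPass := pulumi.ToSecret(repoCreds.Index(pulumi.Int(1))).(pulumi.StringOutput)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, imageName),
			Registry: docker.ImageRegistryArgs{
				Server:   repo.RepositoryUrl,
				Username: repoUser,
				Password: repoPass,
			},
		})
		if err != nil {
			return fmt.Errorf("building and pushing image %q: %w", imageName, err)
		}

		ctx.Export("repositoryUrl", repo.RepositoryUrl)
		return nil
	})
}
--------------------------------------------------------------------------------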
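/scenarios/cwpp/aws/end-of-life-container-on-ecr/main.go: --------------------------------------------------------------------------------
package main

import (
	"encoding/base64"
	"fmt"
	"strings"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ecr"
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is both the Pulumi resource name and the image tag of the
// container this scenario builds from the Dockerfile next to this file.
const imageName = "end_of_life_ubuntu2110"

// main provisions a private ECR repository and pushes the scenario image to it.
// ForceDelete lets `pulumi destroy` remove the repository even while images are
// still stored in it. The repository URL is exposed only as a stack output;
// printing the Output value from inside the program would show the Output's
// internal struct, not the resolved URL.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		repo, err := ecr.NewRepository(ctx, "cnappgoat-repo", &ecr.RepositoryArgs{
			ForceDelete: pulumi.Bool(true),
		})
		if err != nil {
			return fmt.Errorf("creating ECR repository: %w", err)
		}

		// Resolve a time-limited registry login once the registry ID is known.
		// The ECR authorization token is base64("user:password"); split it once
		// and fail early if it does not have that shape, instead of pushing
		// later with an empty password and getting an opaque auth failure.
		repoCreds := repo.RegistryId.ApplyT(func(rid string) ([]string, error) {
			creds, err := ecr.GetCredentials(ctx, &ecr.GetCredentialsArgs{
				RegistryId: rid,
			})
			if err != nil {
				return nil, fmt.Errorf("fetching ECR credentials for registry %q: %w", rid, err)
			}
			data, err := base64.StdEncoding.DecodeString(creds.AuthorizationToken)
			if err != nil {
				// The token is a credential: wrap the error, never print the token.
				return nil, fmt.Errorf("decoding ECR authorization token for registry %q: %w", rid, err)
			}
			parts := strings.SplitN(string(data), ":", 2)
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("ECR authorization token for registry %q is not in user:password form", rid)
			}
			return parts, nil
		}).(pulumi.StringArrayOutput)
		repoUser := repoCreds.Index(pulumi.Int(0))
		// Mark the password as a secret so it is encrypted in the stack state and
		// redacted from CLI/log output instead of being stored in plain text.
		repoPass := pulumi.ToSecret(repoCreds.Index(pulumi.Int(1))).(pulumi.StringOutput)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s:%s", repo.RepositoryUrl, imageName),
			Registry: docker.ImageRegistryArgs{
				Server:   repo.RepositoryUrl,
				Username: repoUser,
				Password: repoPass,
			},
		})
		if err != nil {
			return fmt.Errorf("building and pushing image %q: %w", imageName, err)
		}

		ctx.Export("repositoryUrl", repo.RepositoryUrl)
		return nil
	})
}
--------------------------------------------------------------------------------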
/scenarios/dspm/azure/blob-container-account-storage-basic-pii-data/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-azure-blob-container-account-storage-basic-pii-data 2 | runtime: yaml 3 | description: The scenario provisions an Azure Storage Account with a Blob Container containing basic PII data. 4 | cnappgoat-params: 5 | description: | 6 | In this scenario, an Azure Storage Account with Blob Container, restricted to owner access only, is provisioned 7 | to store personally identifiable information (PII) data. The data is maintained in two blobs, one formatted in CSV 8 | and the other in JSON. The primary purpose of this scenario is to emulate an Azure Blob Container containing basic sensitive 9 | information, to test a data security product's ability to detect such data. This assessment is vital in evaluating the 10 | security product's effectiveness in identifying and safeguarding sensitive information housed within cloud-based storage 11 | services. 
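12 | friendlyName: Azure Blob Container with Basic PII Data 13 | id: dspm-azure-blob-container-account-storage-basic-pii-data 14 | config: 15 | azure-native:location: EastUS2 16 | module: dspm 17 | scenarioType: native 18 | platform: azure 19 | 20 | resources: 21 | cnappgoatResourceGroup: 22 | type: azure-native:resources:ResourceGroup 23 | cnappgoataccount: 24 | type: azure-native:storage:StorageAccount 25 | properties: 26 | resourceGroupName: ${cnappgoatResourceGroup.name} 27 | kind: StorageV2 28 | sku: 29 | name: Standard_LRS 30 | cnappgoatcontainer: 31 | type: azure-native:storage:BlobContainer 32 | properties: 33 | resourceGroupName: ${cnappgoatResourceGroup.name} 34 | accountName: ${cnappgoataccount.name} 35 | 36 | synced-folder: 37 | type: synced-folder:index:AzureBlobFolder 38 | properties: 39 | resourceGroupName: ${cnappgoatResourceGroup.name} 40 | storageAccountName: ${cnappgoataccount.name} 41 | containerName: ${cnappgoatcontainer.name} 42 | path: ./data 43 | 44 | outputs: 45 | cnappgoatresourcegroup: ${cnappgoatResourceGroup.name} 46 | cnappgoatstorageaccount: ${cnappgoataccount.name} 47 | cnappgoatcontainer: ${cnappgoatcontainer.name} 48 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/ec2-ami-public-volume/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ebs"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

const (
	// volumeSizeGiB is shared by the EBS volume and the AMI's root block-device
	// mapping so the two sizes cannot drift apart.
	volumeSizeGiB = 8
	// rootDevice is the device name the AMI is registered with.
	rootDevice = "/dev/sda1"
	// availabilityZone is hard-coded; NOTE(review): it must belong to the region
	// the AWS provider is configured for, or the volume creation fails — confirm
	// against the stack config.
	availabilityZone = "eu-central-1a"
)

// main provisions an EBS volume, snapshots it, registers the snapshot as an AMI
// and then grants launch permission to the "all" group, i.e. to every AWS
// account. The publicly shared AMI (and with it the snapshot contents) is the
// misconfiguration this scenario exists to surface; the rest is plumbing.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// cnappgoatTags labels a resource so it can be located and cleaned up.
		cnappgoatTags := func(name string) pulumi.StringMap {
			return pulumi.StringMap{
				"Name":      pulumi.String(name),
				"Cnappgoat": pulumi.String("true"),
			}
		}

		volume, err := ebs.NewVolume(ctx, "CNAPPgoat-ebs-volume", &ebs.VolumeArgs{
			AvailabilityZone: pulumi.String(availabilityZone),
			Size:             pulumi.Int(volumeSizeGiB),
			Tags:             cnappgoatTags("CNAPPgoat-ebs-volume"),
		})
		if err != nil {
			return err
		}

		snapshot, err := ebs.NewSnapshot(ctx, "CNAPPgoat-ebs-snapshot", &ebs.SnapshotArgs{
			VolumeId: volume.ID(),
			Tags:     cnappgoatTags("CNAPPgoat-ebs-snapshot"),
		})
		if err != nil {
			return err
		}

		// Register the snapshot as an AMI; it is still private at this point.
		ami, err := ec2.NewAmi(ctx, "CNAPPgoat-public-ami", &ec2.AmiArgs{
			Name:               pulumi.String("CNAPPgoat-public-ami"),
			Description:        pulumi.String("My AMI"),
			VirtualizationType: pulumi.String("hvm"),
			RootDeviceName:     pulumi.String(rootDevice),
			EbsBlockDevices: ec2.AmiEbsBlockDeviceArray{
				ec2.AmiEbsBlockDeviceArgs{
					DeviceName:          pulumi.String(rootDevice),
					SnapshotId:          snapshot.ID(),
					DeleteOnTermination: pulumi.Bool(true),
					VolumeSize:          pulumi.Int(volumeSizeGiB),
				},
			},
		})
		if err != nil {
			return err
		}

		// Group "all" shares the AMI with every AWS account — this is the
		// intentionally insecure setting the scenario tests detection of.
		_, err = ec2.NewAmiLaunchPermission(ctx, "CNAPPgoat-ami-launchpermission", &ec2.AmiLaunchPermissionArgs{
			Group:   pulumi.String("all"),
			ImageId: ami.ID(),
		})
		if err != nil {
			return err
		}

		ctx.Export("CNAPPgoat-ebs-volume", volume.Arn)
		ctx.Export("CNAPPgoat-ebs-snapshot", snapshot.Arn)
		ctx.Export("CNAPPgoat-public-ami", ami.Arn)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-public-storage-phi-data/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-aws-s3-public-storage-phi-data 2 | runtime: yaml 3 | description: The scenario provision public access level S3 bucket containing PHI data. 4 | cnappgoat-params: 5 | description: In this scenario, a publicly accessible Amazon Simple Storage Service (S3) bucket 6 | is provisioned to contain protected health information (PHI) data. 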
7 | The data is stored in two separate files. The primary objective of this scenario is to simulate an AWS S3 bucket containing basic 8 | sensitive information, with the aim of testing whether a data security product is capable 9 | of detecting this type of data. This exercise is crucial in evaluating the effectiveness of 10 | the security product in identifying and protecting sensitive information stored in 11 | cloud-based storage services. 12 | friendlyName: Public access levels S3 Bucket with PHI Data 13 | id: dspm-aws-s3-public-storage-phi-data 14 | module: dspm 15 | scenarioType: native 16 | platform: aws 17 | 18 | resources: 19 | CnappgoatBucket: 20 | type: aws:s3:BucketV2 21 | properties: 22 | tags: 23 | Cnappgoat: true 24 | CnappgoatBucketOwnershipControls: 25 | type: aws:s3:BucketOwnershipControls 26 | properties: 27 | bucket: ${CnappgoatBucket.id} 28 | rule: 29 | objectOwnership: BucketOwnerPreferred 30 | CnappgoatBucketPublicAccessBlock: 31 | type: aws:s3:BucketPublicAccessBlock 32 | properties: 33 | bucket: ${CnappgoatBucket.id} 34 | blockPublicAcls: false 35 | blockPublicPolicy: false 36 | ignorePublicAcls: false 37 | restrictPublicBuckets: false 38 | CnappgoatBucketAclV2: 39 | type: aws:s3:BucketAclV2 40 | properties: 41 | bucket: ${CnappgoatBucket.id} 42 | acl: public-read 43 | options: 44 | dependsOn: 45 | - ${CnappgoatBucketOwnershipControls} 46 | - ${CnappgoatBucketPublicAccessBlock} 47 | synced-folder: 48 | type: synced-folder:index:S3BucketFolder 49 | properties: 50 | path: ./data 51 | bucketName: ${CnappgoatBucket.bucket} 52 | acl: public-read 53 | outputs: 54 | bucketArn: ${CnappgoatBucket.arn} 55 | bucketId: ${CnappgoatBucket.id} 56 | DomainName: ${CnappgoatBucket.bucketRegionalDomainName} 57 | -------------------------------------------------------------------------------- /scenarios/cspm/azure/storage-account-public-network/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: 
cspm-azure-storage-account-public-network 2 | runtime: yaml 3 | description: This scenario involves deploying an Azure storage account with public network access. 4 | To restrict public access, switch the Public network access setting from Enabled from all networks to 5 | Enabled from selected virtual networks and IP addresses. 6 | cnappgoat-params: 7 | description: This scenario involves deploying an Azure storage account with public network access. By default, when you create a new storage account, the network is open to the internet. 8 | The storage account still restricts access to blob containers, file shares, tables and queues by requiring Azure Active Directory authentication and access policy permissions. 9 | For greater security, firewall rules should restrict access to specific IP addresses and virtual networks. 10 | 11 | friendlyName: Storage Account with Public Network Access 12 | id: cspm-azure-storage-account-public-network 13 | module: cspm 14 | scenarioType: native 15 | platform: azure 16 | config: 17 | azure-native:location: EastUS2 18 | 19 | resources: 20 | cnappgoatresourcegroup: 21 | type: azure-native:resources:ResourceGroup 22 | properties: 23 | location: ${azure-native:location} 24 | cnappgoataccount: 25 | type: azure-native:storage:StorageAccount 26 | properties: 27 | resourceGroupName: ${cnappgoatresourcegroup.name} 28 | publicNetworkAccess: Enabled 29 | allowBlobPublicAccess: false 30 | allowSharedKeyAccess: true 31 | encryption: 32 | keySource: Microsoft.Storage 33 | requireInfrastructureEncryption: false 34 | services: 35 | blob: 36 | enabled: true 37 | keyType: Account 38 | file: 39 | enabled: true 40 | keyType: Account 41 | keyPolicy: 42 | keyExpirationPeriodInDays: 20 43 | kind: Storage 44 | minimumTlsVersion: TLS1_2 45 | sasPolicy: 46 | expirationAction: Log 47 | sasExpirationPeriod: 1.15:59:59 48 | sku: 49 | name: Standard_GRS 50 | tags: 51 | Cnappgoat: true 52 | 53 | outputs: 54 | cnappgoatresourcegroup: 
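${cnappgoatresourcegroup.name} 55 | cnappgoatstorageaccount: ${cnappgoataccount.name} 56 | -------------------------------------------------------------------------------- /scenarios/ciem/aws/codebuild-administrator-servicerole/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/codebuild"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// adminPolicyArn is the AWS-managed AdministratorAccess policy. Binding it to a
// CodeBuild service role is the over-permissive configuration this scenario
// exists to surface: every build step then runs with full account privileges.
const adminPolicyArn = "arn:aws:iam::aws:policy/AdministratorAccess"

// main creates an IAM role that the CodeBuild service can assume, attaches
// AdministratorAccess to it, and creates a minimal CodeBuild project (no
// source, no artifacts) that uses the role.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		role, err := iam.NewRole(ctx, "CnappgoatCodeBuildRole", &iam.RoleArgs{
			// Trust policy: only the CodeBuild service principal may assume this role.
			AssumeRolePolicy: pulumi.String(`{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Action": "sts:AssumeRole",
			"Principal": {
				"Service": "codebuild.amazonaws.com"
			},
			"Effect": "Allow",
			"Sid": ""
		}
	]
}`),
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}

		// Attach the full AdministratorAccess managed policy (not a CodeBuild-
		// scoped one) to the service role — the intentionally excessive grant.
		_, err = iam.NewRolePolicyAttachment(ctx, "policyAttachment", &iam.RolePolicyAttachmentArgs{
			Role:      role.Name,
			PolicyArn: pulumi.String(adminPolicyArn),
		})
		if err != nil {
			return err
		}

		codebuildProject, err := codebuild.NewProject(ctx, "CNAPPgoatCodeBuildproject", &codebuild.ProjectArgs{
			Artifacts: codebuild.ProjectArtifactsArgs{
				Type: pulumi.String("NO_ARTIFACTS"),
			},
			Environment: codebuild.ProjectEnvironmentArgs{
				// Privileged mode gives the build container elevated capabilities
				// (needed e.g. to run Docker); combined with an admin role it
				// widens what a build step can reach.
				PrivilegedMode: pulumi.BoolPtr(true),
				ComputeType:    pulumi.String("BUILD_GENERAL1_SMALL"),
				Image:          pulumi.String("aws/codebuild/amazonlinux2-x86_64-standard:3.0"),
				Type:           pulumi.String("LINUX_CONTAINER"),
			},
			Source: codebuild.ProjectSourceArgs{
				Type: pulumi.String("NO_SOURCE"),
				// Minimal buildspec: the project only needs to exist with the role attached.
				Buildspec: pulumi.String(`version: 0.2
phases:
  build:
    commands:
      - echo test`),
			},
			ServiceRole:  role.Arn,
			BuildTimeout: pulumi.Int(5),
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("roleArn", role.Arn)
		ctx.Export("codebuildProject", codebuildProject.Arn)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-public-storage-basic-pii-data/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-aws-s3-public-storage-basic-pii-data 2 | runtime: yaml 3 | description: The scenario provision public access level S3 bucket containing PII data. 4 | cnappgoat-params: 5 | description: In this scenario, a publicly accessible Amazon Simple Storage Service (S3) bucket 6 | is provisioned to contain personally identifiable information (PII) data. 7 | The data is stored in two separate files, one in CSV format and the other in JSON format. 8 | The primary objective of this scenario is to simulate an AWS S3 bucket containing basic 9 | sensitive information, with the aim of testing whether a data security product is capable 10 | of detecting this type of data. This exercise is crucial in evaluating the effectiveness of 11 | the security product in identifying and protecting sensitive information stored in 12 | cloud-based storage services. 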
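13 | friendlyName: Public access level S3 Bucket with Basic PII Data 14 | id: dspm-aws-s3-public-storage-basic-pii-data 15 | module: dspm 16 | scenarioType: native 17 | platform: aws 18 | 19 | resources: 20 | CnappgoatBucket: 21 | type: aws:s3:BucketV2 22 | properties: 23 | tags: 24 | Cnappgoat: true 25 | CnappgoatBucketOwnershipControls: 26 | type: aws:s3:BucketOwnershipControls 27 | properties: 28 | bucket: ${CnappgoatBucket.id} 29 | rule: 30 | objectOwnership: BucketOwnerPreferred 31 | CnappgoatBucketPublicAccessBlock: 32 | type: aws:s3:BucketPublicAccessBlock 33 | properties: 34 | bucket: ${CnappgoatBucket.id} 35 | blockPublicAcls: false 36 | blockPublicPolicy: false 37 | ignorePublicAcls: false 38 | restrictPublicBuckets: false 39 | CnappgoatBucketAclV2: 40 | type: aws:s3:BucketAclV2 41 | properties: 42 | bucket: ${CnappgoatBucket.id} 43 | acl: public-read 44 | options: 45 | dependsOn: 46 | - ${CnappgoatBucketOwnershipControls} 47 | - ${CnappgoatBucketPublicAccessBlock} 48 | synced-folder: 49 | type: synced-folder:index:S3BucketFolder 50 | properties: 51 | path: ./data 52 | bucketName: ${CnappgoatBucket.bucket} 53 | acl: public-read 54 | outputs: 55 | bucketArn: ${CnappgoatBucket.arn} 56 | bucketId: ${CnappgoatBucket.id} 57 | DomainName: ${CnappgoatBucket.bucketRegionalDomainName} 58 | -------------------------------------------------------------------------------- /scenarios/cspm/aws/s3-public-bucket-secrets/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions an S3 bucket, switches off every public-access block on it,
// attaches a bucket policy that lets anyone read its objects, and uploads the
// local secret.txt into it. The world-readable secret is the misconfiguration
// this scenario exists to surface.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		bucket, err := s3.NewBucketV2(ctx, "CNAPPgoat-public-bucket", &s3.BucketV2Args{
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return fmt.Errorf("creating bucket: %w", err)
		}

		// All four guards are disabled; with BlockPublicPolicy on, S3 would
		// reject the public policy attached below.
		publicAccessBlock, err := s3.NewBucketPublicAccessBlock(ctx, "CNAPPgoat-public-bucket-access-block", &s3.BucketPublicAccessBlockArgs{
			Bucket:                bucket.ID(),
			BlockPublicAcls:       pulumi.Bool(false),
			BlockPublicPolicy:     pulumi.Bool(false),
			IgnorePublicAcls:      pulumi.Bool(false),
			RestrictPublicBuckets: pulumi.Bool(false),
		})
		if err != nil {
			return fmt.Errorf("configuring public access block: %w", err)
		}

		// Anonymous s3:GetObject on every key. pulumi.Sprintf formats the
		// bucket ID (its name) into the ARN once it is known, which avoids an
		// ApplyT whose parameter type must match the ID output exactly.
		policy := pulumi.Sprintf(`{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::%s/*"
		}
	]
}`, bucket.ID())
		// The access block must be lifted before the policy is applied.
		_, err = s3.NewBucketPolicy(ctx, "CNAPPgoat-public-bucket-policy", &s3.BucketPolicyArgs{
			Bucket: bucket.ID(),
			Policy: policy,
		}, pulumi.DependsOn([]pulumi.Resource{publicAccessBlock}))
		if err != nil {
			return fmt.Errorf("attaching bucket policy: %w", err)
		}

		bucketObject, err := s3.NewBucketObject(ctx, "CNAPPgoat-public-bucket-secret-object", &s3.BucketObjectArgs{
			Bucket:      bucket.ID(),
			Key:         pulumi.String("CNAPPgoatSecret"),
			Source:      pulumi.NewFileAsset("secret.txt"),
			ContentType: pulumi.String("text/plain"),
		})
		if err != nil {
			return fmt.Errorf("uploading secret object: %w", err)
		}

		ctx.Export("CNAPPgoat-public-bucket", bucket.Arn)
		ctx.Export("object-key", bucketObject.Key)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/ciem/aws/iam-overprivileged-role/main.go: --------------------------------------------------------------------------------
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lambda"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// assumeRolePolicyJSON is the trust policy: only the Lambda service principal
// may assume the role. It contains no format verbs, so it is a plain constant.
const assumeRolePolicyJSON = `{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "lambda.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}`

// main creates a Lambda execution role carrying AmazonS3FullAccess, an S3
// bucket, a Lambda function that uses the role, and invokes the function once
// with the bucket name. Full S3 access — far more than listing a single bucket
// needs — is the over-privilege this scenario exists to surface.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		role, err := iam.NewRole(ctx, "CNAPPGoatOverprivilegedRole", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(assumeRolePolicyJSON),
			ManagedPolicyArns: pulumi.StringArray{
				pulumi.String("arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"),
				// Read/write on every bucket in the account; a ListBucket
				// statement scoped to the one bucket would be least privilege.
				pulumi.String("arn:aws:iam::aws:policy/AmazonS3FullAccess"),
			},
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return fmt.Errorf("creating role: %w", err)
		}

		bucket, err := s3.NewBucket(ctx, "CNAPPGoatOverprivilegedBucket", &s3.BucketArgs{
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return fmt.Errorf("creating bucket: %w", err)
		}

		// Function code lives in ./lambda (not part of this file); it is meant
		// to assume the role and list the bucket.
		setupLambda, err := lambda.NewFunction(ctx, "CNAPPGoatOverprivilegedRoleFunction", &lambda.FunctionArgs{
			Role:    role.Arn,
			Handler: pulumi.String("index.handler"),
			// NOTE(review): nodejs14.x is an end-of-support Lambda runtime; confirm
			// the target account still accepts function creation with it.
			Runtime: pulumi.String("nodejs14.x"),
			Code:    pulumi.NewFileArchive("./lambda"),
			Tags: pulumi.StringMap{
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return fmt.Errorf("creating lambda function: %w", err)
		}

		// Invoke once at deploy time so the scenario produces runtime activity
		// with the over-privileged role, not only a static configuration.
		// bucket.ID() is the bucket name; S3 bucket names contain no characters
		// that need JSON escaping.
		_, err = lambda.NewInvocation(ctx, "setupInvocation", &lambda.InvocationArgs{
			FunctionName: setupLambda.Name,
			Input:        pulumi.Sprintf(`{"BucketName":"%s"}`, bucket.ID()),
		})
		if err != nil {
			return fmt.Errorf("invoking lambda function: %w", err)
		}

		ctx.Export("roleArn", role.Arn)
		ctx.Export("bucketName", bucket.ID())
		ctx.Export("lambdaArn", setupLambda.Arn)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/gcp/end-of-life-container-on-artifact-registry/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is the Pulumi resource name and the image name of the container
// this scenario builds from the Dockerfile next to this file.
const imageName = "end-of-life-container"

// main creates a Docker-format Artifact Registry repository with a random
// suffix and pushes the scenario image into it, logging in to the registry with
// the OAuth access token of the identity running the deployment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region come from the gcp provider configuration.
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Repository IDs must be unique per project and location, so append a
		// short lowercase alphanumeric suffix.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's access token is used as the registry password.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret so it is encrypted in the stack state and
		// redacted from CLI output instead of stored as a plain resource input.
		accessToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// Artifact Registry Docker host: <location>-docker.pkg.dev/<project>/<repository>.
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, imageName, "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: accessToken,
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/gcp/malicious-container-xmrig-on-artifact-registry/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is the Pulumi resource name and the image name of the container
// this scenario builds from the Dockerfile next to this file.
const imageName = "malicious-container-xmrig"

// main creates a Docker-format Artifact Registry repository with a random
// suffix and pushes the scenario image into it, logging in to the registry with
// the OAuth access token of the identity running the deployment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region come from the gcp provider configuration.
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Repository IDs must be unique per project and location, so append a
		// short lowercase alphanumeric suffix.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's access token is used as the registry password.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret so it is encrypted in the stack state and
		// redacted from CLI output instead of stored as a plain resource input.
		accessToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// Artifact Registry Docker host: <location>-docker.pkg.dev/<project>/<repository>.
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, imageName, "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: accessToken,
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/aws/malicious-ec2-xmrig/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// userData is the script the instance runs at first boot: it downloads and
// unpacks the XMRig miner release archive (it does not start it). The presence
// of a known cryptominer on the host is the detection payload of this scenario.
const userData = `#!/bin/bash
wget https://github.com/xmrig/xmrig/releases/download/v6.19.2/xmrig-6.19.2-linux-static-x64.tar.gz
tar xf xmrig-6.19.2-linux-static-x64.tar.gz
`

// main launches one EC2 instance with a public IP whose user data fetches the
// XMRig archive. Its security group allows inbound SSH (port 22) from any
// address and unrestricted egress; no HTTP rule is present despite the group's
// description.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Explicit provider with default settings; region etc. come from the stack config.
		awsProvider, err := aws.NewProvider(ctx, "awsProvider", &aws.ProviderArgs{})
		if err != nil {
			return err
		}

		// Inbound: SSH from 0.0.0.0/0. Outbound: everything (the user-data
		// download needs outbound access).
		group, err := ec2.NewSecurityGroup(ctx, "web-secgrp", &ec2.SecurityGroupArgs{
			Description: pulumi.String("Enable SSH and HTTP access"),
			Ingress: ec2.SecurityGroupIngressArray{
				ec2.SecurityGroupIngressArgs{
					Protocol:   pulumi.String("tcp"),
					FromPort:   pulumi.Int(22),
					ToPort:     pulumi.Int(22),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
			Egress: ec2.SecurityGroupEgressArray{
				ec2.SecurityGroupEgressArgs{
					Protocol:   pulumi.String("-1"),
					FromPort:   pulumi.Int(0),
					ToPort:     pulumi.Int(0),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
		}, pulumi.Provider(awsProvider))
		if err != nil {
			return err
		}

		// Most recent Amazon-owned Amazon Linux 2 HVM x86_64 EBS-backed AMI.
		mostRecent := true
		amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{
			Owners:     []string{"amazon"},
			MostRecent: &mostRecent,
			Filters:    []aws.GetAmiFilter{{Name: "name", Values: []string{"amzn2-ami-hvm-2.0.*-x86_64-ebs"}}},
		})
		if err != nil {
			return err
		}

		_, err = ec2.NewInstance(ctx, "CnappgoatCWPPMaliciousEC2", &ec2.InstanceArgs{
			Ami:                      pulumi.String(amiResult.Id),
			InstanceType:             pulumi.String("t3.micro"),
			VpcSecurityGroupIds:      pulumi.StringArray{group.ID()},
			UserData:                 pulumi.String(userData),
			AssociatePublicIpAddress: pulumi.Bool(true),
			Tags:                     pulumi.StringMap{"Name": pulumi.String("CnappgoatCWPPMaliciousEC2")},
		}, pulumi.Provider(awsProvider))
		if err != nil {
			return err
		}

		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-redis-on-artifact-registry/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is the Pulumi resource name and the image name of the container
// this scenario builds from the Dockerfile next to this file.
const imageName = "vulnerable-redis"

// main creates a Docker-format Artifact Registry repository with a random
// suffix and pushes the scenario image into it, logging in to the registry with
// the OAuth access token of the identity running the deployment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region come from the gcp provider configuration.
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Repository IDs must be unique per project and location, so append a
		// short lowercase alphanumeric suffix.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's access token is used as the registry password.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret so it is encrypted in the stack state and
		// redacted from CLI output instead of stored as a plain resource input.
		accessToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// Artifact Registry Docker host: <location>-docker.pkg.dev/<project>/<repository>.
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, imageName, "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: accessToken,
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-tomcat-on-artifact-registry/main.go: --------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// imageName is the Pulumi resource name and the image name of the container
// this scenario builds from the Dockerfile next to this file.
const imageName = "vulnerable-tomcat"

// main creates a Docker-format Artifact Registry repository with a random
// suffix and pushes the scenario image into it, logging in to the registry with
// the OAuth access token of the identity running the deployment.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region come from the gcp provider configuration.
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Repository IDs must be unique per project and location, so append a
		// short lowercase alphanumeric suffix.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's access token is used as the registry password.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret so it is encrypted in the stack state and
		// redacted from CLI output instead of stored as a plain resource input.
		accessToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// Artifact Registry Docker host: <location>-docker.pkg.dev/<project>/<repository>.
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build the image from the local Dockerfile and push it to the private repository.
		_, err = docker.NewImage(ctx, imageName, &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, imageName, "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: accessToken,
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
-------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-jenkins-on-artifact-registry/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 5 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry" 6 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config" 7 | "github.com/pulumi/pulumi-random/sdk/v4/go/random" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 9 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations" 10 | 11 | ) 12 | 13 | func main() { 14 | pulumi.Run(func(ctx *pulumi.Context) error { 15 | // Get the GCP project and region from the default configuration 16 | project := config.GetProject(ctx) 17 | region := config.GetRegion(ctx) 18 | 19 | // Generate a unique Artifact Registry repository ID 20 | uniqueString, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{ 21 | Length: pulumi.Int(4), 22 | Lower: pulumi.Bool(true), 23 | Upper: pulumi.Bool(false), 24 | Numeric: pulumi.Bool(true), 25 | 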
Special: pulumi.Bool(false), 26 | }) 27 | if err != nil { 28 | return err 29 | } 30 | repoId := pulumi.Sprintf("cnappgoat-%s", uniqueString.Result) 31 | 32 | // Create an Artifact Registry repository 33 | repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{ 34 | Description: pulumi.String("Repository for container image"), 35 | Format: pulumi.String("DOCKER"), 36 | Location: pulumi.String(region), 37 | RepositoryId: repoId, 38 | }) 39 | if err != nil { 40 | return err 41 | } 42 | 43 | // Get client credentials 44 | clientConfig, err := organizations.GetClientConfig(ctx) 45 | if err != nil { 46 | return err 47 | } 48 | 49 | // Form the repository URL 50 | repoUrl := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId) 51 | 52 | // Build and push the image to the private Artifact Registry repository 53 | _, err = docker.NewImage(ctx, "vulnerable-jenkins", &docker.ImageArgs{ 54 | Build: &docker.DockerBuildArgs{ 55 | Context: pulumi.String("."), 56 | }, 57 | ImageName: pulumi.Sprintf("%s/%s:%s", repoUrl, "vulnerable-jenkins", "latest"), 58 | Registry: docker.ImageRegistryArgs{ 59 | Server: repoUrl, 60 | Username: pulumi.String("oauth2accesstoken"), 61 | Password: pulumi.String(clientConfig.AccessToken), 62 | }, 63 | }) 64 | 65 | if err != nil { 66 | return err 67 | } 68 | 69 | ctx.Export("repositoryUrl", repoUrl) 70 | return nil 71 | }) 72 | } 73 | -------------------------------------------------------------------------------- /scenarios/cwpp/gcp/vulnerable-container-log4shell-on-artifact-registry/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker" 5 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry" 6 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config" 7 | "github.com/pulumi/pulumi-random/sdk/v4/go/random" 8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi" 
9 | "github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations" 10 | 11 | ) 12 | 13 | func main() { 14 | pulumi.Run(func(ctx *pulumi.Context) error { 15 | // Get the GCP project and region from the default configuration 16 | project := config.GetProject(ctx) 17 | region := config.GetRegion(ctx) 18 | 19 | // Generate a unique Artifact Registry repository ID 20 | uniqueString, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{ 21 | Length: pulumi.Int(4), 22 | Lower: pulumi.Bool(true), 23 | Upper: pulumi.Bool(false), 24 | Numeric: pulumi.Bool(true), 25 | Special: pulumi.Bool(false), 26 | }) 27 | if err != nil { 28 | return err 29 | } 30 | repoId := pulumi.Sprintf("cnappgoat-%s", uniqueString.Result) 31 | 32 | // Create an Artifact Registry repository 33 | repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{ 34 | Description: pulumi.String("Repository for container image"), 35 | Format: pulumi.String("DOCKER"), 36 | Location: pulumi.String(region), 37 | RepositoryId: repoId, 38 | }) 39 | if err != nil { 40 | return err 41 | } 42 | 43 | // Get client credentials 44 | clientConfig, err := organizations.GetClientConfig(ctx) 45 | if err != nil { 46 | return err 47 | } 48 | 49 | // Form the repository URL 50 | repoUrl := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId) 51 | 52 | // Build and push the image to the private Artifact Registry repository 53 | _, err = docker.NewImage(ctx, "vulnerable-log4shell", &docker.ImageArgs{ 54 | Build: &docker.DockerBuildArgs{ 55 | Context: pulumi.String("."), 56 | }, 57 | ImageName: pulumi.Sprintf("%s/%s:%s", repoUrl, "vulnerable-log4shell", "latest"), 58 | Registry: docker.ImageRegistryArgs{ 59 | Server: repoUrl, 60 | Username: pulumi.String("oauth2accesstoken"), 61 | Password: pulumi.String(clientConfig.AccessToken), 62 | }, 63 | }) 64 | 65 | if err != nil { 66 | return err 67 | } 68 | 69 | ctx.Export("repositoryUrl", repoUrl) 70 | 
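return nil
	})
}
--------------------------------------------------------------------------------
/scenarios/cwpp/gcp/vulnerable-container-thunderbird-on-artifact-registry/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions the "vulnerable-container-thunderbird-on-artifact-registry"
// CWPP scenario: a Docker-format Artifact Registry repository in the stack's
// GCP project/region, plus the "vulnerable-thunderbird" image built from the
// local Dockerfile and pushed into it. The repository URL is exported.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region are read from the stack config (gcp:project / gcp:region).
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Four lowercase alphanumerics appended to the repository ID so repeated
		// deployments in the same project/region do not collide.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		// Docker-format repository. No repository-level IAM binding is created
		// in this file.
		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's OAuth2 access token authenticates the push.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret output. Registry credentials are resource
		// inputs of the Image below; as a plain pulumi.String the token would be
		// recorded in the stack state (and can appear in preview/up diffs) in
		// cleartext. ToSecret keeps it encrypted in state and redacted in CLI output.
		registryToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// <region>-docker.pkg.dev/<project>/<repository>
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build from the scenario directory and push. The tag is the mutable
		// "latest", so consumers cannot pin this exact build by tag alone.
		_, err = docker.NewImage(ctx, "vulnerable-thunderbird", &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, "vulnerable-thunderbird", "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: registryToken,
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
--------------------------------------------------------------------------------
/scenarios/dspm/aws/s3-organization-storage-sensitive-data-iso/Pulumi.yaml:
--------------------------------------------------------------------------------
name: dspm-aws-s3-organization-storage-sensitive-data-iso
runtime: yaml
description: The scenario provision organization access level S3 bucket containing iso files
cnappgoat-params:
  description: In this scenario, an Amazon S3 bucket is set up with access limited to the organization
    and is used to store sensitive iso files. The main objective is to evaluate a data security product's
    capacity to identify this type of data. This evaluation is crucial for determining the product's ability
    to detect and protect sensitive information in cloud storage services.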
9 | friendlyName: Organization access level S3 Buckets with sensitive iso files 10 | id: dspm-aws-s3-organization-storage-sensitive-data-iso 11 | module: dspm 12 | scenarioType: native 13 | platform: aws 14 | 15 | variables: 16 | myOrganization: 17 | fn::invoke: 18 | function: aws:organizations:getOrganization 19 | arguments: {} 20 | 21 | resources: 22 | 23 | # first bucket 24 | cnappgoatBucket: 25 | type: aws:s3:BucketV2 26 | properties: 27 | tags: 28 | Cnappgoat: true 29 | cnappgoatBucketOwnershipControls: 30 | type: aws:s3:BucketOwnershipControls 31 | properties: 32 | bucket: ${cnappgoatBucket.id} 33 | rule: 34 | objectOwnership: BucketOwnerPreferred 35 | allowAccessFromOrgPolicy: 36 | type: aws:s3:BucketPolicy 37 | properties: 38 | bucket: ${cnappgoatBucket.id} 39 | policy: | 40 | { 41 | "Version": "2012-10-17", 42 | "Statement": [ 43 | { 44 | "Sid": "Allow", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "s3:*", 48 | "Resource": [ 49 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 50 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 51 | ], 52 | "Condition": { 53 | "StringEquals": { 54 | "aws:PrincipalOrgID": "${myOrganization.id}" 55 | } 56 | } 57 | } 58 | ] 59 | } 60 | options: 61 | dependsOn: 62 | - ${cnappgoatBucketOwnershipControls} 63 | synced-folder: 64 | type: synced-folder:index:S3BucketFolder 65 | properties: 66 | path: ./data/1 67 | bucketName: ${cnappgoatBucket.id} 68 | acl: private 69 | 70 | outputs: 71 | bucketArn: ${cnappgoatBucket.arn} 72 | bucketId: ${cnappgoatBucket.id} 73 | bucketDomainName: ${cnappgoatBucket.bucketRegionalDomainName} -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-sensitive-data-parquet/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: dspm-aws-s3-organization-storage-sensitive-data-parquet 2 | runtime: yaml 3 | description: The scenario provision organization access level S3 bucket 
containing parquet files 4 | cnappgoat-params: 5 | description: In this scenario, an Amazon S3 bucket is set up with access limited to the organization 6 | and is used to store sensitive parquet files. The main objective is to evaluate a data security product's 7 | capacity to identify this type of data. This evaluation is crucial for determining the product's ability 8 | to detect and protect sensitive information in cloud storage services. 9 | friendlyName: Organization access level S3 Buckets with sensitive parquet files 10 | id: dspm-aws-s3-organization-storage-sensitive-data-parquet 11 | module: dspm 12 | scenarioType: native 13 | platform: aws 14 | 15 | variables: 16 | myOrganization: 17 | fn::invoke: 18 | function: aws:organizations:getOrganization 19 | arguments: {} 20 | 21 | resources: 22 | 23 | # first bucket 24 | cnappgoatBucket: 25 | type: aws:s3:BucketV2 26 | properties: 27 | tags: 28 | Cnappgoat: true 29 | cnappgoatBucketOwnershipControls: 30 | type: aws:s3:BucketOwnershipControls 31 | properties: 32 | bucket: ${cnappgoatBucket.id} 33 | rule: 34 | objectOwnership: BucketOwnerPreferred 35 | allowAccessFromOrgPolicy: 36 | type: aws:s3:BucketPolicy 37 | properties: 38 | bucket: ${cnappgoatBucket.id} 39 | policy: | 40 | { 41 | "Version": "2012-10-17", 42 | "Statement": [ 43 | { 44 | "Sid": "Allow", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "s3:*", 48 | "Resource": [ 49 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 50 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 51 | ], 52 | "Condition": { 53 | "StringEquals": { 54 | "aws:PrincipalOrgID": "${myOrganization.id}" 55 | } 56 | } 57 | } 58 | ] 59 | } 60 | options: 61 | dependsOn: 62 | - ${cnappgoatBucketOwnershipControls} 63 | synced-folder: 64 | type: synced-folder:index:S3BucketFolder 65 | properties: 66 | path: ./data/1 67 | bucketName: ${cnappgoatBucket.id} 68 | acl: private 69 | 70 | outputs: 71 | bucketArn: ${cnappgoatBucket.arn} 72 | bucketId: ${cnappgoatBucket.id} 73 | 
bucketDomainName: ${cnappgoatBucket.bucketRegionalDomainName}
--------------------------------------------------------------------------------
/scenarios/dspm/aws/s3-account-storage-basic-pii-data/Pulumi.yaml:
--------------------------------------------------------------------------------
name: dspm-aws-s3-account-storage-basic-pii-data
runtime: yaml
description: The scenario provisions an account-access-level S3 bucket containing PII data.
cnappgoat-params:
  description: In this scenario, an Amazon Simple Storage Service (S3) bucket restricted to account access
    only is provisioned to store personally identifiable information (PII) data.
    The data is maintained in two distinct files, one formatted in CSV and the other in JSON.
    The primary purpose of this scenario is to emulate an AWS S3 bucket containing basic sensitive information,
    with the goal of testing a data security product's ability to detect such data.
    This assessment is vital in evaluating the security product's effectiveness in identifying and
    safeguarding sensitive information housed within cloud-based storage services.
  friendlyName: Account access level S3 Bucket with Basic PII Data
  id: dspm-aws-s3-account-storage-basic-pii-data
  module: dspm
  scenarioType: native
  platform: aws

variables:
  bucketAccount:
    fn::invoke:
      function: aws:getCallerIdentity
      arguments: {}

resources:
  cnappgoatBucket:
    type: aws:s3:BucketV2
    properties:
      tags:
        Cnappgoat: true
  cnappgoatBucketOwnershipControls:
    type: aws:s3:BucketOwnershipControls
    properties:
      bucket: ${cnappgoatBucket.id}
      rule:
        objectOwnership: BucketOwnerPreferred
  allowAccessFromOrgPolicy:
    type: aws:s3:BucketPolicy
    properties:
      bucket: ${cnappgoatBucket.id}
      policy: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowAccessFromMyAccount",
              "Effect":
"Allow",
              "Principal": {
                "AWS": "arn:aws:iam::${bucketAccount.accountId}:root"
              },
              "Action": "s3:*",
              "Resource": "arn:aws:s3:::${cnappgoatBucket.bucket}/*"
            }
          ]
        }
    options:
      dependsOn:
        - ${cnappgoatBucketOwnershipControls}
  synced-folder:
    type: synced-folder:index:S3BucketFolder
    properties:
      path: ./data
      bucketName: ${cnappgoatBucket.id}
      acl: private

outputs:
  bucketArn: ${cnappgoatBucket.arn}
  bucketId: ${cnappgoatBucket.id}
  domainName: ${cnappgoatBucket.bucketRegionalDomainName}
  bucketAccount: ${bucketAccount.accountId}

--------------------------------------------------------------------------------
/scenarios/cwpp/aws/vulnerable-ec2-thunderbird/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions the "vulnerable-ec2-thunderbird" CWPP scenario: an Amazon
// Linux 2 instance whose boot script installs an old Thunderbird RPM
// (91.8.0-1.amzn2.0.1) so a workload-protection product can be checked for
// flagging the vulnerable package. The security group and install steps are
// deliberately weak: they are the test fixture, not a recommended setup.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Explicit provider instance with default settings, passed to every resource below.
		awsProvider, err := aws.NewProvider(ctx, "awsProvider", &aws.ProviderArgs{})

		if err != nil {
			return err
		}

		// Create a new security group that allows SSH and HTTP access
		// NOTE(review): despite the description, only TCP/22 is opened — and
		// from 0.0.0.0/0. No VpcId is set, so the group is created in the
		// region's default VPC. The instance below sets no KeyName, so the
		// open SSH port is exposure without a configured login path.
		group, err := ec2.NewSecurityGroup(ctx, "web-secgrp", &ec2.SecurityGroupArgs{
			Description: pulumi.String("Enable SSH and HTTP access"),
			Ingress: ec2.SecurityGroupIngressArray{
				ec2.SecurityGroupIngressArgs{
					Protocol:   pulumi.String("tcp"),
					FromPort:   pulumi.Int(22),
					ToPort:     pulumi.Int(22),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
			// Unrestricted egress (protocol "-1" = all) so the user-data download can reach the CDN.
			Egress: ec2.SecurityGroupEgressArray{
				ec2.SecurityGroupEgressArgs{
					Protocol:   pulumi.String("-1"),
					FromPort:   pulumi.Int(0),
					ToPort:     pulumi.Int(0),
					CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
				},
			},
		}, pulumi.Provider(awsProvider))
		if err != nil {
			return err
		}

		// Create a new EC2 instance
		// Boot script: fetch the pinned Thunderbird 91.8.0 RPM from the Amazon
		// Linux CDN (the literal "../" segments are presumably how the CDN's
		// blobstore paths are laid out) and force-install it with --nodeps.
		// The script performs no explicit checksum verification of the download
		// before installing it; acceptable only because this is a throw-away
		// lab host. User-data scripts typically already run as root, so the
		// sudo is likely redundant.
		userData := `#!/bin/bash
wget https://cdn.amazonlinux.com/2/core/2.0/x86_64/6b0225ccc542f3834c95733dcf321ab9f1e77e6ca6817469771a8af7c49efe6c/../../../../../blobstore/3b226f60ce3c33d4b04ba594484cf3f96256cf5760ef39ed031a4c452127b6c9/thunderbird-91.8.0-1.amzn2.0.1.x86_64.rpm
sudo rpm -i thunderbird-91.8.0-1.amzn2.0.1.x86_64.rpm --nodeps
`

		// Get the latest AMI: newest Amazon-owned Amazon Linux 2 HVM x86_64 EBS image.
		mostRecent := true
		amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{
			Owners:     []string{"amazon"},
			MostRecent: &mostRecent,
			Filters:    []aws.GetAmiFilter{{Name: "name", Values: []string{"amzn2-ami-hvm-2.0.*-x86_64-ebs"}}},
		})
		if err != nil {
			return err
		}

		// Public IP + the open SG above. The Name tag ("cwppVulnerableVMThunderbird")
		// differs from the resource name; keep that in mind when correlating findings.
		_, err = ec2.NewInstance(ctx, "CnappgoatCWPPVulnerableEC2Thunderbird", &ec2.InstanceArgs{
			Ami:                      pulumi.String(amiResult.Id),
			InstanceType:             pulumi.String("t3.micro"),
			VpcSecurityGroupIds:      pulumi.StringArray{group.ID()},
			UserData:                 pulumi.String(userData),
			AssociatePublicIpAddress: pulumi.Bool(true),
			Tags:                     pulumi.StringMap{"Name": pulumi.String("cwppVulnerableVMThunderbird")},
		}, pulumi.Provider(awsProvider))
		if err != nil {
			return err
		}

		return nil
	})
}
--------------------------------------------------------------------------------
/scenarios/dspm/aws/s3-organization-storage-pci-sqllite/Pulumi.yaml:
--------------------------------------------------------------------------------
name: dspm-aws-s3-organization-storage-pci-sqllite
runtime: yaml
description: The scenario provision S3 bucket thats holds an SQLite database with PCI data
cnappgoat-params:
  description: In this scenario, an Amazon Simple Storage Service (S3) bucket, which is exclusively accessible
    by the organization, is established to store Payment Card Industry (PCI) data.
Notably, the data is stored 7 | in an SQLite database file within the bucket, as opposed to plain text. The primary goal of this setup is 8 | to simulate an AWS S3 bucket holding sensitive information in a structured database format, in order to 9 | assess a data security product's ability to detect and safeguard such data. 10 | friendlyName: Organization access level S3 Bucket with SQLite database and PCI data 11 | id: dspm-aws-s3-organization-storage-pci-sqllite 12 | module: dspm 13 | scenarioType: native 14 | platform: aws 15 | 16 | variables: 17 | myOrganization: 18 | fn::invoke: 19 | function: aws:organizations:getOrganization 20 | arguments: {} 21 | 22 | resources: 23 | cnappgoatBucket: 24 | type: aws:s3:BucketV2 25 | properties: 26 | tags: 27 | Cnappgoat: true 28 | cnappgoatBucketOwnershipControls: 29 | type: aws:s3:BucketOwnershipControls 30 | properties: 31 | bucket: ${cnappgoatBucket.id} 32 | rule: 33 | objectOwnership: BucketOwnerPreferred 34 | allowAccessFromOrgPolicy: 35 | type: aws:s3:BucketPolicy 36 | properties: 37 | bucket: ${cnappgoatBucket.id} 38 | policy: | 39 | { 40 | "Version": "2012-10-17", 41 | "Statement": [ 42 | { 43 | "Sid": "Allow", 44 | "Effect": "Allow", 45 | "Principal": "*", 46 | "Action": "s3:*", 47 | "Resource": [ 48 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 49 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 50 | ], 51 | "Condition": { 52 | "StringEquals": { 53 | "aws:PrincipalOrgID": "${myOrganization.id}" 54 | } 55 | } 56 | } 57 | ] 58 | } 59 | options: 60 | dependsOn: 61 | - ${cnappgoatBucketOwnershipControls} 62 | synced-folder: 63 | type: synced-folder:index:S3BucketFolder 64 | properties: 65 | path: ./data 66 | bucketName: ${cnappgoatBucket.id} 67 | acl: private 68 | 69 | outputs: 70 | bucketArn: ${cnappgoatBucket.arn} 71 | bucketId: ${cnappgoatBucket.id} 72 | DomainName: ${cnappgoatBucket.bucketRegionalDomainName} 73 | -------------------------------------------------------------------------------- 
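/scenarios/cspm/aws/ec2-open-public/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions the "ec2-open-public" CSPM scenario: a VPC, one subnet, a
// security group that admits TCP/80 from 0.0.0.0/0, and an Amazon Linux 2
// instance with a public IP serving a static page on port 80. The exposure is
// the misconfiguration a CSPM product is expected to flag and is intentional.
// The VPC, subnet, security-group and instance ARNs are exported.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {

		// Create a new VPC
		vpc, err := ec2.NewVpc(ctx, "CNAPPgoat-ec2-open-public-vpc", &ec2.VpcArgs{
			CidrBlock: pulumi.String("10.0.0.0/16"),
		})
		if err != nil {
			return err
		}

		// Create a new subnet
		// NOTE(review): nothing in this file creates an internet gateway or a
		// route table for the VPC, so the instance below gets a public IP but is
		// presumably not reachable from (or able to reach) the internet. Confirm
		// whether the scenario intends a live listener or only the public-IP +
		// open-SG posture that a CSPM rule keys on.
		subnet, err := ec2.NewSubnet(ctx, "CNAPPgoat-ec2-open-public-subnet", &ec2.SubnetArgs{
			VpcId:     vpc.ID(),
			CidrBlock: pulumi.String("10.0.1.0/24"),
		})
		if err != nil {
			return err
		}

		// Create a new security group
		// Single ingress rule: TCP/80 from anywhere. No egress rule is declared;
		// with this provider that generally means AWS's default allow-all egress
		// is removed as well, leaving no outbound path (verify if one is needed).
		securityGroup, err := ec2.NewSecurityGroup(ctx, "CNAPPgoat-ec2-open-public-securitygroup", &ec2.SecurityGroupArgs{
			VpcId: vpc.ID(),
			Ingress: ec2.SecurityGroupIngressArray{
				ec2.SecurityGroupIngressArgs{
					Protocol: pulumi.String("tcp"),
					FromPort: pulumi.Int(80),
					ToPort:   pulumi.Int(80),
					CidrBlocks: pulumi.StringArray{
						pulumi.String("0.0.0.0/0"),
					},
				},
			},
		})
		if err != nil {
			return err
		}

		// Get the AMI: newest Amazon-owned Amazon Linux 2 HVM x86_64 EBS image.
		mostRecent := true
		amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{
			Owners:     []string{"amazon"},
			MostRecent: &mostRecent,
			Filters:    []aws.GetAmiFilter{{Name: "name", Values: []string{"amzn2-ami-hvm-2.0.*-x86_64-ebs"}}},
		})
		if err != nil {
			return err
		}

		// Create a new EC2 instance. The result is named `instance` rather than
		// `ec2` so it does not shadow the ec2 package for the rest of the closure.
		instance, err := ec2.NewInstance(ctx, "CNAPPgoat-ec2-open-public-instance", &ec2.InstanceArgs{
			InstanceType:             pulumi.String("t2.micro"),
			AssociatePublicIpAddress: pulumi.BoolPtr(true),
			VpcSecurityGroupIds: pulumi.StringArray{
				securityGroup.ID(),
			},
			SubnetId: subnet.ID(),
			Ami:      pulumi.String(amiResult.Id),
			// Boot script: write index.html and serve the working directory on
			// port 80. SimpleHTTPServer is the Python 2 module; this relies on
			// `python` being Python 2 on the selected AMI — confirm if the AMI
			// filter is ever changed.
			UserData: pulumi.String(`#!/bin/bash
echo "Hello, World!" > index.html
nohup python -m SimpleHTTPServer 80 &`),
			Tags: pulumi.StringMap{
				"Name":      pulumi.String("CNAPPgoat-ec2-open-public-instance"),
				"Cnappgoat": pulumi.String("true"),
			},
		})
		if err != nil {
			return err
		}
		ctx.Export("CNAPPgoat-ec2-open-public-vpc", vpc.Arn)
		ctx.Export("CNAPPgoat-ec2-open-public-subnet", subnet.Arn)
		ctx.Export("CNAPPgoat-ec2-open-public-securitygroup", securityGroup.Arn)
		ctx.Export("CNAPPgoat-ec2-open-public-instance", instance.Arn)
		return nil
	})
}
--------------------------------------------------------------------------------
/scenarios/dspm/aws/s3-organization-storage-pci-data/Pulumi.yaml:
--------------------------------------------------------------------------------
name: dspm-aws-s3-organization-storage-pci-data
runtime: yaml
description: The scenario provision organization access level S3 bucket containing PCI data.
cnappgoat-params:
  description: In this scenario, an Amazon Simple Storage Service (S3) bucket restricted to organization access
    only is provisioned to store payment card industry (PCI) data.
    The data is maintained in two distinct files. The primary purpose of this scenario is to emulate an AWS S3 bucket containing basic sensitive information,
    with the goal of testing a data security product's ability to detect such data.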
9 | This assessment is vital in evaluating the security product's effectiveness in identifying and 10 | safeguarding sensitive information housed within cloud-based storage services 11 | friendlyName: Organization access level S3 Bucket with PCI data 12 | id: dspm-aws-s3-organization-storage-pci-data 13 | module: dspm 14 | scenarioType: native 15 | platform: aws 16 | 17 | variables: 18 | myOrganization: 19 | fn::invoke: 20 | function: aws:organizations:getOrganization 21 | arguments: {} 22 | 23 | resources: 24 | cnappgoatBucket: 25 | type: aws:s3:BucketV2 26 | properties: 27 | tags: 28 | Cnappgoat: true 29 | cnappgoatBucketOwnershipControls: 30 | type: aws:s3:BucketOwnershipControls 31 | properties: 32 | bucket: ${cnappgoatBucket.id} 33 | rule: 34 | objectOwnership: BucketOwnerPreferred 35 | allowAccessFromOrgPolicy: 36 | type: aws:s3:BucketPolicy 37 | properties: 38 | bucket: ${cnappgoatBucket.id} 39 | policy: | 40 | { 41 | "Version": "2012-10-17", 42 | "Statement": [ 43 | { 44 | "Sid": "Allow", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "s3:*", 48 | "Resource": [ 49 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 50 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 51 | ], 52 | "Condition": { 53 | "StringEquals": { 54 | "aws:PrincipalOrgID": "${myOrganization.id}" 55 | } 56 | } 57 | } 58 | ] 59 | } 60 | options: 61 | dependsOn: 62 | - ${cnappgoatBucketOwnershipControls} 63 | synced-folder: 64 | type: synced-folder:index:S3BucketFolder 65 | properties: 66 | path: ./data 67 | bucketName: ${cnappgoatBucket.id} 68 | acl: private 69 | 70 | outputs: 71 | bucketArn: ${cnappgoatBucket.arn} 72 | bucketId: ${cnappgoatBucket.id} 73 | DomainName: ${cnappgoatBucket.bucketRegionalDomainName} 74 | -------------------------------------------------------------------------------- /scenarios/dspm/aws/s3-organization-storage-phi-data/Pulumi.yaml: -------------------------------------------------------------------------------- 1 | name: 
dspm-aws-s3-organization-storage-phi-data 2 | runtime: yaml 3 | description: The scenario provision organization access level S3 bucket containing PHI data. 4 | cnappgoat-params: 5 | description: In this scenario, an Amazon Simple Storage Service (S3) bucket restricted to organization access 6 | only is provisioned to store protected health information (PHI) data. 7 | The data is maintained in two distinct files. The primary purpose of this scenario is to emulate an AWS S3 bucket containing basic sensitive information, 8 | with the goal of testing a data security product's ability to detect such data. 9 | This assessment is vital in evaluating the security product's effectiveness in identifying and 10 | safeguarding sensitive information housed within cloud-based storage services 11 | friendlyName: Organization access level S3 Bucket with PHI data 12 | id: dspm-aws-s3-organization-storage-phi-data 13 | module: dspm 14 | scenarioType: native 15 | platform: aws 16 | 17 | variables: 18 | myOrganization: 19 | fn::invoke: 20 | function: aws:organizations:getOrganization 21 | arguments: {} 22 | 23 | resources: 24 | cnappgoatBucket: 25 | type: aws:s3:BucketV2 26 | properties: 27 | tags: 28 | Cnappgoat: true 29 | cnappgoatBucketOwnershipControls: 30 | type: aws:s3:BucketOwnershipControls 31 | properties: 32 | bucket: ${cnappgoatBucket.id} 33 | rule: 34 | objectOwnership: BucketOwnerPreferred 35 | allowAccessFromOrgPolicy: 36 | type: aws:s3:BucketPolicy 37 | properties: 38 | bucket: ${cnappgoatBucket.id} 39 | policy: | 40 | { 41 | "Version": "2012-10-17", 42 | "Statement": [ 43 | { 44 | "Sid": "Allow", 45 | "Effect": "Allow", 46 | "Principal": "*", 47 | "Action": "s3:*", 48 | "Resource": [ 49 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 50 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 51 | ], 52 | "Condition": { 53 | "StringEquals": { 54 | "aws:PrincipalOrgID": "${myOrganization.id}" 55 | } 56 | } 57 | } 58 | ] 59 | } 60 | options: 61 | dependsOn: 62 | - 
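${cnappgoatBucketOwnershipControls}
  synced-folder:
    type: synced-folder:index:S3BucketFolder
    properties:
      path: ./data
      bucketName: ${cnappgoatBucket.id}
      acl: private

outputs:
  bucketArn: ${cnappgoatBucket.arn}
  bucketId: ${cnappgoatBucket.id}
  DomainName: ${cnappgoatBucket.bucketRegionalDomainName}

--------------------------------------------------------------------------------
/scenarios/cspm/gcp/compute-public-image-registry/main.go:
--------------------------------------------------------------------------------
package main

import (
	"github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/artifactregistry"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/config"
	"github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/organizations"
	"github.com/pulumi/pulumi-random/sdk/v4/go/random"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main provisions the "compute-public-image-registry" CSPM scenario: a
// Docker-format Artifact Registry repository, an image built from the local
// Dockerfile and pushed into it, and an IAM binding granting
// roles/artifactregistry.reader to allUsers. The public binding is the
// misconfiguration under test and is intentional. The repository URL is exported.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Project and region are read from the stack config (gcp:project / gcp:region).
		project := config.GetProject(ctx)
		region := config.GetRegion(ctx)

		// Four lowercase alphanumerics appended to the repository ID so repeated
		// deployments in the same project/region do not collide.
		suffix, err := random.NewRandomString(ctx, "unique-string", &random.RandomStringArgs{
			Length:  pulumi.Int(4),
			Lower:   pulumi.Bool(true),
			Upper:   pulumi.Bool(false),
			Numeric: pulumi.Bool(true),
			Special: pulumi.Bool(false),
		})
		if err != nil {
			return err
		}
		repoID := pulumi.Sprintf("cnappgoat-%s", suffix.Result)

		// Docker-format repository; made world-readable further down.
		repo, err := artifactregistry.NewRepository(ctx, "repository", &artifactregistry.RepositoryArgs{
			Description:  pulumi.String("Repository for container image"),
			Format:       pulumi.String("DOCKER"),
			Location:     pulumi.String(region),
			RepositoryId: repoID,
		})
		if err != nil {
			return err
		}

		// The deploying identity's OAuth2 access token authenticates the push.
		clientConfig, err := organizations.GetClientConfig(ctx)
		if err != nil {
			return err
		}
		// Wrap the token as a secret output. Registry credentials are resource
		// inputs of the Image below; as a plain pulumi.String the token would be
		// recorded in the stack state (and can appear in preview/up diffs) in
		// cleartext. ToSecret keeps it encrypted in state and redacted in CLI output.
		registryToken := pulumi.ToSecret(pulumi.String(clientConfig.AccessToken)).(pulumi.StringOutput)

		// <region>-docker.pkg.dev/<project>/<repository>
		repoURL := pulumi.Sprintf("%s-docker.pkg.dev/%s/%s", repo.Location, project, repo.RepositoryId)

		// Build from the scenario directory and push under the mutable "latest" tag.
		_, err = docker.NewImage(ctx, "cnappgoat-image", &docker.ImageArgs{
			Build: &docker.DockerBuildArgs{
				Context: pulumi.String("."),
			},
			ImageName: pulumi.Sprintf("%s/%s:%s", repoURL, "cnappgoat-public-image", "latest"),
			Registry: docker.ImageRegistryArgs{
				Server:   repoURL,
				Username: pulumi.String("oauth2accesstoken"),
				Password: registryToken,
			},
		})
		if err != nil {
			return err
		}

		// Grant anonymous read on the whole repository (allUsers). This is the
		// deliberate exposure: any unauthenticated client can pull every image
		// in this repository, not only the one pushed above. No ordering is
		// declared between the push and this binding; both depend only on repo.
		_, err = artifactregistry.NewRepositoryIamMember(ctx, "publicImageIamMember", &artifactregistry.RepositoryIamMemberArgs{
			Location:   pulumi.String(region),
			Repository: repo.RepositoryId,
			Role:       pulumi.String("roles/artifactregistry.reader"),
			Member:     pulumi.String("allUsers"),
		})
		if err != nil {
			return err
		}

		ctx.Export("repositoryUrl", repoURL)
		return nil
	})
}
--------------------------------------------------------------------------------
/scenarios/dspm/aws/s3-organization-storage-basic-pii-data/Pulumi.yaml:
--------------------------------------------------------------------------------
name: dspm-aws-s3-organization-storage-basic-pii-data
runtime: yaml
description: The scenario provision Organization access level S3 bucket containing PII data.
cnappgoat-params:
  description: In this scenario, an Amazon Simple Storage Service (S3) bucket restricted to organization access
    only is provisioned to store personally identifiable information (PII) data.
    The data is maintained in two distinct files, one formatted in CSV and the other in JSON.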
8 | The primary purpose of this scenario is to emulate an AWS S3 bucket containing basic sensitive information, 9 | with the goal of testing a data security product's ability to detect such data. 10 | This assessment is vital in evaluating the security product's effectiveness in identifying and 11 | safeguarding sensitive information housed within cloud-based storage services 12 | friendlyName: Organization access level S3 Bucket with Basic PII Data 13 | id: dspm-aws-s3-organization-storage-basic-pii-data 14 | module: dspm 15 | scenarioType: native 16 | platform: aws 17 | 18 | variables: 19 | myOrganization: 20 | fn::invoke: 21 | function: aws:organizations:getOrganization 22 | arguments: {} 23 | 24 | resources: 25 | cnappgoatBucket: 26 | type: aws:s3:BucketV2 27 | properties: 28 | tags: 29 | Cnappgoat: true 30 | cnappgoatBucketOwnershipControls: 31 | type: aws:s3:BucketOwnershipControls 32 | properties: 33 | bucket: ${cnappgoatBucket.id} 34 | rule: 35 | objectOwnership: BucketOwnerPreferred 36 | allowAccessFromOrgPolicy: 37 | type: aws:s3:BucketPolicy 38 | properties: 39 | bucket: ${cnappgoatBucket.id} 40 | policy: | 41 | { 42 | "Version": "2012-10-17", 43 | "Statement": [ 44 | { 45 | "Sid": "Allow", 46 | "Effect": "Allow", 47 | "Principal": "*", 48 | "Action": "s3:*", 49 | "Resource": [ 50 | "arn:aws:s3:::${cnappgoatBucket.bucket}", 51 | "arn:aws:s3:::${cnappgoatBucket.bucket}/*" 52 | ], 53 | "Condition": { 54 | "StringEquals": { 55 | "aws:PrincipalOrgID": "${myOrganization.id}" 56 | } 57 | } 58 | } 59 | ] 60 | } 61 | options: 62 | dependsOn: 63 | - ${cnappgoatBucketOwnershipControls} 64 | synced-folder: 65 | type: synced-folder:index:S3BucketFolder 66 | properties: 67 | path: ./data 68 | bucketName: ${cnappgoatBucket.id} 69 | acl: private 70 | 71 | outputs: 72 | bucketArn: ${cnappgoatBucket.arn} 73 | bucketId: ${cnappgoatBucket.id} 74 | DomainName: ${cnappgoatBucket.bucketRegionalDomainName} 75 | 
-------------------------------------------------------------------------------- /scenarios/cwpp/aws/end-of-life-ec2/main.go: --------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
5 | "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2"
6 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
7 | )
8 |
// main stands up a VPC, one subnet, a security group and a single t2.micro
// instance booted from the most recent AMI matching "ubuntu*21.10*". Ubuntu 21.10
// is no longer supported, so the running instance is the scenario's intended
// end-of-life finding. Every resource is created through an explicitly
// constructed, default-configured aws provider. Errors are returned unchanged to
// pulumi.Run, which aborts the update.
9 | func main() {
10 | pulumi.Run(func(ctx *pulumi.Context) error {
// Empty ProviderArgs: region and credentials come from the ambient Pulumi/AWS config.
11 | awsProvider, err := aws.NewProvider(ctx, "awsProvider", &aws.ProviderArgs{})
12 |
13 | if err != nil {
14 | return err
15 | }
16 |
17 | // Create a new VPC
18 | vpc, err := ec2.NewVpc(ctx, "custom-vpc", &ec2.VpcArgs{
19 | CidrBlock: pulumi.String("10.0.0.0/16"),
20 | }, pulumi.Provider(awsProvider))
21 | if err != nil {
22 | return err
23 | }
24 |
25 | // Create a new subnet in the VPC
26 | subnet, err := ec2.NewSubnet(ctx, "custom-subnet", &ec2.SubnetArgs{
27 | VpcId: vpc.ID(),
28 | CidrBlock: pulumi.String("10.0.1.0/24"),
29 |
30 | }, pulumi.Provider(awsProvider))
31 | if err != nil {
32 | return err
33 | }
34 |
35 | // Create a new security group that allows SSH and HTTP access
// NOTE(review): the Description string says "SSH and HTTP" but the only ingress
// rule below is TCP/22, open to 0.0.0.0/0; no HTTP rule exists. Egress is
// unrestricted. No internet gateway or route table is created in this file, so
// whether the public IP assigned further down is actually reachable from the
// internet depends on VPC defaults/other stacks — not determinable from here.
36 | group, err := ec2.NewSecurityGroup(ctx, "web-secgrp", &ec2.SecurityGroupArgs{
37 | VpcId: vpc.ID(),
38 | Description: pulumi.String("Enable SSH and HTTP access"),
39 | Ingress: ec2.SecurityGroupIngressArray{
40 | ec2.SecurityGroupIngressArgs{
41 | Protocol: pulumi.String("tcp"),
42 | FromPort: pulumi.Int(22),
43 | ToPort: pulumi.Int(22),
44 | CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
45 | },
46 | },
47 | Egress: ec2.SecurityGroupEgressArray{
48 | ec2.SecurityGroupEgressArgs{
49 | Protocol: pulumi.String("-1"),
50 | FromPort: pulumi.Int(0),
51 | ToPort: pulumi.Int(0),
52 | CidrBlocks: pulumi.StringArray{pulumi.String("0.0.0.0/0")},
53 | },
54 | },
55 | }, pulumi.Provider(awsProvider))
56 | if err != nil {
57 | return err
58 | }
59 |
60 | // Get the Ubuntu 21.10 AMI
// MostRecent is a *bool in GetAmiArgs, hence the addressable local.
61 | mostRecent := true
62 |
// NOTE(review): Canonical publishes its Ubuntu AMIs under its own account, while
// Owners here is restricted to "amazon"; confirm this lookup resolves in the target
// region, because GetAmi returns an error (and the update fails) when nothing matches.
amiResult, err := aws.GetAmi(ctx, &aws.GetAmiArgs{
63 | Owners: []string{"amazon"},
64 | MostRecent: &mostRecent,
65 | Filters: []aws.GetAmiFilter{{Name: "name", Values: []string{"ubuntu*21.10*"}},
66 | {Name: "architecture", Values: []string{"x86_64"}}},
67 | })
68 | if err != nil {
69 | return err
70 | }
71 |
// The instance gets a public IP and the SSH-open security group above; no
// KeyName or UserData is set here.
72 | _, err = ec2.NewInstance(ctx, "CnappgoatCWPPEndOfLifeEC2", &ec2.InstanceArgs{
73 | Ami: pulumi.String(amiResult.Id),
74 | InstanceType: pulumi.String("t2.micro"),
75 | VpcSecurityGroupIds: pulumi.StringArray{group.ID()},
76 | SubnetId: subnet.ID(), // associate the instance with the subnet
77 | AssociatePublicIpAddress: pulumi.Bool(true),
78 | Tags: pulumi.StringMap{"Name": pulumi.String("CnappgoatCWPPEndOfLifeEC2")},
79 | }, pulumi.Provider(awsProvider))
80 | if err != nil {
81 | return err
82 | }
83 |
84 | return nil
85 | })
86 | }
87 |
-------------------------------------------------------------------------------- /scenarios/cwpp/azure/malicious-container-xmrig-on-acr/main.go: --------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "github.com/pulumi/pulumi-azure-native-sdk/containerregistry"
5 | "github.com/pulumi/pulumi-azure-native-sdk/resources"
6 | "github.com/pulumi/pulumi-docker/sdk/v3/go/docker"
7 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
8 | "github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
9 | )
10 |
// main creates a resource group and a Basic-SKU Azure Container Registry with the
// admin user enabled, reads that admin username/password back, builds the image
// from the local Dockerfile and pushes it as malicious-xmrig:latest, then exports
// the registry login server. The pushed image is the scenario's sample for testing
// whether a workload-protection product flags a known miner image in a registry.
// Errors are returned unchanged to pulumi.Run, which aborts the update.
11 | func main() {
12 | pulumi.Run(func(ctx *pulumi.Context) error {
13 | // Read the desired region from the Pulumi configuration
// Require aborts the program if azure-native:location is not set for the stack.
14 | cfg := config.New(ctx, "azure-native")
15 | azureLocation := cfg.Require("location")
16 |
17 | // Create an Azure Resource Group
18 | resourceGroup, err := resources.NewResourceGroup(ctx, "cnappgoat", &resources.ResourceGroupArgs{
19 | Location: pulumi.String(azureLocation),
20 | })
21 | if err != nil {
22 | return err
23 | }
24 |
25 | // Create an Azure Container Registry
// AdminUserEnabled turns on the registry's built-in admin account: a single shared
// username/password not tied to any Azure identity. It is the only credential the
// docker push below uses.
26 | acr, err := containerregistry.NewRegistry(ctx, "cnappgoatACR",
&containerregistry.RegistryArgs{
27 | ResourceGroupName: resourceGroup.Name,
28 | Location: resourceGroup.Location,
29 | Sku: &containerregistry.SkuArgs{
30 | Name: pulumi.String("Basic"),
31 | },
32 | AdminUserEnabled: pulumi.Bool(true),
33 | })
34 | if err != nil {
35 | return err
36 | }
37 |
38 | // Get the ACR credentials
// ListRegistryCredentials runs once both the resource-group and registry names
// have resolved; the whole result is carried as a single output.
39 | acrCreds := pulumi.All(resourceGroup.Name, acr.Name).ApplyT(
40 | func(args []interface{}) (*containerregistry.ListRegistryCredentialsResult, error) {
41 | resourceGroupName := args[0].(string)
42 | registryName := args[1].(string)
43 | return containerregistry.ListRegistryCredentials(ctx, &containerregistry.ListRegistryCredentialsArgs{
44 | ResourceGroupName: resourceGroupName,
45 | RegistryName: registryName,
46 | })
47 | },
48 | )
49 |
// Username is dereferenced without a nil check, and Passwords[0] is indexed
// without a length check: an unexpected API response panics inside the Apply
// instead of surfacing as an error.
50 | adminUsername := acrCreds.ApplyT(func(result interface{}) (string, error) {
51 | credentials := result.(*containerregistry.ListRegistryCredentialsResult)
52 | return *credentials.Username, nil
53 | }).(pulumi.StringOutput)
// NOTE(review): adminPassword is a plain StringOutput, not wrapped with
// pulumi.ToSecret; unless the azure-native SDK already marks this result secret,
// the registry password may be persisted in plaintext in the stack state — confirm.
54 | adminPassword := acrCreds.ApplyT(func(result interface{}) (string, error) {
55 | credentials := result.(*containerregistry.ListRegistryCredentialsResult)
56 | return *credentials.Passwords[0].Value, nil
57 | }).(pulumi.StringOutput)
58 |
59 | // Build and push the image to the private ACR repository
// Build context "." with an explicit Dockerfile name; tagged :latest under the
// registry's login server.
60 | _, err = docker.NewImage(ctx, "malicious-xmrig", &docker.ImageArgs{
61 | Build: &docker.DockerBuildArgs{
62 | Context: pulumi.String("."),
63 | Dockerfile: pulumi.String("Dockerfile"),
64 | },
65 | ImageName: pulumi.Sprintf("%s/%s:%s", acr.LoginServer, "malicious-xmrig", "latest"),
66 | Registry: docker.ImageRegistryArgs{
67 | Server: acr.LoginServer,
68 | Username: adminUsername,
69 | Password: adminPassword,
70 | },
71 | })
72 | if err != nil {
73 | return err
74 | }
75 |
// Only the login server is exported; the admin credentials are not.
76 | ctx.Export("acrLoginServer", acr.LoginServer)
77 | return nil
78 | })
79 | }
80 |
--------------------------------------------------------------------------------