Introducing CfnGoat, a vulnerable-by-design CloudFormation training tool

CfnGoat by Bridgecrew

We’re excited to release CfnGoat 🐐, a security training project for AWS CloudFormation.

In addition to TerraGoat, our vulnerable-by-design security training project for Terraform, CfnGoat is available to teach developers how to identify and avoid AWS CloudFormation misconfigurations and security risks.

For AWS customers, CloudFormation makes cloud provisioning simple and scalable by leveraging configuration as code and automation. Along with other infrastructure as code frameworks, CloudFormation is gaining popularity as teams shift away from manual provisioning to immutable infrastructure.

While it has tons of benefits when it comes to improving DevOps efficiencies, it can also add complexity to your existing AWS infrastructure. Adding new layers of configuration can make it harder to understand what policies are being enforced and where.

At Bridgecrew, we see CloudFormation as an opportunity to help shift cloud security earlier in the development lifecycle, but we also know that adopting IaC comes with a learning curve. For security and compliance practitioners, staying on top of general security and compliance best practices is difficult on its own, let alone having to understand the nuances of making changes to immutable infrastructure logic.

With CfnGoat, our goal is to give developers and security engineering teams a leg up in learning how to spot bad IaC configurations without polluting your own AWS account.

How CfnGoat works

CfnGoat requires the AWS CLI.

aws cloudformation create-stack --stack-name cfngoat --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 --capabilities CAPABILITY_NAMED_IAM

Note: Provisioning may take at least 5 minutes.

Multiple stacks can be deployed simultaneously by changing the --stack-name and adding an Environment parameter:

aws cloudformation create-stack --stack-name cfngoat2 --template-body file://cfngoat.yaml --region us-east-1 --parameters ParameterKey=Password,ParameterValue=MyPassword10 ParameterKey=Environment,ParameterValue=dev2 --capabilities CAPABILITY_NAMED_IAM

Once deployed, you’ll be able to explore several violations of infrastructure security best practices such as:

  • Data being stored in unencrypted EBS volumes
  • Data being publicly available through weak S3 ACLs
  • EC2 hosts publicly exposed through weak security group configuration
  • Inability to audit S3 changes due to disabled versioning
  • Unencrypted RDS databases
  • Privilege escalation through wide-scoped IAM policies
  • Privilege escalation through API keys stored insecurely
  • And many, many more

To see full documentation and all included checks, check out CfnGoat on GitHub. We encourage you to fork the CfnGoat repo and practice troubleshooting and debugging bad infrastructure for yourself.
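To make a few of the items in the list above concrete, here is a small checker written for this article as an added example. It is not CfnGoat's or Checkov's own code, and it covers only five of the listed misconfigurations. The template and its resource names are constructed for illustration and are not taken from cfngoat.yaml.

```python
import json

# Constructed sample template (JSON form of CloudFormation); resource names are made up.
TEMPLATE = json.loads("""
{
  "Resources": {
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 1, "Encrypted": false}},
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "mysql"}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "VersioningConfiguration": {"Status": "Enabled"}}}
  }
}
""")

def is_true(value):
    # CloudFormation accepts booleans as true or "true"; a missing property is not true.
    return value is True or str(value).lower() == "true"

def findings(template):
    """Return (resource name, message) pairs for the misconfigurations checked here."""
    out = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::Volume" and not is_true(props.get("Encrypted")):
            out.append((name, "EBS volume not encrypted"))
        elif rtype == "AWS::RDS::DBInstance" and not is_true(props.get("StorageEncrypted")):
            out.append((name, "RDS storage not encrypted"))
        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                out.append((name, "S3 bucket has a public ACL"))
            if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
                out.append((name, "S3 versioning disabled"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    out.append((name, f"ingress open to the world on port {rule.get('FromPort')}"))
    return out

if __name__ == "__main__":
    for name, message in findings(TEMPLATE):
        print(f"FAILED {name}: {message}")
```

The checker only reads literal property values; real templates often set these through parameters or intrinsic functions such as Ref, which a purpose-built scanner has to resolve.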

Scanning for misconfigs in CfnGoat with Checkov

You can also use CfnGoat with our open-source IaC scanning tool, Checkov, to highlight IaC (including CloudFormation and Terraform) misconfigurations pre-deployment. With Checkov you can scan the growing list of “vulnerable-by-design” resources that CfnGoat provisions before they hit your AWS account.

Use Checkov pre-commit hooks or linters to identify errors before they are pushed to runtime, identify common missing arguments, and explore security layering concepts like security groups and IAM hardening.

To get started, clone the CfnGoat repo:

git clone
cd cfngoat

Next, install Checkov:

python3 -m pip install checkov

And use it to scan your CfnGoat:

checkov -f cfngoat.yaml

Reviewing the output, you can see dozens of failed checks including the relevant code and line numbers affected. Clicking on the Guide links will provide you with full context and impact of each policy.

You can also have Checkov only print details for failed checks with the --quiet flag:

Scanning for these violations first-hand is a great way to get acquainted with CloudFormation, common misconfigurations and their associated risks.

We hope you find this tool valuable and appreciate your contributions! Be sure to ⭐️ this project on GitHub, and join our Slack Community to meet other IaC security enthusiasts.