DEV Community

Bennet Sharwin

Setting up AWS Goat

Objective

Run AWS Goat on a real AWS account → practice discovery & remediation on actual AWS infrastructure with real IAM policies, real networking, and real cloud attack paths.


Goals & constraints

  1. Goal: Deploy AWS Goat on a real AWS account to understand how vulnerable services behave in an actual cloud environment.

  2. Constraint: Minimize charges - destroy resources when done. Monitor billing → Free Tier covers most AWS Goat labs.


Required tools

  • AWS Account (Free Tier works)

  • AWS CLI

  • Terraform

  • Kali/Parrot VM (attacker environment)

  • IDE for editing Terraform files (VSCode recommended)


High-level architecture

  1. Real AWS Account - all resources deployed into AWS cloud.

  2. Terraform - provisions vulnerable AWS Goat modules.

  3. Attacker VM - uses AWS CLI/SDKs to enumerate & exploit.

  4. Control machine - where Terraform & AWS CLI run.

Isolation: use a separate AWS account or AWS Organizations sub-account to avoid contaminating production environments.


AWS Goat Pentesting Lab

1. Configure AWS CLI for real AWS

Create an AWS profile:

aws configure --profile awsgoat

Use your real AWS credentials:

AWS Access Key ID: <YOUR_KEY>
AWS Secret Access Key: <YOUR_SECRET>
Default region name: us-east-1
Default output format: json

You can find your keys, or create a new one, in the AWS console under Your account > Security Credentials > Create Access Key.

Environment variables are needed because Terraform uses them to find the access keys:

export AWS_PROFILE=awsgoat
export AWS_DEFAULT_REGION=us-east-1
export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxx
export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxx

Add these to your .bashrc, or run them in the current terminal session (recommended, since it keeps the secret key out of your shell startup file).
The profile name should be the same as the one you configured the aws command with.


2. Clone AWS Goat repository

git clone https://github.com/ine-labs/AWSGoat
cd AWSGoat/modules/module-1

3. Use the default Terraform provider

Your provider should look like this in the main.tf file:

provider "aws" {
  region = "us-east-1"
}

Terraform will now connect directly to AWS.


4. Initialize Terraform

terraform init


5. Deploy AWS Goat to real AWS

terraform apply -auto-approve

Terraform will start provisioning vulnerable infrastructure: S3 buckets, Lambda, IAM roles, EC2, API Gateway, etc.


Grab a coffee, this will take a few minutes.



6. Verify AWS Goat resources in AWS

List S3 buckets:

aws s3 ls --profile awsgoat

List Lambda functions:

aws lambda list-functions --profile awsgoat

List EC2 instances:

aws ec2 describe-instances --profile awsgoat


The instances have now been created and a public URL has been generated. After pentesting, you can destroy everything you created using Terraform itself.


Cleanup (important)

Always destroy resources when finished:

terraform destroy -auto-approve

This prevents unnecessary AWS charges.
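
A guard for the deploy and cleanup steps, added here as an example and not part of the original post or the AWSGoat project: it refuses to run Terraform unless the active credentials resolve to the account you designated as the isolated lab, and it fails if anything is still in Terraform state after destroy. The function names and the LAB_ACCOUNT_ID variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): guard rails around the lab's
# terraform apply/destroy. LAB_ACCOUNT_ID and all function names are assumed.

# Account ID that the currently active credentials resolve to.
current_account() {
  aws sts get-caller-identity --query Account --output text
}

# Return 0 only when the credentials belong to the expected lab account.
preflight() {
  expected="$1"
  # An AWS account ID is exactly 12 digits; reject anything else early.
  case "$expected" in
    ''|*[!0-9]*) echo "expected account ID must be 12 digits" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 12 ] || { echo "expected account ID must be 12 digits" >&2; return 2; }
  actual="$(current_account)" || { echo "cannot resolve caller identity" >&2; return 3; }
  if [ "$actual" != "$expected" ]; then
    echo "refusing: credentials resolve to $actual, lab account is $expected" >&2
    return 1
  fi
}

# Resources still tracked in Terraform state (0 after a clean destroy,
# and also 0 when no state can be read at all).
leftover_count() {
  terraform state list 2>/dev/null | grep -c . || true
}

# Deploy only into the lab account; -auto-approve skips Terraform's own prompt,
# so this identity check is the only gate before resources are created.
guarded_apply() {
  preflight "$1" && terraform apply -auto-approve
}

# Destroy, then fail loudly if anything is still in state.
guarded_destroy() {
  preflight "$1" || return $?
  terraform destroy -auto-approve || return $?
  n="$(leftover_count)"
  [ "$n" -eq 0 ] || { echo "$n resources still in state" >&2; return 1; }
}

# Usage: guarded_apply "$LAB_ACCOUNT_ID"   then later   guarded_destroy "$LAB_ACCOUNT_ID"
```

Source the file from the module directory so that the Terraform commands act on the same state as the manual steps.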

Disclaimer

This setup is designed to run within the AWS Free Tier by default. However, staying within the Free Tier is not guaranteed. Usage beyond the intended scope, leaving resources running longer than necessary, or modifying the deployment may result in charges. Always monitor your AWS billing dashboard and ensure all provisioned resources are properly destroyed when no longer needed.
