⚠️ AWS ECR & EKS Security Masterclass - From Exploitation to Defense ⚠️

Authored by Anjali Shukla & Divyanshu Shukla for kubernetesvillage community.

Workshop Overview

The AWS EKS Red Team Masterclass - From Exploitation to Defense is an immersive workshop designed to take participants through real-world scenarios of attacking and defending Kubernetes clusters hosted on AWS EKS.

This workshop provides a comprehensive approach, from understanding the anatomy of attacks on EKS clusters using AWS ECR to deploying robust defense mechanisms. Participants will learn how to backdoor AWS ECR image & exploit misconfigurations and vulnerabilities within AWS EKS, followed by the implementation of best security practices to safeguard the environment.

• Key Takeaways:
  • Hands-on labs focused on exploiting EKS misconfigurations.
  • Techniques for lateral movement, privilege escalation, and post-exploitation using AWS ECR in AWS EKS .
  • Deep dive into securing AWS EKS clusters by leveraging IAM roles and AWS ECR.

This workshop is tailored for security professionals, cloud engineers, and DevOps teams looking to enhance their understanding of offensive and defensive Kubernetes security strategies.

🚀 Prerequisites for EKS Security Workshop 🚀

• ❗ Gmail Account
  • Gmail account to access the documentation.
• 🔧 GitHub Codespace Setup
  • Set up GitHub for Codespace so that the lab can be configured & deployed.
• 🔑 Bring Your Own AWS Account
  • Participants are required to bring an AWS account with billing enabled and admin privileges.
• 💻 Laptop with Browser
  • Laptop with an updated browser (Administrative Privileges if required).

Setup & Walkthrough Documentation

• Deployment Documentation

Credits

Reach out in case of missing credits.

• Kubernetes Architecture
• Credits for image: Offensive Security Say – Try Harder!
• madhuakula
• vulhub
• Amazon EKS Security Immersion Day
• eksworkshop.com - GuardDuty Log Monitoring
• Kubernetes Architecture
• Tech Blog by Anoop Ka - Kyverno
• Microsoft Attack Matrix for Kubernetes
• Datadog Security Labs - EKS Attacking & Securing Cloud Identities
• HackTricks AWS EKS Enumeration
• AWS EKS Best Practices
• Amazon EMR IAM Setup for EKS
• AWS EKS Pod Identities
• Anais URL - Container Image Layers Explained
• GitLab - Beginner’s Guide to Container Security
• Wiz.io Academy - What is Container Security
• JFrog Blog - 10 Helm Tutorials
• Datadog Security Labs - EKS Cluster Access Management
• ChatGPT - For Re-phrasing & Re-writing
• Okey Ebere Blessing - AWS EKS Authentication & Authorization
• Microsoft Blog - Attack Matrix for Kubernetes
• Subbaraj Penmetsa - OPA Gatekeeper for Amazon EKS
• Open Policy Agent GitHub
• OPA Gatekeeper Documentation
• Gatekeeper Library on GitHub
• CDK EKS Blueprints - OPA Gatekeeper
• AWS EKS Documentation
• Datadog Security Labs - EKS Attacking & Securing Cloud Identities
• Cloud HackTricks Kubernetes Enumeration
• Attacking & Defending Kubernetes training

Disclaimer

• The information, commands, and demonstrations presented in this course, AWS EKS Red Team Masterclass - From Exploitation to Defense, are intended strictly for educational purposes. Under no circumstances should they be used to compromise or attack any system outside the boundaries of this educational session unless explicit permission has been granted.

  • This course is provided by the instructors independently and is not endorsed by their employers or any other corporate entity. The content does not necessarily reflect the views or policies of any company or professional organization associated with the instructors.

• Usage of Training Material: The training material is provided without warranties or guarantees. Participants are responsible for applying the techniques or methods discussed during the training. The trainers and their respective employers or affiliated companies are not liable for any misuse or misapplication of the information provided.

• Liability: The trainers, their employers, and any affiliated companies are not responsible for any direct, indirect, incidental, or consequential damages arising from the use of the information provided in this course. No responsibility is assumed for any injury or damage to persons, property, or systems as a result of using or operating any methods, products, instructions, or ideas discussed during the training.

• Intellectual Property: This course and all accompanying materials, including slides, worksheets, and documentation, are the intellectual property of the trainers. They are shared under the Apache License 2.0, which requires that appropriate credit be given to the trainers whenever the materials are used, modified, or redistributed.

• References: Some of the labs referenced in this workshop are based on open-source materials available at Amazon EKS Security Immersion Day GitHub repository, licensed under the MIT License. Additionally, modifications and fixes have been applied using AI tools such as Amazon Q, ChatGPT, and Gemini.

• Educational Purpose: This lab is for educational purposes only. Do not attack or test any website or network without proper authorization. The trainers are not liable or responsible for any misuse.

• Usage Rights: Individuals are permitted to use this course for instructional purposes, provided that no fees are charged to the students.

Note: Currently unable to provide the support in case facing any deployment issue. This lab is for educational purposes only. Do not attack or test any website or network without proper authorization. The trainers are not liable or responsible for any misuse and this course provided independently and is not endorsed by their employers or any other corporate entity. Refer to disclaimer section at ekssecurity.kubernetesvillage.com