Workshop

Seasides 2025 Edition

EKS Goat: AWS EKS Security Masterclass

The EKS Goat: AWS EKS Security Masterclass is an immersive security workshop designed to take participants through real-world scenarios of attacking and defending Kubernetes clusters hosted on AWS EKS.

This workshop provides a comprehensive approach, from understanding the anatomy of attacks on EKS clusters to deploying robust defense mechanisms. Participants will learn how to exploit misconfigurations and vulnerabilities within AWS EKS, followed by the implementation of best security practices to safeguard the environment.

1. Welcome, Introduction, and Agenda (9:00 – 9:15 AM)

  • Brief introduction to the training and its objectives.
  • Outline the flow of the day.

2. Prerequisites Overview (9:15 – 9:30 AM)

  • Discuss setup requirements for AWS accounts and GitHub Codespace.

3. Lab Environment Setup (9:30 – 10:15 AM)

  • Guide participants through:
    • Setting up AWS IAM Users.
    • Configuring GitHub Codespace for labs.

4. Container Security Overview (10:15 – 10:45 AM)

  • Cover the basics of Docker:
    • Images, layers, and namespaces.
    • Understanding how Docker underpins containerized environments.

5. Docker Security (10:45 – 11:15 AM)

  • Discuss Docker-specific security features:
    • Secrets management.
    • Static analysis using tools like Dockle, Hadolint, and Docker Bench.

6. AWS ECR Overview (11:30 – 12:00 PM)

  • Introduce AWS Elastic Container Registry (ECR):
    • Pushing and running Docker images.
    • Securing container images in ECR.

7. AWS EKS Fundamentals (12:00 – 12:45 PM)

  • Overview of Kubernetes and AWS EKS:
    • Key components and terminologies.
    • Kubernetes architecture basics.

8. Lab: Deploying Vulnerable Infrastructure (1:45 – 2:30 PM)

  • Deploy a vulnerable AWS EKS setup for hands-on practice.

9. Labs on Exploiting EKS (2:30 – 3:15 PM)

  • Hands-on activities to exploit EKS vulnerabilities:
    • Credential exfiltration.
    • Enumerating ECR repositories.
    • Breaking out from pods to nodes.

10. Automated Scanning in EKS (3:30 – 4:15 PM)

  • Demonstrate tools for scanning and vulnerability detection:
    • Kubescape for misconfiguration scanning.
    • kube-bench for benchmarking against the CIS Kubernetes Benchmark.

11. Defense & Hardening in EKS (4:15 – 5:00 PM)

  • Cover best practices for securing EKS:
    • Role-Based Access Control (RBAC).
    • Policies with Kyverno and CEL.
    • Threat detection using AWS GuardDuty.
    • Runtime security with the eBPF-based Tetragon.

Please use a new or dedicated AWS account for these operations. Some commands may delete data or resources within the AWS environment. The authors assume no responsibility for any data loss or unintended consequences resulting from the use of these commands.

• Hands-on labs focused on exploiting EKS misconfigurations.

• Techniques for lateral movement, privilege escalation, and post-exploitation in AWS EKS.

• Deep dive into securing AWS EKS clusters by leveraging IAM roles, Kubernetes RBAC, and network policies.

• Best practices for automating vulnerability detection and defense mechanisms in AWS EKS environments.

• Documentation: ekssecurity.kubernetesvillage.com

This workshop is tailored for security professionals, cloud engineers, and DevOps teams looking to enhance their understanding of offensive and defensive Kubernetes security strategies.