๐งจ OWASP EKS Goat โ AWS EKS Lab
Intro: OWASP EKS Goat is one of the most valuable advanced labs for cloud-native teams because it teaches both how compromise happens and how to harden and detect it in AWS EKS.
What this page includes
- why EKS Goat deserves a separate place in this knowledge base;
- what attack and defense scenarios it covers;
- how to use it safely as a training environment;
- how to turn it into a meaningful Product Security learning exercise.
What it is
OWASP EKS Goat is a hands-on AWS EKS security lab built around real-world attack and defense techniques for managed Kubernetes clusters on AWS.
Its value is that it explicitly connects:
- application compromise;
- IAM and workload identity problems;
- ECR image trust failures;
- RBAC abuse;
- pod-to-node breakout;
- defensive controls like Kubescape, Kyverno, Tetragon, and GuardDuty.
Why it is valuable
Many Kubernetes labs teach โgeneric cluster insecurity.โ EKS Goat goes further by teaching how AWS-native identity and registry trust change the problem.
That makes it particularly useful if your real environment includes:
- EKS;
- ECR;
- IAM roles for workloads;
- managed cluster operations with AWS telemetry.
Best fit
| Persona | Fit | Why |
|---|---|---|
| Senior Kubernetes / cloud engineer | Very high | Strong AWS-native attack-and-defense coverage |
| Product Security engineer | High | Excellent for EKS review, runtime, and image-trust thinking |
| Detection / IR engineer | High | Defense scenarios map cleanly to real controls |
| Newcomer | Low to Medium | Better as a later-stage lab after Kubernetes Goat |
Prerequisites and safety
This lab uses real AWS EKS resources and is not a cheap โrun it anywhereโ exercise.
Plan for:
- a dedicated AWS account per learner or team;
- billing enabled;
- clear teardown discipline;
- a browser and a stable workstation;
- written guardrails about what is in scope.
Do not run it in a shared production account.
What it teaches especially well
Attack-side learning
- misconfigured IAM roles and IRSA-like authority problems;
- ECR credential and image trust abuse;
- metadata abuse and credential theft chains;
- web-app-to-cluster compromise;
- RBAC escalation and pod-to-node breakout;
- data exfiltration paths from AWS services.
Defense-side learning
- cluster auditing with Kubescape and kube-bench;
- Dockerfile and image linting with Hadolint and similar tools;
- Pod Security Context and policy enforcement with Kyverno;
- runtime behavior detection using Tetragon;
- GuardDuty monitoring for EKS-related events.
How to use it for learning instead of spectacle
A good EKS Goat session should produce:
- one attack-path summary;
- one IAM and workload-identity review note;
- one image-trust review note;
- one runtime-detection idea;
- one hardening change list.
If the learner finishes the lab without those artifacts, the session was probably too attack-centric.
Suggested learning sequence
Stage 1 โ environment and trust mapping
- identify cluster entry points;
- identify registry trust and image flow;
- identify which workload identities matter;
- identify where AWS permissions enter the chain.
Stage 2 โ scenario work
Focus on one or two scenarios, not all of them at once. Particularly high-value topics are:
- IMDS abuse leading to credential theft;
- ECR image backdooring;
- workload-to-node breakout;
- IAM abuse leading to data exfiltration.
Stage 3 โ defender response
After the attack-side review, document:
- what GuardDuty could and could not help with;
- what Tetragon or similar runtime tools could show;
- what policy-as-code could prevent earlier;
- what image and registry guardrails should have existed.
Best pairings in this KB
- Kubernetes Security Baseline
- Trusted Images, Harbor, and Signing
- AWS Provider-Specific Cloud Attack Chains
- Runtime Investigation Playbook for Kubernetes and Containers
- High-Signal Detection Patterns and SIEM Examples
Common mistakes
- treating it like a generic Kubernetes lab and ignoring AWS identities;
- trying to do all attack and defense topics in one session;
- not planning teardown before deployment;
- not capturing lessons about image trust and workload identity.
References
- Official OWASP project page: https://owasp.org/www-project-eks-goat/
- Official repository: https://github.com/OWASP/www-project-eks-goat
- Walkthrough: https://eksgoat.peachycloudsecurity.com/
---Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.