
GoatRider

GoatRider is an AWS misconfiguration detection tool designed to identify security issues in cloud infrastructure. It scans for common misconfigurations including overpermissive IAM policies, insecure S3 buckets, unencrypted databases, exposed security groups, and other infrastructure vulnerabilities.

Installation and Setup

Install GoatRider

# Clone repository
git clone https://github.com/bridgecrewio/goatRider.git
cd goatRider

# Install Python dependencies (from the checkout; a virtualenv keeps them
# separate from system packages)
pip install -r requirements.txt

# Or install via pip (the released package, not the checkout above)
pip install goatrider

# Verify installation
goatrider --version

Configure AWS Credentials

# Configure AWS CLI (the key pair is stored in plaintext in ~/.aws/credentials)
aws configure
# Enter Access Key ID
# Enter Secret Access Key
# Enter default region
# Enter output format (json recommended)

# Or set environment variables. Typing the secret on the command line also
# writes it to shell history; prefer sourcing it from a file or a credential
# helper when the shell is shared.
export AWS_ACCESS_KEY_ID=<your-key>
export AWS_SECRET_ACCESS_KEY=<your-secret>
export AWS_DEFAULT_REGION=us-east-1

# Verify credentials (also shows which account and principal the scan will
# run as — check it before scanning)
aws sts get-caller-identity

Docker Installation

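# Build Docker image
docker build -t goatrider .

# Run in container. Mount the credential directory read-only (:ro) so a
# process in the container cannot alter ~/.aws/credentials or ~/.aws/config;
# the scanner only needs to read them.
docker run -it -v ~/.aws:/root/.aws:ro goatrider bash

# Or run directly
docker run -v ~/.aws:/root/.aws:ro goatrider goatrider scan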

Basic Scanning

Run Full AWS Scan

# Scan all AWS accounts and services
# NOTE(review): the goatrider flags on this page are not verified against the
# tool's own help output; confirm them with `goatrider scan --help` first.
goatrider scan

# Scan specific service
goatrider scan --service s3
goatrider scan --service iam
goatrider scan --service ec2
goatrider scan --service rds

# Scan specific region (presumably overrides AWS_DEFAULT_REGION — confirm)
goatrider scan --region us-east-1

# Scan all regions
goatrider scan --all-regions

Output and Reporting

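# Generate JSON report
goatrider scan --format json --output report.json

# Generate CSV report
goatrider scan --format csv --output report.csv

# Generate HTML report
goatrider scan --format html --output report.html

# View report (jq reads the file directly; no need to pipe it through cat)
jq . report.json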

S3 Bucket Misconfiguration Detection

Scan S3 Buckets

# Scan all S3 buckets
goatrider scan --service s3

# Check bucket ACL grants (look for AllUsers / AuthenticatedUsers grantees)
aws s3api get-bucket-acl --bucket <bucket-name>

# Check bucket policy (fails with NoSuchBucketPolicy when none is attached)
aws s3api get-bucket-policy --bucket <bucket-name>

# Check bucket default encryption
aws s3api get-bucket-encryption --bucket <bucket-name>

# Check bucket versioning (an empty {} means versioning was never enabled)
aws s3api get-bucket-versioning --bucket <bucket-name>

# Check MFA delete (the MFADelete key only appears once it has been
# configured, so no grep output means it is not enabled)
aws s3api get-bucket-versioning --bucket <bucket-name> | grep MFADelete

Common S3 Issues Detected

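# Public access via ACL: a grantee URI ending in AllUsers or
# AuthenticatedUsers (any permission, not only READ)
aws s3api get-bucket-acl --bucket <bucket> | grep "AllUsers\|AuthenticatedUsers"

# Public access via bucket policy — ACL checks alone miss this
aws s3api get-bucket-policy-status --bucket <bucket> --query 'PolicyStatus.IsPublic'

# No encryption
aws s3api get-bucket-encryption --bucket <bucket>
# Returns error if not configured

# No versioning (an unconfigured bucket returns {}, so grep prints nothing)
aws s3api get-bucket-versioning --bucket <bucket> | grep "Status"

# No server access logging (empty {} when logging is off)
aws s3api get-bucket-logging --bucket <bucket>

# List all buckets with a public ACL grant.
# `--output text` prints every name on ONE tab-separated line, so the
# original `while read bucket` saw a single value; split on tabs first.
# Every expansion is quoted and read uses -r; a failed get-bucket-acl
# (no permission, other region) is skipped explicitly instead of leaving
# $acl empty.
aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' |
  while IFS= read -r bucket; do
    [ -n "$bucket" ] || continue
    acl=$(aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null) || continue
    if printf '%s\n' "$acl" | grep -q 'AllUsers\|AuthenticatedUsers'; then
      printf 'VULNERABLE: %s has public read access\n' "$bucket"
    fi
  done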

IAM Policy Analysis

Scan for Overpermissive Policies

# List all IAM policies
goatrider scan --service iam

# Managed policies attached to a user (returns ARNs; the document itself
# comes from get-policy + get-policy-version). Permissions also arrive via
# group membership — see list-groups-for-user.
aws iam list-attached-user-policies --user-name <username>

# Inline policy names for the user
aws iam list-user-policies --user-name <username>

# Inline policy document
aws iam get-user-policy --user-name <username> --policy-name <policy-name>

# List all roles (includes AWS service-linked roles)
aws iam list-roles

# Managed policies attached to a role
aws iam list-attached-role-policies --role-name <role-name>

# Inline role policy document (names come from list-role-policies)
aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>

Detect Wildcard Permissions

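# List customer-managed policies whose default version allows Action "*".
# The nested-list --query prints one tab-separated row per policy, so
# `read name arn` is correct here; every expansion is quoted.
# Statement and Action may each be a single object/string or an array, so
# both are flattened before comparing. The original grep matched "*" anywhere
# after the word Action, which also fired on a wildcard *Resource*.
aws iam list-policies --scope Local --query 'Policies[].[PolicyName,Arn]' --output text |
  while IFS=$'\t' read -r name arn; do
    [ -n "$arn" ] || continue
    version=$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text) || continue
    policy=$(aws iam get-policy-version --policy-arn "$arn" --version-id "$version" \
      --query 'PolicyVersion.Document' --output json) || continue
    if printf '%s' "$policy" |
      jq -e '[.Statement] | flatten[] | select(.Effect == "Allow") | [.Action] | flatten[] | select(. == "*")' >/dev/null; then
      printf 'VULNERABLE: %s has wildcard actions\n' "$name"
    fi
  done

# Detect statements granting s3:* in any customer-managed policy.
# The policy name is not a reliable filter (any policy can grant s3:*), so
# every local policy is checked. `jq -r` prints the ARN without quotes; the
# original piped a quoted "arn:..." string that the CLI rejects.
aws iam list-policies --scope Local --output json | jq -r '.Policies[].Arn' |
  while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    version=$(aws iam get-policy --policy-arn "$arn" --query 'Policy.DefaultVersionId' --output text) || continue
    aws iam get-policy-version --policy-arn "$arn" --version-id "$version" --query 'PolicyVersion.Document' --output json |
      jq --arg arn "$arn" '[.Statement] | flatten[] | select(([.Action] | flatten | any(. == "s3:*"))) | {arn: $arn, statement: .}'
  done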

EC2 Security Group Analysis

Detect Open Security Groups

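# List all security groups
aws ec2 describe-security-groups

# Find groups with any ingress rule open to the whole IPv4 internet
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId' \
  --output text

# Same for IPv6 — the IPv4 query above does not see these rules
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?Ipv6Ranges[?CidrIpv6==`::/0`]]].GroupId' \
  --output text

# Find SSH (port 22) open to internet. Match the port *range*
# (FromPort <= 22 <= ToPort) instead of FromPort alone, otherwise a rule
# such as 0-1024 is missed. IpProtocol -1 rules carry no ports and are
# only caught by the "any ingress rule" queries above.
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?FromPort<=`22` && ToPort>=`22` && IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId'

# Find RDP (port 3389) open to internet
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?FromPort<=`3389` && ToPort>=`3389` && IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId'

# Find databases (port 3306, 5432) open
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?((FromPort<=`3306` && ToPort>=`3306`) || (FromPort<=`5432` && ToPort>=`5432`)) && IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId'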

Check Group Egress Rules

# Find groups with allow-all egress. Every new security group is created
# with this exact egress rule, so expect nearly all groups to match; it is
# a finding only where egress is meant to be restricted.
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissionsEgress[?IpProtocol==`-1` && IpRanges[?CidrIp==`0.0.0.0/0`]]].GroupId'

# Get full group details
aws ec2 describe-security-groups --group-ids <sg-id>

RDS Database Misconfiguration

Scan RDS Instances

# List all RDS instances (one region per call; repeat with --region)
aws rds describe-db-instances

# Check encryption status
aws rds describe-db-instances \
  --query 'DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]'

# Find unencrypted databases (storage encryption cannot be switched on in
# place; remediation is snapshot -> encrypted copy -> restore)
aws rds describe-db-instances \
  --query 'DBInstances[?StorageEncrypted==`false`].DBInstanceIdentifier'

# Find publicly accessible instances (PubliclyAccessible only means the
# endpoint resolves to a public IP; reachability still depends on the
# security group and subnet routing)
aws rds describe-db-instances \
  --query 'DBInstances[?PubliclyAccessible==`true`].DBInstanceIdentifier'

# Check backup retention (0 means automated backups are disabled)
aws rds describe-db-instances \
  --query 'DBInstances[*].[DBInstanceIdentifier,BackupRetentionPeriod]'

Exploit Vulnerable RDS

# If RDS is publicly accessible
mysql -h <rds-endpoint> -u admin -p<password>

# Dump all databases
mysqldump -h <rds-endpoint> -u admin -p<password> --all-databases > dump.sql

# Create a read replica with AWS credentials. This does not "connect" to the
# database: it creates a new, billable instance and is recorded in CloudTrail
# as CreateDBInstanceReadReplica.
aws rds create-db-instance-read-replica \
  --db-instance-identifier <replica-name> \
  --source-db-instance-identifier <source-instance>

CloudTrail and Logging Detection

Check Logging Configuration

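# List CloudTrail trails
aws cloudtrail describe-trails

# Check if logging is enabled (look at IsLogging in the output)
aws cloudtrail get-trail-status --name <trail-name>

# Find the bucket each trail writes to, then list it. The original used a
# hard-coded bucket name; take it from the trail configuration instead.
aws cloudtrail describe-trails --query 'trailList[].[Name,S3BucketName]' --output text
aws s3 ls "s3://<trail-bucket>/"

# Show the most recently recorded event. This does NOT find "unlogged" APIs:
# lookup-events only returns what CloudTrail already recorded.
aws cloudtrail lookup-events --max-results 1 | jq -r '.Events[].EventName'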

Detect Disabled Logging

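# Find trails that aren't logging. hasCustomEventSelectors says nothing about
# logging state; ask get-trail-status for IsLogging on each trail (the ARN
# is used because a name alone is ambiguous for trails from other regions).
aws cloudtrail describe-trails --query 'trailList[].TrailARN' --output text | tr '\t' '\n' |
  while IFS= read -r trail; do
    [ -n "$trail" ] || continue
    if [ "$(aws cloudtrail get-trail-status --name "$trail" --query 'IsLogging' --output text)" != "True" ]; then
      printf 'NOT LOGGING: %s\n' "$trail"
    fi
  done

# Trails limited to a single region (API calls in other regions are not
# captured by these; this is not the same as a stopped or deleted trail)
aws cloudtrail describe-trails | jq '.trailList[] | select(.IsMultiRegionTrail==false)'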

Lambda Function Analysis

Scan Lambda Functions

# List all Lambda functions
aws lambda list-functions

# Get function configuration
aws lambda get-function-configuration --function-name <function-name>

# Extract environment variables (may contain secrets — treat the output as
# sensitive and keep it out of reports and tickets)
aws lambda get-function-configuration --function-name <function-name> \
  --query 'Environment.Variables'

# Check IAM role (execution role ARN)
aws lambda get-function-configuration --function-name <function-name> \
  --query 'Role'

# Show the function's resource-based policy, i.e. who may invoke it
# (fails with ResourceNotFoundException when none is attached)
aws lambda get-policy --function-name <function-name>

Find Over-Privileged Functions

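# Get Lambda execution role ARN (arn:aws:iam::<account>:role/<path>/<name>)
ROLE=$(aws lambda get-function-configuration --function-name <func> --query 'Role' --output text)

# The role name is everything after the last "/". The original
# `cut -d'/' -f2` returned the path segment instead of the name for roles
# created with a path.
ROLE_NAME=${ROLE##*/}

# Managed policies attached to the role (ARNs; fetch documents with
# get-policy / get-policy-version)
aws iam list-attached-role-policies --role-name "$ROLE_NAME"

# Inline policies: list their names, fetch each document and flag Allow
# statements whose Action is "*". Statement and Action may be a single
# value or an array, so both are flattened.
aws iam list-role-policies --role-name "$ROLE_NAME" --query 'PolicyNames[]' --output text | tr '\t' '\n' |
  while IFS= read -r policy; do
    [ -n "$policy" ] || continue
    aws iam get-role-policy --role-name "$ROLE_NAME" --policy-name "$policy" --query 'PolicyDocument' --output json |
      jq -r --arg p "$policy" '[.Statement] | flatten[] | select(.Effect == "Allow") | [.Action] | flatten[] | select(. == "*") | "VULNERABLE: inline policy \($p) allows Action *"'
  done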

Network ACL and VPC Analysis

Check VPC Configuration

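# List VPCs
aws ec2 describe-vpcs

# Check VPC flow logs
aws ec2 describe-flow-logs

# Find VPCs without flow logs. Use --output text so an empty result is an
# empty string: the JSON form returned "[]", which `wc -w` counts as one
# word, so the original check never fired. The VPC list is also one
# tab-separated line and must be split before the loop.
aws ec2 describe-vpcs --query 'Vpcs[].VpcId' --output text | tr '\t' '\n' |
  while IFS= read -r vpc; do
    [ -n "$vpc" ] || continue
    logs=$(aws ec2 describe-flow-logs --filter "Name=resource-id,Values=$vpc" \
      --query 'FlowLogs[].FlowLogId' --output text)
    if [ -z "$logs" ]; then
      printf 'NO FLOW LOGS: %s\n' "$vpc"
    fi
  done

# Check network ACLs
aws ec2 describe-network-acls

# Find network ACLs with an allow-all entry. The default NACL of every VPC
# has allow-all ingress and egress entries, and this query does not
# distinguish ingress (Egress==false) from egress entries.
aws ec2 describe-network-acls \
  --query 'NetworkAcls[?Entries[?(RuleAction==`allow`) && (CidrBlock==`0.0.0.0/0`)]].NetworkAclId'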

Secrets and Access Key Detection

Find Exposed Secrets

# List IAM access keys (without --user-name this covers only the calling
# user; iterate list-users to cover the account)
aws iam list-access-keys

# Check for old access keys (compare CreateDate against your rotation
# policy; get-access-key-last-used shows whether a key is still in use)
aws iam list-access-keys --query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate]'

# List secrets in Secrets Manager
aws secretsmanager list-secrets

# Get specific secret value (prints the secret in plaintext to the terminal)
aws secretsmanager get-secret-value --secret-id <secret-name>

# Check for unrotated secrets (LastRotatedDate is also null when rotation
# was never configured)
aws secretsmanager list-secrets | jq '.SecretList[] | select(.LastRotatedDate==null)'

Detect Exposed Credentials in CloudWatch

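# Search CloudWatch logs for leaked credentials. In a filter pattern,
# space-separated terms must ALL match; "?term" means "any of". The
# original "password OR secret OR AKIA" only matched events containing
# every one of those words, including the literal OR.
aws logs filter-log-events --log-group-name <log-group> \
  --filter-pattern '?password ?secret ?AKIA'

# List all log groups
aws logs describe-log-groups

# Search all log groups. The text output is one tab-separated line, so split
# it before the loop; print only the matching stream and message instead of
# the whole response.
aws logs describe-log-groups --query 'logGroups[].logGroupName' --output text | tr '\t' '\n' |
  while IFS= read -r group; do
    [ -n "$group" ] || continue
    aws logs filter-log-events --log-group-name "$group" --filter-pattern "AKIA" \
      --query 'events[].[logStreamName,message]' --output text
  done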

Automated Scanning with GoatRider

Run Custom Scans

# Scan with specific checks
# NOTE(review): check names and flags here are not verified against
# `goatrider scan --help`; confirm before scripting them.
goatrider scan --checks s3-public-read,iam-wildcard,rds-unencrypted

# Scan and remediate (dry-run) — review the proposed changes before running
# without --dry-run
goatrider scan --remediate --dry-run

# Save scan results (this page uses both --output-file and --output for the
# report path; verify which one the installed version accepts)
goatrider scan --output-file scan-results.json --format json

# Compare scans
goatrider compare --baseline baseline.json --current current.json

Generate Reports

# Executive summary
# NOTE(review): report types are as given on this page; confirm them with
# `goatrider scan --help`.
goatrider scan --report-type executive

# Detailed findings
goatrider scan --report-type detailed

# Compliance report (CIS, PCI-DSS)
goatrider scan --report-type compliance --compliance-framework cis

# Risk assessment
goatrider scan --report-type risk-assessment

Common Vulnerabilities Found

| Category | Issue | Detection | Severity |
| --- | --- | --- | --- |
| S3 | Public bucket | get-bucket-acl | Critical |
| S3 | No encryption | get-bucket-encryption | High |
| IAM | Wildcard action | get-role-policy | Critical |
| IAM | Wildcard resource | get-role-policy | Critical |
| EC2 | SSH open | describe-security-groups | High |
| RDS | Public access | describe-db-instances | Critical |
| RDS | No encryption | describe-db-instances | High |
| Lambda | Over-privileged role | get-function-configuration | High |
| VPC | No flow logs | describe-flow-logs | Medium |
| CloudTrail | Disabled | get-trail-status | High |

Remediation Examples

Fix Public S3 Bucket

# Block public access at the bucket level (the same settings can be applied
# account-wide with `aws s3control put-public-access-block`)
aws s3api put-public-access-block \
  --bucket <bucket-name> \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# Enable default encryption. AES256 is SSE-S3; for SSE-KMS use
# "aws:kms" together with KMSMasterKeyID.
aws s3api put-bucket-encryption \
  --bucket <bucket-name> \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

Fix Overpermissive IAM

# Create limited inline policy (put-role-policy creates the policy or
# overwrites an existing inline policy with the same name)
aws iam put-role-policy --role-name <role> --policy-name limited-s3 --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::specific-bucket", "arn:aws:s3:::specific-bucket/*"]
  }]
}'

# Remove overpermissive inline policy (for an attached managed policy use
# detach-role-policy instead)
aws iam delete-role-policy --role-name <role> --policy-name overpermissive-policy

Fix Open Security Group

# Remove the rule allowing SSH from anywhere (revoke only matches a rule with
# exactly these protocol, ports and CIDR; check describe-security-groups
# afterwards to confirm it is gone)
aws ec2 revoke-security-group-ingress \
  --group-id <sg-id> \
  --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp=0.0.0.0/0}]'

# Add restricted rule
aws ec2 authorize-security-group-ingress \
  --group-id <sg-id> \
  --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{CidrIp=10.0.0.0/8,Description=Internal}]'

Best Practices

  • Scan regularly (daily or on every infrastructure change)
  • Monitor GoatRider findings in your CI/CD pipeline
  • Set up automated remediation for common issues
  • Document all findings and remediation steps
  • Review and validate all remediation changes
  • Keep AWS SDK and GoatRider updated
  • Implement least privilege principle
  • Enable CloudTrail and VPC Flow Logs
  • Encrypt all data at rest and in transit
  • Rotate access keys regularly
  • Use AWS Config for continuous monitoring

Resources


Last updated: 2026-03-30