# OWASP EKS Goat — AWS EKS Lab

> **Intro:** OWASP EKS Goat is one of the most valuable advanced labs for cloud-native teams because it teaches both **how compromise happens** and **how to harden and detect it** in AWS EKS.
>
> **What this page includes**
>
> * why EKS Goat deserves a separate place in this knowledge base;
> * what attack and defense scenarios it covers;
> * how to use it safely as a training environment;
> * how to turn it into a meaningful Product Security learning exercise.

## What it is

OWASP EKS Goat is a hands-on AWS EKS security lab built around real-world attack and defense techniques for managed Kubernetes clusters on AWS.

Its value is that it explicitly connects:

* application compromise;
* IAM and workload identity problems;
* ECR image trust failures;
* RBAC abuse;
* pod-to-node breakout;
* defensive controls like Kubescape, Kyverno, Tetragon, and GuardDuty.

## Why it is valuable

Many Kubernetes labs teach “generic cluster insecurity.” EKS Goat goes further by teaching how **AWS-native identity and registry trust** change the problem.

That makes it particularly useful if your real environment includes:

* EKS;
* ECR;
* IAM roles for workloads;
* managed cluster operations with AWS telemetry.

## Best fit

| Persona                            | Fit           | Why                                                         |
| ---------------------------------- | ------------- | ----------------------------------------------------------- |
| Senior Kubernetes / cloud engineer | Very high     | Strong AWS-native attack-and-defense coverage               |
| Product Security engineer          | High          | Excellent for EKS review, runtime, and image-trust thinking |
| Detection / IR engineer            | High          | Defense scenarios map cleanly to real controls              |
| Newcomer                           | Low to Medium | Better as a later-stage lab after Kubernetes Goat           |

## Prerequisites and safety

This lab uses **real AWS EKS resources** and is not a cheap “run it anywhere” exercise.

Plan for:

* a dedicated AWS account per learner or team;
* billing enabled;
* clear teardown discipline;
* a browser and a stable workstation;
* written guardrails about what is in scope.

Do not run it in a shared production account.

## What it teaches especially well

### Attack-side learning

* misconfigured IAM roles and over-broad workload identities (IRSA and similar mechanisms);
* ECR credential and image trust abuse;
* metadata abuse and credential theft chains;
* web-app-to-cluster compromise;
* RBAC escalation and pod-to-node breakout;
* data exfiltration paths from AWS services.

### Defense-side learning

* cluster auditing with Kubescape and kube-bench;
* Dockerfile and image linting with Hadolint and similar tools;
* Pod Security Context and policy enforcement with Kyverno;
* runtime behavior detection using Tetragon;
* GuardDuty monitoring for EKS-related events.

## How to use it for learning instead of spectacle

A good EKS Goat session should produce:

* one attack-path summary;
* one IAM and workload-identity review note;
* one image-trust review note;
* one runtime-detection idea;
* one hardening change list.

If the learner finishes the lab without those artifacts, the session was probably too attack-centric.

## Suggested learning sequence

### Stage 1 — environment and trust mapping

* identify cluster entry points;
* identify registry trust and image flow;
* identify which workload identities matter;
* identify where AWS permissions enter the chain.

### Stage 2 — scenario work

Focus on one or two scenarios, not all of them at once. Particularly high-value topics are:

* IMDS abuse leading to credential theft;
* ECR image backdooring;
* workload-to-node breakout;
* IAM abuse leading to data exfiltration.

### Stage 3 — defender response

After the attack-side review, document:

* what GuardDuty could and could not help with;
* what Tetragon or similar runtime tools could show;
* what policy-as-code could prevent earlier;
* what image and registry guardrails should have existed.
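The last two items, policy-as-code that stops the breakout earlier and registry guardrails, can be expressed together in one Kyverno ClusterPolicy. This is an added example for the page, not code from the EKS Goat or Kyverno projects; the account ID and region in the ECR prefix are placeholders to replace with your own.

```yaml
# Added example: two admission guardrails that the Stage 3 review usually
# produces. kube-system is excluded because EKS add-on images are pulled
# from AWS-owned ECR accounts, not from the workload account's registry.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: eks-goat-guardrails
spec:
  validationFailureAction: Enforce   # use Audit first to measure impact
  background: true
  rules:
    # Registry guardrail: only images from this account's ECR are admitted,
    # so a backdoored image pushed elsewhere cannot be scheduled.
    - name: images-from-account-ecr-only
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: [kube-system]
      validate:
        message: "Container images must come from the account's ECR registry."
        pattern:
          spec:
            containers:
              - image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/*"  # placeholder
            =(initContainers):
              - image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/*"  # placeholder
    # Breakout guardrail: deny the pod settings that give a workload the
    # node's PID or network namespace or a privileged container.
    - name: no-node-breakout-primitives
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "hostPID, hostNetwork and privileged containers are not allowed."
        pattern:
          spec:
            =(hostPID): false        # =() means: if the field is set, it must be false
            =(hostNetwork): false
            containers:
              - =(securityContext):
                  =(privileged): false
```

Apply it in Audit mode first and review the PolicyReport objects it produces before switching to Enforce.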

## Best pairings in this KB

* [Kubernetes Security Baseline](/cloud-kubernetes-and-infrastructure-security/index-1/kubernetes-security-baseline.md)
* [Trusted Images, Harbor, and Signing](/cloud-kubernetes-and-infrastructure-security/index-1/trusted-images-harbor-and-signing.md)
* [AWS Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/aws-cloud-attack-chains.md)
* [Runtime Investigation Playbook for Kubernetes and Containers](/cloud-kubernetes-and-infrastructure-security/index-1/runtime-investigation-playbook.md)
* [High-Signal Detection Patterns and SIEM Examples](/attack-paths-testing-detection-and-hardening/index/high-signal-detection-patterns-and-siem-examples.md)

## Common mistakes

* treating it like a generic Kubernetes lab and ignoring AWS identities;
* trying to do all attack and defense topics in one session;
* not planning teardown before deployment;
* not capturing lessons about image trust and workload identity.

## References

* Official OWASP project page: <https://owasp.org/www-project-eks-goat/>
* Official repository: <https://github.com/OWASP/www-project-eks-goat>
* Walkthrough: <https://eksgoat.peachycloudsecurity.com/>

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*