Twitter: @Chris_L_Ayers Mastodon: @Chrisayers@hachyderm.io LinkedIn: chris-l-ayers Blog: https://chris-ayers.com/ GitHub: Codebytes
Infrastructure as code (IaC) is a way to manage and provision infrastructure resources using configuration files and automation tools.
The goal of IaC is to make it easier to deploy and manage infrastructure in a repeatable, reliable way, and to reduce the risk of errors caused by manual configuration.
There have been multiple breaches and attacks caused by misconfiguration, and the vulnerability can be as simple as a single omitted property: a setting you never wrote down, so the provider's default applied.
A05:2021 – Security Misconfiguration
OWASP Kubernetes Top Ten
Source: The State of Cloud Security 2021 Report
We can't bolt security on in production after everything is built; we need to go into solutions with security baked in.
Running security testing tools against infrastructure as code (IaC) is a way to ensure that the infrastructure being provisioned is secure and compliant with best practices.
SAST (Static Application Security Testing) analyzes an application's source code for security weaknesses without executing the application.
DAST (Dynamic Application Security Testing), on the other hand, tests the application while it is running, in order to identify vulnerabilities that are actually reachable.
Each of the tools below does something similar and is a SAST tool: it analyzes Terraform without running terraform apply. With Terraform you can analyze in a few ways: the raw HCL as written, or the interpreted form after Terraform has resolved variables and modules (a plan rendered as JSON).
tfsec is a static analysis security scanner for your Terraform code, supported by Aqua Security.
It is designed to run locally and in your CI pipelines, with developer-friendly output and fully documented checks.
Terrascan supports Terraform, Azure, GCP, AWS, Kubernetes (manifests, Helm, Kustomize), Docker and even GitHub. It is supported by Tenable and is now integrated into Nessus.
Terrascan has a large number of built-in policies as well as support for custom OPA/Rego policies.
Checkov is another tool for scanning and compliance checks.
Checkov is by Bridgecrew and is Python-based. Like Terrascan, it supports Terraform, Azure, GCP, AWS, Kubernetes (manifests, Helm, Kustomize) and Docker.
Yor: https://yor.io/ (automatically tags IaC resources so a deployed resource can be traced back to the code that created it)
Atlantis: https://www.runatlantis.io/
Terraform pull request automation that handles planning, locking, and applying.
Because these tools are independent and each scans either the raw HCL or the interpreted HCL, running more than one gives you different rule sets and potentially better coverage.
You can also hit a signal-to-noise problem: the same issue reported several times under different rule IDs, alongside findings that don't matter for your environment.
Pre-commit hooks run before code gets committed to a git repo. You can write them yourself or use the pre-commit framework (https://pre-commit.com/).
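As an added worked example (not code from the talk, nor from tfsec, Terrascan or Checkov), the following Python script shows the core of what a SAST tool does with interpreted HCL: it walks the resources in the JSON that "terraform show -json plan.out" emits, applies a small rule set, and reports an omitted security property the same way it reports an insecurely set one. It exits non-zero when anything is found, which is all a pre-commit hook or CI step needs from it. The rule IDs, rule messages and the sample plan are constructed for this example; the attribute names are real azurerm provider arguments.

```python
"""Toy IaC static checker over a Terraform plan JSON (added illustration).

Not code from tfsec, Terrascan or Checkov; it shows the shape of what those
scanners do with interpreted HCL (`terraform show -json plan.out` output):
walk every planned resource, and treat an omitted security property exactly
like an insecurely set one.  Rule IDs and the sample plan are constructed.
"""
import json
import sys
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id resource_type attribute expected message")
Finding = namedtuple("Finding", "rule_id address attribute actual message")  # actual=None: omitted

# Hypothetical rule set; the attribute names are real azurerm provider arguments.
RULES = (
    Rule("CUSTOM-AZ-001", "azurerm_storage_account", "min_tls_version", "TLS1_2",
         "storage account must pin TLS 1.2"),
    Rule("CUSTOM-AZ-002", "azurerm_storage_account", "allow_nested_items_to_be_public",
         False, "storage account must not allow public blob/container access"),
    Rule("CUSTOM-AZ-003", "azurerm_key_vault", "purge_protection_enabled", True,
         "key vault must enable purge protection"),
    Rule("CUSTOM-AZ-004", "azurerm_key_vault", "public_network_access_enabled", False,
         "key vault must disable public network access"),
)

# Constructed sample in the `terraform show -json` layout: a storage account that
# omits min_tls_version and opens nested items to the public, a key vault with
# purge protection off, a data source that must be ignored, and a compliant
# storage account inside a child module.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "azurerm_storage_account.logs", "mode": "managed",
             "type": "azurerm_storage_account", "name": "logs",
             "values": {"name": "stlogs001", "allow_nested_items_to_be_public": True}},
            {"address": "azurerm_key_vault.app", "mode": "managed",
             "type": "azurerm_key_vault", "name": "app",
             "values": {"name": "kv-app", "purge_protection_enabled": False}},
            {"address": "data.azurerm_key_vault.shared", "mode": "data",
             "type": "azurerm_key_vault", "name": "shared",
             "values": {"name": "kv-shared", "purge_protection_enabled": False}},
        ],
        "child_modules": [{"address": "module.backup", "resources": [
            {"address": "module.backup.azurerm_storage_account.archive",
             "mode": "managed", "type": "azurerm_storage_account", "name": "archive",
             "values": {"name": "stbackup001", "min_tls_version": "TLS1_2",
                        "allow_nested_items_to_be_public": False}},
        ]}],
    }},
})


def iter_managed_resources(module):
    """Yield managed resources from a module and, recursively, its child modules.
    Data sources (mode == "data") describe infrastructure the plan does not
    control, so they are skipped rather than reported."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from iter_managed_resources(child)


def scan_plan(plan_json, rules=RULES):
    """Return a Finding for every rule a planned resource fails.  A property
    absent from `values` (omitted in HCL, or unknown until apply) is reported
    with actual=None: the scanner does not assume the provider default is safe."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_managed_resources(root):
        values = res.get("values") or {}
        for rule in rules:
            if res.get("type") != rule.resource_type:
                continue
            actual = values.get(rule.attribute)
            if actual != rule.expected:
                findings.append(Finding(rule.rule_id, res["address"], rule.attribute,
                                        actual, rule.message))
    return findings


def main(argv):
    """Scan a plan JSON file (or the embedded sample) and fail on findings, which
    is all a pre-commit hook or CI step needs from a scanner."""
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = scan_plan(plan_json)
    for f in findings:
        state = "omitted" if f.actual is None else f"set to {f.actual!r}"
        print(f"{f.rule_id} {f.address}: {f.attribute} {state} ({f.message})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the embedded sample (four findings, two of them for omitted properties, none for the data source or the compliant child-module resource), or produce a real plan with "terraform plan -out plan.out && terraform show -json plan.out > plan.json" and pass plan.json. A value that is unknown until apply is also absent from "values", so this checker flags it too; that is the conservative choice, and the reason real scanners let you suppress a specific finding rather than loosen the rule.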
No more passwords: the pipeline authenticates with short-lived, claims-based tokens (OpenID Connect federation), and the trust is scoped by claims on the repo, environment, branch, and so on.
Custom rules, pointing tfsec at a directory of Rego policies:
tfsec --rego-policy-dir ./tfsec_rego_policies/ ./custom_checks_examples/keyvault/