This article was originally posted on Hackmamba.
Before Infrastructure as Code (IaC), managing IT infrastructure was a daunting task. System administrators, operations teams, and developers had to manually configure and manage all of the hardware and software required for applications to run.
With IaC, developers can quickly provision servers with specific operating systems, run containers, Kubernetes clusters, and even integrate third-party services using machine-readable templates.
Through IaC, organizations can build scalable and resilient software faster, reducing cost and addressing inconsistencies between the development and production environments. But with all these benefits, as with every software process, security risks exist.
This article discusses the top 3 security risks facing Infrastructure as Code and measures DevOps teams can take to avoid attacks. The top 3 security risks are:
- Misconfigurations in IaC templates
- Infrastructure drift
- Ghost resources
Misconfigurations in IaC Templates
Misconfigurations in an IaC template (such as YAML files, Terraform, or Helm Charts) can easily expose an organization’s environment, leaving it vulnerable to attacks.
According to this report by Palo Alto Networks, nearly 200,000 insecure IaC templates are in use in production environments, and most of these vulnerabilities are due to misconfigurations. On top of that, more than 43% of cloud databases are currently unencrypted and only 60% of cloud storage services have logging enabled.
One might ask how these misconfigurations happen, and why they occur at this scale. They reach this scale because, as more people write open source boilerplate templates and blog posts, most never review them to ensure they conform to IaC security best practices.
The image below, from this talk on Infrastructure-as-Code Security, shows data on misconfigured open source Terraform modules.
And those misconfigured modules were downloaded 10 million times, as seen in the image below.
Although services provisioned with those misconfigurations aren’t necessarily exploitable, they still pose a huge risk.
How to Prevent IaC Template Misconfigurations
To prevent IaC template misconfigurations, DevOps teams must scan these templates in pre-production. Scanning IaC templates for misconfigurations before they reach production means introducing checks and remediation during the development phase, which is a fundamental step in a secure DevOps workflow.
To integrate this step into their DevOps workflow, organizations can use tools like Bridgecrew to track every change in their IaC, scan those changes, and automatically fix misconfigurations before they move to the production environment.
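As an added illustration of the kind of pre-production check described above (example code written for this article, not Bridgecrew's or any other scanner's code), the script below walks a Terraform plan exported with `terraform show -json` and flags the two misconfigurations the report cites: database instances without storage encryption and storage buckets without access logging. It assumes the AWS provider's attribute names (`storage_encrypted`, `logging`), and the sample plan is constructed.

```python
"""Scan a Terraform plan document for unencrypted databases and buckets without logging.
Example code for this article; it assumes AWS provider attribute names."""
import json

# Constructed sample plan: one unencrypted RDS instance, one bucket without logging, one correct bucket
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"engine": "postgres", "storage_encrypted": False}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-logs", "logging": []}},
        {"address": "aws_s3_bucket.audited", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-audited", "logging": [{"target_bucket": "acme-logs"}]}},
    ]}}
}

def load_plan(path):
    """Load the JSON produced by `terraform show -json tfplan`."""
    with open(path) as fh:
        return json.load(fh)

def iter_resources(plan):
    """Yield every planned resource, descending into child modules."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan["planned_values"]["root_module"])

def check_resource(res):
    """Return (address, finding) tuples for one planned resource."""
    findings = []
    values = res.get("values", {})
    if res["type"] == "aws_db_instance" and not values.get("storage_encrypted"):
        findings.append((res["address"], "database storage is not encrypted"))
    # The provider renders an absent logging block as an empty list in plan JSON (assumed)
    if res["type"] == "aws_s3_bucket" and not values.get("logging"):
        findings.append((res["address"], "bucket has no access logging"))
    return findings

def scan_plan(plan):
    """Scan all resources; a non-empty result should fail the pipeline step."""
    return [f for res in iter_resources(plan) for f in check_resource(res)]

if __name__ == "__main__":
    for address, finding in scan_plan(SAMPLE_PLAN):
        print(f"FAIL {address}: {finding}")
```

Run it against a real plan with `scan_plan(load_plan("tfplan.json"))` in the CI step that precedes `terraform apply`.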
Infrastructure Drift
In IaC, the concept of drift represents the difference between the values originally defined in a configuration and what is actually running in production. A drift can be introduced by external actors (humans or scripts) or by the IaC's dependency on external data sources.
Drifts by External Actors
If an on-call SRE (site reliability engineer) logs on to the Cloud environment and manually creates or modifies resources otherwise controlled by Terraform, they introduce a drift. Also, suppose an external script updates a Kubernetes cluster in a way that conflicts with its CloudFormation definition; in that case, that is a drift as well.
Drifts by External Data Sources
If there is any change to the external data source, it will show up as a drift too. For example, if a load balancer is only expected to receive traffic from Amazon CloudFront, the DevOps team may want to restrict ingress to a predefined range of IP addresses. However, that range may be dynamic, and their IaC tool queries it every time it runs.
When any of the above drifts occurs and goes unmanaged, it can lead to:
- Data breaches
- Application downtime
- Deployment failures
How to Mitigate Infrastructure Drift
In the above scenarios, the drift caused by external actors is an unwanted by-product of emergencies or broken processes. The drift caused by external data sources is both desired and inevitable. That said, it is clear that drift occurs and teams can’t entirely prevent it.
But what can teams do? What DevOps teams can do is detect and reconcile drifts as they happen. The following tools can help teams detect and reconcile drifts:
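The distinction drawn above, between drift caused by a moving data source (expected) and drift caused by an external actor (unwanted), can be made mechanically. The function below is an added example written for this article, not the output of any drift-detection product: it takes the load balancer ingress ranges the IaC tool last applied, what the data source returns now, and what the security group actually contains, and separates the two kinds of drift. The CIDRs are constructed documentation ranges, not real CloudFront addresses.

```python
"""Classify ingress drift on a load balancer security group whose allowed ranges
come from a dynamic data source. Example code for this article."""

def classify_drift(desired_at_apply, data_source_now, actual):
    """desired_at_apply: CIDRs the IaC tool applied last run (the data source value then)
    data_source_now:  CIDRs the data source returns today
    actual:           CIDRs present on the live security group rule"""
    desired, now, live = set(desired_at_apply), set(data_source_now), set(actual)
    return {
        # The data source moved: expected drift, reconciled by re-running the IaC tool
        "data_source_added": sorted(now - desired),
        "data_source_removed": sorted(desired - now),
        # Ranges nobody declared: an external actor changed the group by hand or script
        "unexpected_ingress": sorted(live - desired - now),
        # Declared ranges that have vanished from the live environment
        "missing_ingress": sorted((desired & now) - live),
    }

def needs_reconcile(report):
    """Any non-empty bucket means live state and definition disagree."""
    return any(report.values())

def is_security_incident(report):
    """Undeclared ingress widens exposure: investigate, do not just re-apply over it."""
    return bool(report["unexpected_ingress"])

# Constructed sample: the data source gained a range, and someone opened the group to the world
LAST_APPLIED = ["192.0.2.0/24", "198.51.100.0/24"]
DATA_SOURCE_NOW = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
LIVE_RULE = ["192.0.2.0/24", "198.51.100.0/24", "0.0.0.0/0"]

SAMPLE_REPORT = classify_drift(LAST_APPLIED, DATA_SOURCE_NOW, LIVE_RULE)

if __name__ == "__main__":
    for kind, cidrs in SAMPLE_REPORT.items():
        print(f"{kind}: {cidrs}")
    print("incident" if is_security_incident(SAMPLE_REPORT) else "re-apply only")
```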
Ghost Resources
Tagging cloud assets during development is critical to ensuring compliance and governance in IaC. Failing to tag assets during IaC operations can result in “ghost” resources. These untagged assets are hard to detect and difficult for developers to observe, as the observability of these assets may not be equivalent to that of the rest of the system.
Ghost assets can go undetected for long periods while consuming resources and creating potential attack vectors for an organization's infrastructure as code. In addition to the implications on security, ghost resources make it very challenging to assess the effect on operations like cost, maintenance, and reliability.
How to Prevent Ghost Resources
The only way to mitigate ghost resources is by careful tagging and monitoring for untagged resources.
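The monitoring half of that advice can be a scheduled job that cross-checks the cloud inventory against what the IaC state tracks. Below is an added example written for this article, not a product's code: a live asset that the IaC state does not know about and that carries none of the required ownership tags is reported as a ghost. The inventory, state ids and tag keys (`Owner`, `ManagedBy`) are constructed assumptions.

```python
"""Report ghost resources: live assets untracked by IaC state and missing ownership tags.
Example code for this article; inventory and state below are constructed."""

REQUIRED_TAGS = ("Owner", "ManagedBy")  # assumed tagging convention

# Constructed: resource ids recorded in the IaC state (what the tooling knows about)
STATE_IDS = {"i-0aaa111", "sg-0bbb222"}

# Constructed: what the cloud inventory API returned for the account
INVENTORY = [
    {"id": "i-0aaa111", "type": "instance", "tags": {"Owner": "payments", "ManagedBy": "terraform"}},
    {"id": "sg-0bbb222", "type": "security_group", "tags": {"Owner": "payments", "ManagedBy": "terraform"}},
    {"id": "i-0ccc333", "type": "instance", "tags": {"Name": "debug-box"}},
    {"id": "vol-0ddd444", "type": "volume", "tags": {}},
    {"id": "i-0eee555", "type": "instance", "tags": {"Owner": "sre", "ManagedBy": "manual"}},
]

def missing_tags(resource):
    """Required tag keys absent from one resource."""
    return [key for key in REQUIRED_TAGS if key not in resource["tags"]]

def find_ghosts(inventory, state_ids):
    """Classify each live resource:
    ghost            - not in IaC state and no owner to ask: nothing reports on it
    untracked        - not in IaC state but tagged, so an owner can be contacted
    untagged_managed - tracked by IaC but the template forgot the tags"""
    report = {"ghost": [], "untracked": [], "untagged_managed": []}
    for res in inventory:
        tracked = res["id"] in state_ids
        missing = missing_tags(res)
        if not tracked and missing:
            report["ghost"].append(res["id"])
        elif not tracked:
            report["untracked"].append(res["id"])
        elif missing:
            report["untagged_managed"].append(res["id"])
    return report

if __name__ == "__main__":
    for category, ids in find_ghosts(INVENTORY, STATE_IDS).items():
        print(f"{category}: {ids}")
```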
Conclusion
This article explained the top 3 security risks facing Infrastructure as Code and measures DevOps teams can take to avoid attacks.
To learn more about other security risks facing IaC, check out the following resources: