How to Harden IaC Security with KICS

yayabobi - Aug 2 - - Dev Community

Imagine your entire infrastructure breaks down because of a tiny mistake in a configuration. That's the kind of risk businesses face with Infrastructure as Code. IaC makes it easy to set up and manage cloud resources but also brings significant security risks, mostly from misconfigurations. 

98% of companies work with at least one vendor that suffered a data breach in the last two years. Even more worrying, in just the first three quarters of 2023, one in four people in the US had their health data leaked because of these breaches.

Using tools like KICS (Keeping Infrastructure as Code Secure) to check for security gaps isn't just a good idea to protect your infrastructure - it's crucial. 

What is KICS?

a black and blue logo with a donkey on it

KICS is an open-source tool that checks your code for security issues and compliance before you deploy it. This early check is essential for anyone who uses infrastructure as code and wants to ensure it is secure, such as DevOps teams, cloud engineers, or security experts. 

KICS stands out due to its compatibility with various platforms, such as Terraform, Kubernetes, Docker, Pulumi, Helm, Ansible, and CloudFormation. Unlike tools like Checkov, which is primarily designed for Terraform and Kubernetes and might need fine-tuning for better performance, or Terraform Compliance, which is developed explicitly for Terraform, KICS is immediately operational across various platforms without the need for an additional setup.

The level of automation, speed, and accuracy that KICS offers are crucial to meeting strict regulatory standards and requirements. For example, NIST SP 800-53 regulations require organizations to implement over 300 security controls covering management policies, daily operations, and, most importantly, technical infrastructure.

Getting Started with KICS

Setting up KICS for scanning your IaC is straightforward, especially when using Docker for installation. Here's how to get started:

1. Install Docker

First, make sure Docker is installed in your system. 

2. Pull the KICS Docker Image

docker pull checkmarx/kics:latest

a screenshot of a black screen with a red text box

3. Run KICS Scan

Use this command to scan your IaC files and adjust the directory path to where your files are stored:

docker run -t -v {path to host folder}:/path checkmarx/kics:latest scan -p /path -o /path/reports --report-formats html --output-name report
Enter fullscreen mode Exit fullscreen mode

a black background with a green font and numbers

4. View the Results

Check the results in the /path/reports folder to see any security issues in your IaC setups.

a black background with a green font and numbers

Following these steps, you can quickly use KICS to ensure your cloud infrastructure is secure and compliant before deployment.

Top security concerns for Infrastructure as Code (IaC)

Imagine you're configuring an S3 bucket to store your infrastructure's state file and later realize it's completely open with no security measures. Common IaC gaps like insecure defaults are enough to allow unauthorized access and leave the door open for costly data breaches. 

Loose access controls can give unauthorized users too many permissions, allowing them to access sensitive data or install malicious code to manipulate resources. Misconfigurations can leave your S3 bucket unprotected and open to the world, leading to data leaks, service disruptions, or crypto-jacking. Any of these issues are enough to get you in trouble with data protection regulations and jeopardize your business operations and reputation.

Hardcoded secrets like API keys are other common concerns to keep in mind with IaC. Regular testing, continuous monitoring, and proactive security measures are necessary to protect your infrastructure against evolving threats.

How to Use KICS to Harden Your IaC Security

Integrate KICS with Your CI/CD Pipelines

Add KICS to your CI/CD pipelines to scan your code automatically with every update. Here's an example of using GitHub Actions to run KICS on every push or pull request to the main branch:

name: KICS Security Check

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  security_checks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Docker
        uses: docker/setup-buildx-action@v1

      - name: Run KICS
        run: |
          docker run -t -v ${{ github.workspace }}:/path checkmarx/kics:latest scan -p /path -o /path/reports --output-name report
        continue-on-error: true

Enter fullscreen mode Exit fullscreen mode

a screenshot of a computer screen with a black background

Integrating KICS into your CI/CD pipeline ensures your infrastructure is continuously checked for vulnerabilities, reducing the risk of deploying insecure configurations.

Customize Security Policies

Create custom security policies that match your specific needs. For example, you can set rules to ensure all S3 buckets are encrypted or that Kubernetes pods don't run as root. Custom policies help enforce security standards consistently across your infrastructure, minimizing risks associated with misconfigurations and unauthorized access. Regularly update and review these policies to adapt to new security threats and compliance requirements.

Implement Policy as Code

Implementing policy as code involves writing and enforcing security policies directly within your infrastructure code. With KICS, you can define policies that automatically check for cloud compliance essentials. For example, you can create rules to ensure all resources are tagged correctly or that no public access is granted to sensitive data. Additionally, you can set policies to enforce that all Amazon S3 buckets must have server-side encryption enabled and block public access. By codifying these policies, you ensure they are applied consistently and can be versioned and audited like any other part of your infrastructure code. 

a diagram of a privacy code

Perform Regular Threat Modeling

As the name suggests, threat modeling involves analyzing your system's architecture to identify threats and vulnerabilities. This process should be adopted as one of your first security steps, as it will give you a deeper understanding of potential risks within your system. You can then create a dynamic risk assessment and allocate resources effectively or choose the most appropriate security controls to mitigate vulnerabilities.

KICS can scan your IaC templates, scripts, and configurations as part of your threat modeling process. These scans give you an overview of vulnerabilities across your underlying infrastructure, including web servers, databases, and other IaC components. 

You can also use threat modeling tools like OWASP Threat Dragon or ThreatModeler to simulate attacks. Consider performing these simulations quarterly or bi-annually, and regularly update your threat models to match changes in your environment and new threat information.

Automate KICS scans 

Automated security scans are the bread and butter of any IaC security strategy nowadays, as they enable you to effectively implement a continuous security approach and stay proactive in detecting and fixing issues.

Using Jit's DevSecOps platform, you can automate KICS scans for every pull request, ensuring continuous security checks without manual intervention. Whenever a pull request is created or merged, the platform triggers KICS to scan the infrastructure code for misconfigurations and vulnerabilities. 

Its centralized hub provides a complete view of your IaC security, displaying in-context KICS findings and live updates. You can easily see which issues need attention, track their resolution status, and access automated remediation workflows, where Jit generates a pull request to address and fix identified issues. 

a screenshot of a web page with a number of different languages

Bringing it All Together for Secure IaC

It's easy to think that data breaches only happen to a few unlucky ones, but they are far more common and dangerous than we want to believe. Regarding IaC security, the more robust your security plan, the better you can sleep at night knowing your systems are protected. But robust IaC security doesn't mean never-ending workloads and complex processes. 

Leveraging tools like KICS and all its functionalities can help you protect your IaC components. Jit makes this even more seamless by automating KICS scans for every pull request and giving you a central place to manage all your tools and controls for IaC and beyond. The platform offers clear insights on security issues and enables you to quickly "Create a fix PR" to address problems. Explore more here.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .