Infrastructure as Code (IaC) is a rapidly growing technique of provisioning infrastructure with software, utilizing software development principles and practices. This allows for faster software delivery more efficiently compared to traditional IT infrastructure. As the infrastructure is defined in code, the entire process can be automated, allowing for easy self-service and high levels of consistency and repeatability; automation also unlocks the capability of elastic provisioning which allocates resources efficiently under varying load. The infrastructure as code may be checked into a version control system, allowing for changes made to be rolled back if necessary.
Despite the many benefits of infrastructure as code, improperly configured infrastructure as code can also quickly propagate misconfigurations throughout a system. IaC’s automated provisioning boosts efficiency, but also amplifies mistakes which often adversely affect security. Adhering to IaC best practices is an effective way to reduce the risk of successful supply chain cyber attacks and breaches, but which best practices should you adopt?
While every organization has unique needs, any organization looking to secure Kubernetes, Terraform, CloudFormation, or Ansible should consider these 8 best practices for securing infrastructure as code:
1) Scan IaC Code for Misconfigurations
Infrastructure as code is a powerful tool, but a risk of utilizing it includes propagating small configuration mistakes across the cloud infrastructure. Misconfigurations may take several different forms, such as insecure default configurations–including nearly half of CloudFormation templates. Other forms of misconfiguration include publicly accessible S3 buckets, or unencrypted databases. These issues can lead to breaches just as easily (and in some cases more easily) than exploiting a zero-day in custom code or a CVE in an open source library.
While SAST and SCA scanning are de facto best practices for feature code, few organizations prioritize securing their IaC equally. Running security scans against IaC code is a powerful hedge against the inadvertent misconfigurations leading to exposure and breaches. Furthermore, by scanning new commits for changes to the cloud deployment, infrastructure that no longer matches its original template can be detected and corrected.
2) Automate IaC Security Scanning into Developer Workflows
While ad hoc security scanning is good, finding and fixing vulnerabilities before they reach production increases security far more effectively than remedial means. By integrating checks for IaC misconfigurations into the developer workflow, developers are able to find and correct issues before they are exploited. This can take the form of a pre-commit hook to test code when the developer saves their work, or this could be a branch protection rule that is automated with pull requests or as a security build rule that is run in CI like unit testing. Running security scans in developers’ workflows also has the benefit of ensuring that the right developer gets the right information at the right time. This improves remediation efficiency because developers can fix misconfigurations while the code is still fresh in their minds.
3) Identify and Correct Environmental Drift
Detecting and fixing misconfigurations helps eliminate “environmental drift”, a scenario in which the configurations for different deployment environments fall out of sync with their templates. Drifts in configurations typically happen during maintenance and can cause environments, such as test and production, to fall out of harmony. This leads to configurations drifting away from known secure states over time.
Environmental drift often occurs without malicious intent. Drift can be introduced by careless errors such as changing the configurations in one environment and not the other, which is sometimes difficult to fix and expensive in terms of business downtime. Naturally, drift is identified by comparing IaC to actual production configurations, but accomplishing this by hand is tedious and time-consuming. Hence, drift detection is another way in which IaC security scanning tools add value.
4) Prevent Hard Coded Secrets from Permeating IaC
Hard coded secrets can be introduced in either feature code or IaC code; secrets making their way into IaC code have the potential to be devastating for an organization’s security. The presence of hardcoded secrets also makes a breach of the associated account due to password guessing nearly inevitable because exposure of code through a leak will then become an event that hands passwords to attackers. If hard coded secrets are left in the program, this may lead to a failure of authentication measures–anyone with access to a project may view these hard coded secrets. Much like scanning for IaC security misconfigurations, an initial assessment should look for hard coded secrets in IaC code in the main branch and version history. However, the best approach is to prevent these hard coded secrets from ever making it into the version control system by scanning commits before they are merged into the main branch.
5) Reduce the Time and Impacts of Code Leaks
Code leaks occur when source code is publicly published. This can result in intellectual property theft, the exposure of hard coded secrets, and pre-emptying product or feature announcements. Source code and IaC code often reside in the same repositories, and the dangers of exposing IaC code includes the risk of attackers parsing your code to find vulnerabilities, misconfiguration, and/or secrets.
Establish protocols to avoid code leaks, but also formulate a contingency plan in case leaks do occur. Potentially suspicious user activity such as downloading, cloning or forking repositories with IaC should be investigated. Enforcing least privilege policies helps reduce code leakage exposure. Also, perform regular checks to prevent source code from remaining published to public repositories or code sharing sites, and ensure that any source code leaks are dealt with swiftly. The longer proprietary IaC code is exposed publicly the more likely an malicious actor is to find it. Hence, alerting mechanisms should be set in place to reduce the time of a code leak’s occurrence as much as possible.
6) Establish Consistent Governance of Tools
An often overlooked aspect of an effective IaC security posture is the security settings and policies of the DevOps tools and infrastructure themselves. Hardening authentication, ensuring principles of least privileges, and enforcing separation of duties all go far in establishing protocols benefiting security. This helps ensure contributors pushing commits are who they say they are. Developer credentials are the crown jewel for attackers and other nefarious actors, but putting governance safeguards in place helps prevent a singular compromised account from compromising other parts of the system or accessing IaC tools. This forces attackers to be more specific in the accounts they target and may even force a different approach for a successful cyberattack.
7) Prevent IaC Code Tampering
If a developer’s account is compromised an attacker can tamper with IaC code with potentially devastating consequences such as making databases publicly accessible. Hence, it is not only important to harden developers’ accounts but also to know when infrastructure as code configurations have been changed, and to verify that the changes are sanctioned and intentional. Regular comparisons between different phases of the SDLC help mitigate code tampering risk by identifying points where code in source control doesn’t match source code in the build system. Ensuring code integrity reduces the risk of successful code tampering by comparing different phases of the build lifecycle. As previously mentioned, IaC amplifies misconfigurations so checking that changes are being performed by a benevolent entity is mission critical. Unauthorized changes can cause IaC template changes or configuration tampering that may result in a code leak.
Critical code monitoring is another layer of IaC tampering risk reduction. It is the practice of monitoring snippets of mission critical code to ensure this code only changes when it is intended to. Essentially, critical code monitoring is an alert on every change that occurs. For feature code, critical code monitoring must be used lightly. However, IaC code is a template for the infrastructure initialized and deployed for the application, which makes it a good candidate for critical code monitoring. Infrastructure typically doesn’t change, but when it does it should be done with high visibility to ensure awareness of the change. This gives responsible parties the opportunity to make sure changes are intentional and not malicious.
8) Avoid Complexity
Complexity is the sworn enemy of effective security; the key to effective security is manageability. Obtaining a comprehensive view of the security landscape is invaluable in that it decreases the response time and developer churn required to fix security issues that may arise. By addressing all the items together, it becomes significantly more difficult for attacks to compromise the right developer, have access to the right code, find secrets in that code, for code leaks to lead to breaches, and for code to be tampered with. Moreover, remediation can be prioritized more effectively with the context from multiple events and tools. This approach results in a defense in depth that reduces the risk both of a breach occurring and the impact incurred to the organization in the case of a breach.
How Cycode Can Help with IaC Security
Cycode provides complete visibility with a comprehensive solution to securing infrastructure as code that helps prevent escaped secrets, code leaks, environmental drift, and other common issues, all in a single, integrated platform. Once integrated into developer workflow, each commit is scanned for issues including hard coded secrets or potential misconfiguration and alerts are issued appropriately. Remediation is available both through a GUI and within the PR.
Cycode helps establish strong governance over all points of the IaC lifecycle by providing a cross-SCM inventory of all users, contributors, teams, organizations, and repositories in your organization; this governance extends into providing more oversight into changes made to code as a means of further protecting key code. Cycode also helps you automatically audit access privileges to identify and reduce excessive, unused privileges, and implement separation of duties. Furthermore, Cycode helps ensure that strong authentication and secure development practices are in place. This helps apply security best practices for IaC code when using Terraform, Kubernetes, and CloudFormation.
Want to learn more?
A great place to start is with a free assessment of the security of your DevOps pipeline.