8 Infrastructure as Code (IaC) Best Practices for Security

user profile
Developer Advocate

Infrastructure as Code (IaC) is a rapidly growing technique of provisioning infrastructure with software, utilizing software development principles and practices. This allows for faster software delivery more efficiently compared to traditional IT infrastructure.

When infrastructure is defined in code, the entire process can be automated. This allows for easy self-service, high levels of consistency and repeatability. Automation also unlocks the capability of elastic provisioning which allocates resources efficiently under varying loads. Checking infrastructure code into a version control system allows for changes to be rolled back if necessary.  

Despite the many infrastructure as code benefits, improperly configured can also quickly propagate misconfigurations throughout a system. IaC’s automated provisioning boosts efficiency but also amplifies mistakes which often adversely affect security. Adhering to IaC security best practices, such as those defined by NIST, is an effective way to reduce the security risks of successful supply chain cyber attacks and breaches, but which infrastructure as code (IaC) security best practices should you adopt? 

Any organization looking to secure Kubernetes, Terraform, CloudFormation, or Ansible should consider these best practices.

8 Infrastructure as Code Best Practices

1) Scan for Misconfigurations

IaC is a powerful tool, but a risk of utilizing it includes propagating small configuration mistakes across the cloud infrastructure. Misconfigurations may take several different forms, such as insecure default configurations–including nearly half of CloudFormation templates. Other forms of misconfiguration include publicly accessible S3 buckets or unencrypted databases. These issues can lead to breaches as easily as a zero-day in custom code or a CVE in an open-source library. 

While static application security testing (SAST) and software composition analysis (SCA) scanning are de facto best practices for feature code, few organizations prioritize securing their IaC equally. Running security scans against code as infrastructure is a powerful hedge against the inadvertent misconfigurations leading to exposure and breaches.  Furthermore, by scanning new commits for changes to the cloud deployment, infrastructure that no longer matches its original template can be detected and corrected for improved cloud security.

2) Automate Security Scanning into Developer Workflows 

Finding and fixing security vulnerabilities before they reach production increases security far more effectively than remedial means. By integrating checks for IaC misconfigurations into the developer workflow, developers are able to find and correct issues before they are exploited. This can take the form of a pre-commit hook to test code when the developer saves their work. It could be a branch protection rule that is automated with pull requests. It could also be a security build rule that is run in CI like unit testing. Running security scans in developers’ workflows also has the benefit of ensuring that the right developer gets the right information at the right time. This improves remediation efficiency because developers can fix misconfigurations while the code is still fresh in their minds.

3) Identify and Correct Environmental Drift

Detecting drift, a scenario in which the configurations for different deployment environments fall out of sync with their templates, and fixing misconfigurations is a best practice for infrastructure of code. Drifts in configurations typically happen during maintenance and can cause environments, such as test and production, to fall out of harmony. This leads to configurations drifting away from known secure states over time.

Environmental drift often occurs without malicious intent. Drift can be introduced by careless errors such as changing the configurations in one environment and not the other. This is sometimes difficult to fix and expensive in terms of business downtime. Naturally, drift is identified by comparing IaC to actual production configurations, but accomplishing this by hand is tedious and time-consuming. Hence, drift detection is another way in which IaC security and compliance scanning tools add value.

4) Prevent Hard Coded Secrets from Permeating IaC

One of the most widely agreed-upon best practices for infrastructure as code is to avoid deploying code containing credentials. Hard coded secrets can be introduced in either feature code or IaC code. Secrets making their way into IaC have the potential to be devastating for an organization’s security. The presence of hardcoded secrets also makes a breach of the associated account due to password guessing nearly inevitable because exposure of code through a leak will then become an event that hands passwords to attackers. If hard coded secrets are left in the program, this may lead to a failure of authentication measures. Anyone with access to a project may view these hard coded secrets. 

Like scanning for security misconfigurations, an initial assessment should scan for secrets in the main branch and version history. The best approach is to prevent these hard coded secrets from ever making it into the version control system. This is done by scanning commits before they are merged into the main branch.

5) Reduce the Time and Impacts of Code Leaks

Code leaks occur when source code is publicly published. This can result in intellectual property theft, the exposure of hard coded secrets, and pre-emptying product or feature announcements. Source and IaC code often reside in the same repositories, and the dangers of exposing code includes the risk of attackers parsing your code to find security vulnerabilities, misconfiguration, and/or secrets.

Establish protocols to avoid code leaks, but also formulate a contingency plan in case leaks do occur. Potentially suspicious user activity such as downloading, cloning or forking repositories with IaC should be investigated. Enforcing least privilege policies helps reduce code leakage exposure. Also, perform regular checks to prevent source code from remaining published to public repositories or code sharing sites, and ensure that any source code leaks are dealt with swiftly. The longer proprietary IaC code is exposed publicly the more likely an malicious actor is to find it. Alerting mechanisms should be set in place to reduce the time of a code leak’s occurrence.

6) Establish Consistent Governance of Tools

An often overlooked aspect of an effective cloud security posture is the settings and policies of the DevOps tools and infrastructure themselves. Hardening authentication, ensuring principles of least privileges, and enforcing separation of duties all go far in establishing protocols benefiting security. This helps ensure contributors pushing commits are who they say they are. Developer credentials are the crown jewel for attackers and other nefarious actors, but putting governance safeguards in place helps prevent a singular compromised account from compromising other parts of the system or accessing IaC tools. This forces attackers to be more specific in the accounts they target. It may even force a different approach for a successful cyberattack.

Implementing consistent enforcement of policy is a best practice for infrastructure as code. Google’s SLSA framework contains specific guidance on ensuring the integrity of source code–this guidance is aimed to reduce the chances of code tampering and prevent nefarious activity from going unnoticed. These security requirements are aimed to make changes to IaC trackable and well-reviewed. Establishing consistent governance necessitates that every system in the software supply chain be secure, with no user having access to change the system without additional oversight.

7) Prevent Code Tampering

If a developer’s account is compromised an attacker can tamper with IaC with potentially devastating consequences such as making databases publicly accessible. Hence, it is not only important to harden developers’ accounts but also to know when infrastructure as code configurations have been changed, and to verify that the changes are sanctioned and intentional. Regular comparisons between different phases of the SDLC help mitigate code tampering risk by identifying points where code in source control doesn’t match source code in the build system. Ensuring code integrity reduces the risk of successful code tampering by comparing different phases of the build lifecycle. As previously mentioned, IaC amplifies misconfigurations so checking that changes are being performed by a benevolent entity is mission-critical. Unauthorized changes can cause template changes or configuration tampering that may result in a code leak. 

Critical code monitoring is another layer of tampering risk reduction. It is the practice of monitoring snippets of mission-critical code to ensure this code only changes when it is intended to. Essentially, critical code monitoring is an alert on every change that occurs. For feature code, critical code monitoring must be used lightly. However, IaC code is a template for the infrastructure initialized and deployed for the application. This makes it a good candidate for critical code monitoring. Infrastructure typically doesn’t change. When it does, it should be done with high visibility to ensure awareness of the change. This gives responsible parties the opportunity to make sure changes are intentional and not malicious.

8) Avoid Complexity

Complexity is the sworn enemy of effective security. The key to effective security is manageability. Obtaining a comprehensive view of the security landscape is invaluable. It decreases the response time and developer churn required to fix security issues that may arise. By addressing all the items together, it becomes significantly more difficult for attacks to compromise the right developer, have access to the right code, find secrets in that code, for code leaks to lead to breaches, and for code to be tampered with. Moreover, remediation can be prioritized more effectively with the context from multiple events and tools. This approach results in a defense in depth that reduces the risk both of a breach occurring and the impact incurred to the organization in the case of a breach.

How Cycode Can Help

Cycode provides complete visibility with a comprehensive solution to securing infrastructure as code that helps prevent escaped secrets, code leaks, environmental drift, and other common issues, all in a single, integrated platform. Once integrated into the developer workflow, each commit is scanned for issues including hard-coded secrets or potential misconfiguration, and alerts are issued appropriately. Remediation is available both through a GUI and within the PR.

Cycode helps establish strong governance over each point of the IaC lifecycle by providing a cross-SCM inventory of all users, contributors, teams, organizations, and repositories in your organization. This governance extends into providing more oversight into changes made to code as a means of further protecting key code. Cycode also helps you automatically audit access privileges to identify and reduce excessive, unused privileges, and implement separation of duties. Furthermore, Cycode helps ensure that strong authentication and secure development lifecycle practices are in place. This helps apply security best practices to infrastructure as code tools such as Terraform, Kubernetes, and CloudFormation.

Want to learn more?

A great place to start is with a free assessment of the security of your DevOps pipeline.

Originally published: October 7, 2021