enterprise security

SecurityTrails Blog · Dec 30 2020 · by Esteban Borges

Infrastructure as Code: Is It as Secure as It Seems?

Reading time: 8 minutes
Listen to this article

Alongside the rise of public clouds, managing the infrastructure of private clouds has never been easier. Tools like Terraform are available, but increasing dependence on them means it’s necessary to understand the security implications they present. After all, your entire infrastructure is dependent on, and accessible through, such a configuration—it’s essentially infrastructure as code, or “IAC”, passed through a tool like Terraform.

IAC has effectively become the go-to for most modern infrastructure, given the scale and complexities involved in managing everything manually.

For users already using IAC-based setups, we’ll look into how one can assess and manage the various security risks present in IAC-powered setups and examine the various tools available for reducing attack surface. For users looking into setting up or switching to IAC-based setups, we’ll look at the various advantages of IACs as well.

What is infrastructure as code (IAC)?

Infrastructure as code is, as its name suggests, a modern way of managing infrastructure in the form of formatted code or simply “defined templates’’ which are system readable. These allow for rapid scaling up and down of infrastructure. IAC applies to commonly used cloud infrastructure as well as any other infrastructure that goes along with it, for example, bare-metal systems.

IACs allow for easier management, understanding and monitoring of the infrastructure in place, as IACs combine everything into one infrastructure template.

IAC definitions or templates are fed into tools like Terraform, Ansible or SaltStack. These tools parse the templates written to manage the infrastructure as defined in the templates.

Benefits of IAC

IAC provides multiple benefits to DevOps teams, with advantages seen from development to deployment that include the following:

Automation

IAC allows DevOps teams to skip all of the manual work involved in the setting up or scaling upf of infrastructure in use. Automating setup of all the parts of the infrastructure in use can save hours—and in many cases, days—when considering the major deployments found in numerous large organizations.

Financial savings

Cost savings are possible when using IACs. With infrastructure as code, infrastructure deployments are known well in advance and tested over time, allowing for streamlining and cleaning up. With manual deployments, bits of infrastructure are often found to be in excess or even missing, leading to last-minute delays and unnecessary expense. IAC templates show that every single element of the infrastructure to be deployed is present and accounted for, allowing for better understanding.

Replication of infrastructure

Tried and tested IAC templates allow for replication of infrastructure from development and testing environments into production environments. This saves time, as templates can be re-used when setting up new production environments as applications are shipped to customers. With the entire infrastructure defined in code, it’s possible to amend or remove bits of infrastructure as needed, depending on customer requirement. This also allows for easier customer infrastructure documentation between support and DevOps teams as well.

Easier documentation and understanding

IAC allows for easier understanding of the infrastructure in place. Having all of the infrastructure defined in a file, or set of files, makes it possible to keep track of everything in use. This prevents teams from forgetting any part of their infrastructure when dealing with system updates, patches, and the like, better ensuring overall security.

Infrastructure as code security risks

With all the benefits that IAC carries, there are risks as well. As the whole of your infrastructure defined in a file or set of files, let’s examine the following considerations:

Infrastructure as code security risks

Credential management risks

The storing of passwords and other access information (such as SSH keys) is a major security point to keep in mind. The password or SSH key is the key to all of your infrastructure defined in the IAC—and storing these elements in a non-encrypted/parse-able format (such as a JSON file or similar) allows for possible security issues should the IAC template be leaked or copied from a “safe” environment.

Infrastructure communication risks

The communication method, or channel between the master and infrastructure, is another important aspect to keep in mind. Communication between servers is possible via SSH, which is secure, but some parts of your infrastructure may depend on in-secure methods such as Telnet (for legacy/older devices) or other methods like plain-text APIs. If detected, these can open up possible attack vectors to your infrastructure when being run via the IAC template definition.

Managing user privileges and user roles is another critical aspect of using IAC. As user roles and privileges can have a major effect on the infrastructure being deployed, restricting user roles and privileges is important and should apply to all users who are part of the IAC template managing the infrastructure. Without such security restrictions in place, a rogue user can take control of the whole infrastructure and cause widespread damage, as seen in our previous article about privilege escalation.

Storing of IAC templates is often overlooked, yet it’s the most important part of using them. Storing IAC templates on insecure machines can cause major security issues; if the host-machine or master is compromised, it can lead to theft of the IAC template. In the wrong hands, it can be parsed with the individual bits of infrastructure attacked individually, or the infrastructure can fall victim as a whole—as the complete infrastructure definition is present in the set of IAC templates.

How can you detect IAC risks?

Detecting risks in IAC is an imperative. When using IAC templates to manage and deploy your digital assets, constant monitoring and analysis has to be performed to ensure their safety, including the auditing of user roles and privileges, rotation of SSH keys, auditing the security of the system from which the IAC template is deployed, and more.

Now let’s look at six commonly used tools available for auditing and securing your IAC deployments:

TFLint

TFLint is a Terraform linter which is a free and open source tool.

TFLint is used with Terraform, which helps with checking of configurational errors and security practices used with your IAC. TFLint supports multiple public cloud providers via plugins as well, including Azure, AWS, and others, which in turn allows you to easily integrate TFLint with your existing Terraform IAC deployments on these public cloud platforms.

Terrafirma

Terrafirma is similar to TFLint, as a free and open-source tool. Terrafirma integrates with your existing deployments made with Terraform and is used for detecting security misconfigurations in your IAC templates.

Terrafirma’s advantage is that it provides output in the JSON format, which can further be parsed and audited by other tools for easier integration with your continuous integration and deployment tools.

SecurityTrails™ ASR

Attack Surface Reduction is an in-house tool from our company that helps reduce your attack surface area—the number-one source of IAC-related security incidents.

Scanning and auditing your attack surface is the most important task to consider when using IACs.

ASR helps you to prevent attacks before they happen, by letting you visualize your entire network infrastructure, receive custom alerts when new assets are added, check SSL certificates expirations, detect open database ports, unveil remote access points, and much more.

Terrascan

Terrascan is a compliance and security violation scanner for your IAC. It’s a free, open-source tool as well.

Terrascan helps check your IACs for security- and compliance-related issues before you deploy your IAC to a cloud platform. Terrascan includes 500+ policies which it checks your IAC against, and with popular public clouds like AWS, Azure and GCP supported, Terrascan proves to be a handy tool for scanning any IAC.

AirIAM

AirAIM is an AWS-specific tool that helps infrastructure managers migrate from an AWS-based IAM to a least-privileges Terraform-based IAC. AirIAM identifies unused users, roles, groups, and policies as well, which helps reduce unwanted privileges or roles being made available to users, decreasing the risk of security vulnerabilities in your infrastructure. AirIAM is open source and free to use.

AirIAM also integrates well with Checkov, which helps track unwanted IAC configuration changes and IAC configuration drifts.

Terraformer

Last but not least, and for our readers looking to switch to an IAC-based setup, is a tool that does exactly that: Terraformer.

Terraformer is open source and free to use, and helps convert existing infrastructure based in cloud providers like AWS, GCP, Azure and more. Terraformer generates Terraform-compatible IAC from your existing cloud deployments on these cloud platforms.

The generated IAC can then be combined with the above tools to secure and maintain your generated IAC.

Summary

While IACs have redefined how we manage and deploy our online infrastructure, simplifying the process with IACs often brings up other security challenges that warrant consideration. These challenges range from the basics of user privilege management to the complex (and often overlooked) system security of the machine holding the IAC template itself.

Securing IACs is made possible by ensuring end-to-end auditing and security, and by using one or a combination of the tools mentioned, including our in-house SecurityTrails ASR, an ideal tool for automating your infrastructure security monitoring and, most importantly, reducing your attack surface when using IACs to manage and deploy your digital assets.

Esteban Borges Blog Author
ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.