Infrastructure as Code Security

I was excited to have the opportunity to speak recently at Kernelcon and BSidesNYC about one of my favorite topics, infrastructure as code (IAC).

Having helped multiple companies build IAC security programs, talking about what we've learned is always enjoyable. Companies moving to centralized and well-managed infrastructure as code pipelines with built-in security controls is a massive security win. However, utilizing these tools comes with certain risks that we must manage.

As I outlined in my talk, one of the major risks is that these tools are often given overprivileged roles and rights. Utilizing built-in IAM controls from the cloud providers is the first line of defense for securely utilizing these tools. Limiting access to the resources, regions, and configurations in the roles we give pipelines is very important. We should restrict these as much as possible, knowing that pipelines must have certain rights in order to build infrastructure. Also crucial in this regard is ensuring we're monitoring for changes to these roles and policies related to our pipelines.

Additionally, I discussed having proper patterns and guardrails defined for your services. Prior to adopting a new service in Terraform or other IAC platforms, we need to ensure the architecture pattern and guardrails are well defined. This leads directly to our next goal of building security tooling into our IAC pipelines. Architecture patterns and guardrails should be a team effort to define and document them between security, architecture, and app teams. The best patterns have also been threat modeled, and those findings integrated into the guardrails.

Lastly, we must take these patterns and implement security controls in our pipelines that prevent insecure misconfigurations from being deployed. I give examples of Semgrep, Hashicorp Sentinel, or OPA Rego. Each tool has its benefits and issues. I recommend combining multiple tools, each serving a different purpose. This is a challenging feat; it takes a dedicated security engineering team to build these controls. In most projects we've worked on, it's required hundreds of rules to secure dozens of services in each cloud provider. Once the controls are in place, they can be applied against your company's hundreds or thousands of infrastructure deployments a year.

This will prevent a massive amount of rework by app teams, compliance tracking and tracing for security teams, and even some expensive tools for dealing with the issues. These strategies and tactics can have a huge influence on bringing your cloud risks and issues close to zero.