I was excited to have the opportunity to speak recently at Kernelcon and BSidesNYC about one of my favorite topics, infrastructure as code (IAC).
Having helped multiple companies build IAC security programs, talking about what we've learned is always enjoyable. Companies moving to centralized and well-managed infrastructure as code pipelines with built-in security controls is a massive security win. However, utilizing these tools comes with certain risks that we must manage.
As I outlined in my talk, one of the major risks is that these tools are often given overprivileged roles and rights. Utilizing built-in IAM controls from the cloud providers is the first line of defense for securely utilizing these tools. Limiting access to the resources, regions, and configurations in the roles we give pipelines is very important. We should restrict these as much as possible, knowing that pipelines must have certain rights in order to build infrastructure. Also crucial in this regard is ensuring we're monitoring for changes to these roles and policies related to our pipelines.
Additionally, I discussed having proper patterns and guardrails defined for your services. Prior to adopting a new service in Terraform or other IAC platforms, we need to ensure the architecture pattern and guardrails are well defined. This leads directly to our next goal of building security tooling into our IAC pipelines. Architecture patterns and guardrails should be a team effort to define and document them between security, architecture, and app teams. The best patterns have also been threat modeled, and those findings integrated into the guardrails.
Lastly, we must take these patterns and implement security controls in our pipelines that prevent insecure misconfigurations from being deployed. I give examples of Semgrep, Hashicorp Sentinel, or OPA Rego. Each tool has its benefits and issues. I recommend combining multiple tools, each serving a different purpose. This is a challenging feat; it takes a dedicated security engineering team to build these controls. In most projects we've worked on, it's required hundreds of rules to secure dozens of services in each cloud provider. Once the controls are in place, they can be applied against your company's hundreds or thousands of infrastructure deployments a year.
This will prevent a massive amount of rework by app teams, compliance tracking and tracing for security teams, and even some expensive tools for dealing with the issues. These strategies and tactics can have a huge influence on bringing your cloud risks and issues close to zero.
Read next
The Security Benefits of Infrastructure as Code
We have developed and delivered new ways to deliver infrastructure quickly and without these misconfigurations. Prevention is the only cure; we’ll talk about how you can implement this today.
Gen AI Security: An Introduction and Resource Guide
Like many industries, Artificial Intelligence has taken the security industry by storm. Security practitioners now are faced with the challenge of understanding new classifications of threats and new techniques of attack. Threat Actors are utilizing AI to improve their attacks, while also exploiting AI services. AI and Generative AI utilize
RDS Revealed? Time to Give It Some Shade!
By: John Poulin
At Cloud Security Partners, we have audited thousands of customer AWS accounts as part of our security reviews. Across our customers, roughly 5% of the AWS Relational Database Service (RDS) instances we analyze are publicly accessible. A general rule of thumb across the security industry is that