Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - How to abuse Terraform to elev...

apidays
PRO
March 21, 2023
Programming
0
84

APIsecure 2023 - How to abuse Terraform to elevate access, Mike McCabe

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

How to abuse Terraform to elevate access
Mike McCabe, President at Cloud Security Partners

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

March 21, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
apidays
PRO
0
26
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
24
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
17
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
27
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
16
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
13
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
28
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
25
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
13

Other Decks in Programming

See All in Programming
マルチモジュールにおけるテスト最適化
fxwx23
0
210
Hono・Prisma・AWSでGeoなAPI開発
nokonoko1203
5
680
GraphQLとGigaViewer for Apps
numeroanddev
2
110
React + TextAliveでカッコいいLyric Applicatioinを作ろう!!
tosuri13
0
400
ECMAScript、Web標準の型はどう管理されているか / How ECMAScript and Web standards types are maintained
petamoriken
3
390
Go1.23で入った errorsパッケージの小さなアプデ
kuro_kurorrr
2
400
Ruby Parser progress report 2024
yui_knk
2
230
Swiftコードバトル必勝法
toshi0383
0
170
私のEbitengineの第一歩
qt_luigi
0
450
A New Era of Testing
mannodermaus
2
520
Understand the mechanism! Let's do screenshots tests of Compose Previews with various variations / 仕組みから理解する!Composeプレビューを様々なバリエーションでスクリーンショットテストしよう
sumio
3
840
Jakarta EE meets AI
ivargrimstad
0
390

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
How to Ace a Technical Interview
jacobian
274
23k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.4k
WebSockets: Embracing the real-time Web
robhawkes
59
7.3k
What's new in Ruby 2.0
geeforr
340
31k
Creatively Recalculating Your Daily Design Routine
revolveconf
215
12k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
190
16k
Large-scale JavaScript Application Architecture
addyosmani
508
110k
Done Done
chrislema
180
16k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
5
480
Gamification - CAS2011
davidbonilla
79
5k
GraphQLとの向き合い方2022年版
quramy
43
13k

Transcript

  1. INFRASTRUCTURE AS REMOTE CODE EXECUTION

  2. INTRODUCTION • Michael McCabe • President of Cloud Security Partners

    • Help clients with cloud strategy and security • Passionate about infrastructure as code

  3. WHAT ARE WE TALKING ABOUT • Terraform • Infrastructure as

    code • Codified and consistent “With Terraform, you can create, modify, and destroy your infrastructure in a consistent and repeatable way.”

  4. BENEFITS • Centralize deployments • Deploy consistent infrastructure • Codified

    infrastructure • Can apply security controls for preventative measures

  5. CHALLENGES • Terraform is often given high privileged roles •

    Multiple ways to use Terraform to execute code • Terraform is a great way to gather data about an environment • Various ways to bypass security controls

  6. OUR EXPERIENCE • Helped move large financial organizations to self

    service model • Thousands of rules • Dozens of services • Thousands of users • Zero security findings from deployed infrastructure • Powerful preventative control • Maps to internal and external controls

  7. HOW DOES IT WORK • Terraform plan – plans what

    will be created, updated, or destroyed • Calculates the current state and end state • Creates dependency tree • Outputs plan for what will be created, updated, destroyed • Determines unknown values… • Terraform apply – creates the infrastructure • Makes changes based on plan • Updates state to track the current environment • Outputs changes
  8. None
  9. None
  10. None

  11. TERRAFORM STATE • Stores current state of environment • Used

    to managed updates, deletes • Drift detection • Holds secrets..
  12. None
  13. None
  14. None

  15. TERRAFORM APIS Dozens of APIs Privileged APIs Update state Update

    variables Various levels of access
  16. None

  17. TECHNIQUES • Provisioners • remote-exec • local-exec • file •

    dns • Data • external-data • http

  18. REMOTE-EXEC • Used to run scripts on remote hosts after

    provisioning • Anti-pattern • Introduces code to infrastructure deployments “they also add a considerable amount of complexity and uncertainty to Terraform usage”

  19. REMOTE EXEC • Setup an EC2 • Determine connection •

    Create reverse shell to external IP

  20. LOCAL-EXEC • Invokes a process on the machine running Terraform

    • Anti-pattern • Introduces code to infrastructure deployments • Utilizes highly privileged Terraform role “Important: Use provisioners as a last resort. There are better alternatives for most situations.”

  21. LOCAL-EXEC • Completes infrastructure build • Runs curl command against

    metadata endpoint • Curls output to remote webserver

  22. SEMGREP • Basic pattern matching • Integrate with pipelines •

    Fast • Opensource rulesets

  23. SOLUTIONS?

  24. DATA GATHERING METHODS • HTTP Provider • External data •

    Many more

  25. HTTP PROVIDER

  26. None

  27. SOLUTIONS?

  28. None

  29. WE WANT MORE More in-depth testing Resource specific checks Decision

    making logic

  30. SOLUTIONS • OPA Rego • Hashicorp Sentinel

  31. None
  32. None
  33. None

  34. AFTER UNKNOWNS • Values aren’t in plan • Values are

    created • Easy to manipulate • Bypasses plan time checks • Must have explicit checks

  35. SOLUTIONS - LAYER YOUR DEFENSES • IAM • Build patterns

    for use cases • Service guard rails • IAM • Code review – testing • Plan security enforcement • Lock down Terraform environment • Segment deployments • Monitoring

  36. IAM • Build use case or application specific roles and

    policies • Use principle of least privilege • Build guardrails for IAM • IAM conditionals • Monitor changes

  37. PATTERNS • Design patterns for service use cases • Document

    the guardrails • Design IAM policies down to minimum

  38. HARDEN SERVICES

  39. CODE REVIEW • Automated code review in the pipeline •

    Check for bad pre-plan practices • Provisioners • Custom code • Enforce standards

  40. MONITORING • Monitor IAM changes for Terraform roles • Monitor

    deployed resources for delta with standards • Monitor changes in your Terraform environment

  41. CONCLUSIONS Terraform is a powerful tool to standardize and centralize

    deployments High signal and effective security integrations points Implementation must be well thought out Controls at multiple layers Monitor for anomalies

  42. THANK YOU! [email protected] CloudSecurityPartners.com @mccabe615