
Automating IaC security with Tfsec and Terraform

The deck was presented at the AWS Security User Group - Singapore monthly meet-up on 30th Jan 2023.

Ashok Kalakoti

January 31, 2023
Transcript

  1. Disclaimer: The views and opinions expressed in this presentation are solely those of the author and do not necessarily reflect the views of any organization or entity the author may be affiliated with.
  2. Who Am I? Ashok Kalakoti, technology enthusiast; areas of interest in work: Cloud and DevSecOps practices. /ashok-kalakoti/
  3. Take a note! Security is everyone's concern, and capturing risks early is always better than facing problems later on.
  4. Key takeaways
     - Problem statement
     - Importance of IaC scanning
     - How to apply Dev(Sec)Ops principles to IaC deployments
     - Shift-Left approach for IaC
     - Policy as Code – preventive controls in the pipeline
     - Demo – design a Terraform module and scan it with tfsec
  5. How to mitigate cloud misconfigurations? Key elements to address when integrating security into the IaC pipeline.
  6. Applying DevSecOps principles to IaC deployments
     1. Centralize the provisioning workflow for all teams.
     2. Build reusable patterns and reference architectures.
     3. Implement the principle of least privilege for access to the workflow and the IaC code.
     4. Keep to the DRY principle so the code stays minimal and efficient.
     5. Use a code scanner to catch cloud misconfigurations before you provision.
     6. Use Terraform workspaces or a branching strategy to segregate AWS workloads.
     7. Make sure the backend infrastructure is adequately protected: state files contain all sensitive information that passes through Terraform (keys, secrets, generated passwords, etc.).
  7. Does this code look okay?

    resource "aws_db_instance" "db" {
      instance_class        = "db.t3.micro"
      engine                = "mysql"
      publicly_accessible   = true
      allocated_storage     = 50
      max_allocated_storage = 100
    }

    resource "aws_ecs_service" "ecs" {
      name = "ecsApp"
      …
      ordered_placement_strategy {
        type = "binpack"
        …
      }
    }
  8. Policy as code for preventive controls

    Allowed source: private.example.com/myapp
    Disallowed source: public.example.com/otherapp

    module "frontend" {
      source      = "git::https://private.example.com?ref=myapp-v0.0.6"
      kms_key_arn = module.kms.key_arn
    }

    Running: myapp

    module "frontend" {
      source      = "git::https://public.example.com?ref=otherapp-v0.0.6"
      kms_key_arn = module.kms.key_arn
    }
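Slides 7 and 8 describe the same preventive control from two angles: a scanner that fails the pipeline on a risky resource attribute (the publicly accessible RDS instance) and a policy that only allows modules from approved sources. The following Python is an added illustration of that gate, not code from the deck and not tfsec itself (tfsec ships hundreds of built-in checks and supports custom checks; this is a deliberately small hand-rolled scanner so the mechanism is visible). The policy ids `POL001` and `POL002`, the `ALLOWED_MODULE_HOSTS` allow-list, the `Finding` class and the constructed sample HCL (which renames the deck's second module to `frontend_public` so the two can coexist in one file) are all assumptions made for this example.

```python
"""Minimal policy-as-code pre-flight check for Terraform HCL (added example).

Not tfsec and not the deck's code: it only shows the shape of a pipeline gate.
Hypothetical policies:
  POL001 - aws_db_instance must not set publicly_accessible = true
  POL002 - module sources must come from an allow-listed host
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical allow-list; the deck contrasts private.example.com (approved)
# with public.example.com (not approved).
ALLOWED_MODULE_HOSTS = {"private.example.com"}

# Matches `resource "type" "name" {` and `module "name" {` headers.
BLOCK_HEADER = re.compile(r'^\s*(resource|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical policy id
    block: str     # e.g. resource.aws_db_instance.db or module.frontend
    message: str


def _body_end(text: str, open_idx: int) -> int:
    """Index of the '}' closing the brace at open_idx (depth-counted, quote-aware)."""
    depth, in_str = 0, False
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    return i
    raise ValueError("unbalanced braces")


def parse_blocks(hcl: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (kind, address, body) for each top-level resource/module block."""
    for m in BLOCK_HEADER.finditer(hcl):
        kind, first, second = m.group(1), m.group(2), m.group(3)
        open_idx = m.end() - 1
        close_idx = _body_end(hcl, open_idx)
        address = f"{kind}.{first}" + (f".{second}" if second else "")
        yield kind, address, hcl[open_idx + 1:close_idx]


def attributes(body: str) -> dict:
    """Attributes at the block's top level; nested blocks (depth > 0) are skipped."""
    attrs, depth = {}, 0
    for line in body.splitlines():
        stripped = line.strip()
        if depth == 0:
            m = re.fullmatch(r"(\w+)\s*=\s*(.+)", stripped)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
        depth += stripped.count("{") - stripped.count("}")
    return attrs


def module_host(source: str) -> Optional[str]:
    """Host part of a module source; None for local paths (./ or ../)."""
    src = source.strip().strip('"')
    if src.startswith(("./", "../")):
        return None
    if src.startswith("git::"):
        src = src[len("git::"):]
    if "://" in src:
        return urlparse(src).netloc
    return src.split("/")[0]  # e.g. private.example.com/myapp


def check(hcl: str) -> List[Finding]:
    """Run both policies over every block and return the findings in file order."""
    findings: List[Finding] = []
    for kind, address, body in parse_blocks(hcl):
        attrs = attributes(body)
        if kind == "resource" and address.startswith("resource.aws_db_instance.") \
                and attrs.get("publicly_accessible") == "true":
            findings.append(Finding("POL001", address, "RDS instance is publicly accessible"))
        if kind == "module":
            host = module_host(attrs.get("source", ""))
            if host is not None and host not in ALLOWED_MODULE_HOSTS:
                findings.append(Finding("POL002", address, f"module source host {host!r} is not allow-listed"))
    return findings


# Constructed sample: the deck's RDS/ECS resources and its two module blocks.
SAMPLE_HCL = '''
resource "aws_db_instance" "db" {
  instance_class        = "db.t3.micro"
  engine                = "mysql"
  publicly_accessible   = true
  allocated_storage     = 50
  max_allocated_storage = 100
}

resource "aws_ecs_service" "ecs" {
  name = "ecsApp"
  ordered_placement_strategy {
    type = "binpack"
  }
}

module "frontend" {
  source      = "git::https://private.example.com?ref=myapp-v0.0.6"
  kms_key_arn = module.kms.key_arn
}

module "frontend_public" {
  source      = "git::https://public.example.com?ref=otherapp-v0.0.6"
  kms_key_arn = module.kms.key_arn
}
'''

if __name__ == "__main__":
    for f in check(SAMPLE_HCL):
        print(f"{f.rule} {f.block}: {f.message}")
```

In a pipeline the gate is simply `sys.exit(1 if check(open(path).read()) else 0)` before `terraform apply`; flipping `publicly_accessible` to `false` clears POL001 while the public module source still fails POL002, which is the preventive behaviour the deck wants from the scanner.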