Shifting Terraform security left

Shifting Terraform
security left
Gareth Rushgrove

View Slide

Gareth Rushgrove
Director, Product Management, Snyk
Devops Weekly curator
Open Source contributor
@garethr

View Slide

Agenda Cloud security
01
Static analysis
02
Example Terraform tools
03
Demos
04
Conclusions
05

View Slide

Cloud security
Standards, benchmarks and best practices

View Slide

The financial giant said the
intruder exploited a
configuration vulnerability
“
“
Configuration is a security risk

View Slide

Some kind of misconﬁguration
is encountered on an
penetration test over
96% of the time.
“
“

View Slide

While CSPs often provide tools
to help manage cloud
conﬁguration, misconﬁguration
of cloud resources remains the
most prevalent cloud
vulnerability
“
“

View Slide

Center for Internet Security
Benchmarks

View Slide

CIS Benchmarks
Azure and AWS

View Slide

Static analysis
What and why

View Slide

Static analysis
Static program analysis is the analysis of
computer software that is performed
without actually executing programs

View Slide

A typical testing progression
Acceptance
tests
Unit tests
Integration
tests
Static
analysis

View Slide

The importance of fast feedback
Acceptance
tests
Unit tests
Integration
tests
Static
analysis
Fast Middling Slow Slower

View Slide

Insecure Terraform
Can you spot issues in the following code?
resource "aws_security_group_rule" "my-rule" {
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_alb_listener" "my-alb-listener" {
port = "80"
protocol = "HTTP"
}
resource "aws_db_security_group" "my-group" {
}
resource "azurerm_managed_disk" "source" {
encryption_settings {
enabled = false
}
}

View Slide

Insecure Terraform
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
}
port = "80"
protocol = "HTTP"
}
}
enabled = false
}
}
Wide open ingress rule

View Slide

Insecure Terraform
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
}
port = "80"
protocol = "HTTP"
}
}
enabled = false
}
}
Use of unencrypted transport protocol

View Slide

Insecure Terraform
type = "ingress"
cidr_blocks = ["0.0.0.0/0"]
}
port = "80"
protocol = "HTTP"
}
}
enabled = false
}
}
Unencrypted storage

View Slide

Example Terraform tools
Things to try out

View Slide

Terrascan
github.com/cesar-rodriguez/terrascan

View Slide

Terrascan
Project overview
A collection of security and best practice tests for
static code analysis of terraform templates using
terraform_validate.
Active, started 4 months ago
333
Python
35 rules, mainly for AWS
@cesar-rodriguez
Ran 16 tests in 0.015s
OK
Processed 19 files in
C:\DEV\terraforms\backends\10-network-analytics
Results (took 1.08 seconds):
Failures: (2)
[high] [aws_dynamodb_table.encryption.server_side_encryption.ena
[high] [aws_s3_bucket.noEncryption] should have property: 'server
Errors: (0)

View Slide

Terraﬁrma
github.com/wayfair/terraﬁrma

View Slide

Terrafirma
Project overview
Terrafirma is a Terraform static analysis tool
designed for detecting security misconfigurations.
Inactive, created 2 years ago
17
Python
14 rules, mainly for GCP
---
ISSUE FW_1
- Source range open to Internet
- SEVERITY WARN
- RESOURCE example_fw_rule.google_compute_firewall
---
ISSUE FW_2
- SSH Open
- SEVERITY INFO
- RESOURCE example_fw_rule.google_compute_firewall

View Slide

Checkov
github.com/bridgecrewio/checkov

View Slide

Checkov
Project overview
Checkov is a static code analysis tool for
infrastructure as code. It scans cloud infrastructure
managed in Terraform and detects misconﬁgurations.
Active, created 3 months ago
511
Python
50 rules, for AWS, Azure and GCP
@schosterbarak, @tronxd,
@guyeisenkot, @nimrodkor
Passed checks: 4, Failed checks: 0, Skipped checks: 0
Check: "Ensure all data stored in the S3 bucket is securely
encrypted at rest"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "Ensure the S3 bucket has access logging enabled"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25

View Slide

tfsec
github.com/liamg/tfsec

View Slide

tfsec
Project overview
tfsec uses static analysis of your terraform
templates to spot potential security issues
- Checks for sensitive data inclusion across all
providers
- Checks for violations of AWS, Azure and GCP
security best practice recommendations
- Scans modules (currently only local modules
are supported)
- Evaluates expressions as well as literal values
927
35 rules, mainly for AWS
@liamg

View Slide

tfsec
Detect common conﬁguration issues
$ tfsec
5 potential problems detected:
Problem 1
[AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
/Users/garethr/Documents/terraform-security/main.tf:1-4
1 | resource "aws_security_group_rule" "my-rule" {
2 | type = "ingress"
3 | cidr_blocks = ["0.0.0.0/0"]
4 | }
5 |
6 | resource "aws_alb_listener" "my-alb-listener"{
7 | port = "80"
See https://github.com/liamg/tfsec/wiki/AWS018 for more information.
Problem 2
[AWS006][WARNING] Resource 'aws_security_group_rule.my-rule' defines a fully open ingress security group rule.
/Users/garethr/Documents/terraform-security/main.tf:3
Decision
(any JSON value)

View Slide

Conftest
github.com/instrumenta/conftest

View Slide

Conftest
Project overview
Write tests against structured conﬁguration data
using the Open Policy Agent Rego query language.
- Currently supports YAML, JSON, INI, TOML,
HOCON, HCL, CUE, Dockerﬁle, HCL2, EDN, VCL
and XML
- Share policies using OCI registries, Git, S3
- Built-in debugging and testing tools
828
Write your own rules
@garethr, @jpreese, @blokje5,
@boranx, @KeisukeYamashita,
@xchapter7x, @proplex, ...

View Slide

Conftest
Running tests against your conﬁguration
$ conftest test -i hcl2 main.tf
FAIL - main.tf - ALB `my-alb-listener` is using HTTP rather than HTTPS
FAIL - main.tf - ASG `my-rule` defines a fully open ingress
FAIL - main.tf - Azure disk `source` is not encrypted
Decision
(any JSON value)

View Slide

What is Open Policy Agent?
github.com/open-policy-agent/opa
Service
OPA
.rego
Query
(any JSON value)
Decision
(any JSON value)
Data
(JSON)
Policy
(Rego)
Request, Event, etc. - An open source policy engine
- Written in Go
- WebAssembly support coming along
- A CNCF project
- Usable as a library and a service
- A vibrant open source community
- Provides a declarative DSL for writing policy called Rego

View Slide

Conftest
Write assertions in Rego
package main
deny[msg] {
proto := input.resource.aws_alb_listener[lb].protocol
proto == "HTTP"
msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])
}
deny[msg] {
rule := input.resource.aws_security_group_rule[name]
rule.type == "ingress"
contains(rule.cidr_blocks, "0.0.0.0/0")
msg = sprintf("ASG `%v` defines a fully open ingress", [name])
}

View Slide

Conftest
Write unit tests for Rego in Rego
test_blank_input {
no_violations with input as {}
}
test_correctly_encrypted_azure_disk {
no_violations with input as {"resource": { "azurerm_managed_disk": { "sample": { "enc
}
test_unencrypted_azure_disk {
deny["Azure disk `sample` is not encrypted"] with input as {"resource": { "azurerm_ma
}

View Slide

Conftest integrations
Easy to run in common CI/CD systems

View Slide

Demo

View Slide

Conclusions
If all you remember is...

View Slide

Cost/beneﬁt
Static analysis is cheap to run, but
can result in false positives and
false negatives

View Slide

Developer proximity
The closer feedback is provided to the
original author of the code, the
cheaper it should be to address issues

View Slide

Terraform tooling
Lots of new Terraform development
tools emerging at the moment (not
just for static analysis)

View Slide

Shift security left
Automatically catching security issues
during development means less
issues in production, and more time
to focus on ﬁnding and ﬁxing them

View Slide

Thanks for listening
Sign up for free at snyk.io/signup

View Slide

Shifting Terraform security left

Shifting Terraform security left

Gareth Rushgrove

More Decks by Gareth Rushgrove

Other Decks in Technology

Featured

Transcript