Shifting Terraform security left

How do you know if the HCL you're writing will result in secure infrastructure? How can you write tests to catch common problems? One of the advantages of infrastructure as code is that we can reason about the code before we run it. In this talk we'll look at the area of configuration security, discuss some of the issues around static analysis of Terraform and look at some open source tools that can help with testing your Terraform code.

Gareth Rushgrove

February 20, 2020

Transcript

  1. Shifting Terraform security left
    Gareth Rushgrove

  2. Gareth Rushgrove
    Director, Product Management, Snyk
    Devops Weekly curator
    Open Source contributor
    @garethr

  3. Agenda
    01 Cloud security
    02 Static analysis
    03 Example Terraform tools
    04 Demos
    05 Conclusions

  4. Cloud security
    Standards, benchmarks and best practices

  5. "The financial giant said the intruder exploited a configuration vulnerability"
    Configuration is a security risk

  6. "Some kind of misconfiguration is encountered on a penetration test over 96% of the time."
    Configuration is a security risk

  7. "While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability"
    Configuration is a security risk

  8. Center for Internet Security Benchmarks

  9. CIS Benchmarks
    Azure and AWS

  10. Static analysis
    What and why

  11. Static analysis
    Static program analysis is the analysis of computer software that is performed without actually executing programs

  12. A typical testing progression
    Static analysis -> Unit tests -> Integration tests -> Acceptance tests

  13. The importance of fast feedback
    Static analysis (fast) -> Unit tests (middling) -> Integration tests (slow) -> Acceptance tests (slower)

  14. Insecure Terraform
    Can you spot issues in the following code?

    resource "aws_security_group_rule" "my-rule" {
      type        = "ingress"
      cidr_blocks = ["0.0.0.0/0"]
    }

    resource "aws_alb_listener" "my-alb-listener" {
      port     = "80"
      protocol = "HTTP"
    }

    resource "aws_db_security_group" "my-group" {
    }

    resource "azurerm_managed_disk" "source" {
      encryption_settings {
        enabled = false
      }
    }

  15. Insecure Terraform (same code as slide 14)
    Wide open ingress rule: the aws_security_group_rule admits 0.0.0.0/0

  16. Insecure Terraform (same code as slide 14)
    Use of unencrypted transport protocol: the aws_alb_listener serves plain HTTP on port 80

  17. Insecure Terraform (same code as slide 14)
    Unencrypted storage: the azurerm_managed_disk sets encryption_settings enabled = false

  18. Example Terraform tools
    Things to try out

  19. Terrascan
    github.com/cesar-rodriguez/terrascan

  20. Terrascan
    Project overview
    A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.
    Status: active, started 4 months ago
    GitHub stars: 333
    Language: Python
    Rules: 35, mainly for AWS
    Maintainer: @cesar-rodriguez

    Sample output:
    Ran 16 tests in 0.015s
    OK

    Processed 19 files in C:\DEV\terraforms\backends\10-network-analytics
    Results (took 1.08 seconds):
    Failures: (2)
    [high] [aws_dynamodb_table.encryption.server_side_encryption.ena
    [high] [aws_s3_bucket.noEncryption] should have property: 'server
    Errors: (0)

  21. Terrafirma
    github.com/wayfair/terrafirma

  22. Terrafirma
    Project overview
    Terrafirma is a Terraform static analysis tool designed for detecting security misconfigurations.
    Status: inactive, created 2 years ago
    GitHub stars: 17
    Language: Python
    Rules: 14, mainly for GCP

    Sample output:
    ---
    ISSUE FW_1
    - Source range open to Internet
    - SEVERITY WARN
    - RESOURCE example_fw_rule.google_compute_firewall
    ---
    ISSUE FW_2
    - SSH Open
    - SEVERITY INFO
    - RESOURCE example_fw_rule.google_compute_firewall

  23. Checkov
    github.com/bridgecrewio/checkov

  24. Checkov
    Project overview
    Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure managed in Terraform and detects misconfigurations.
    Status: active, created 3 months ago
    GitHub stars: 511
    Language: Python
    Rules: 50, for AWS, Azure and GCP
    Maintainers: @schosterbarak, @tronxd, @guyeisenkot, @nimrodkor

    Sample output:
    Passed checks: 4, Failed checks: 0, Skipped checks: 0
    Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
    PASSED for resource: aws_s3_bucket.foo-bucket
    File: /example.tf:1-25
    Check: "Ensure the S3 bucket has access logging enabled"
    PASSED for resource: aws_s3_bucket.foo-bucket
    File: /example.tf:1-25

  25. tfsec
    github.com/liamg/tfsec

  26. tfsec
    Project overview
    tfsec uses static analysis of your terraform templates to spot potential security issues
    - Checks for sensitive data inclusion across all providers
    - Checks for violations of AWS, Azure and GCP security best practice recommendations
    - Scans modules (currently only local modules are supported)
    - Evaluates expressions as well as literal values
    Status: active, started 4 months ago
    GitHub stars: 927
    Rules: 35, mainly for AWS
    Maintainer: @liamg

  27. tfsec
    Detect common configuration issues
    $ tfsec
    5 potential problems detected:

    Problem 1

    [AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
    /Users/garethr/Documents/terraform-security/main.tf:1-4

    1 | resource "aws_security_group_rule" "my-rule" {
    2 |   type = "ingress"
    3 |   cidr_blocks = ["0.0.0.0/0"]
    4 | }
    5 |
    6 | resource "aws_alb_listener" "my-alb-listener"{
    7 |   port = "80"

    See https://github.com/liamg/tfsec/wiki/AWS018 for more information.

    Problem 2

    [AWS006][WARNING] Resource 'aws_security_group_rule.my-rule' defines a fully open ingress security group rule.
    /Users/garethr/Documents/terraform-security/main.tf:3

  28. Conftest
    github.com/instrumenta/conftest

  29. Conftest
    Project overview
    Write tests against structured configuration data using the Open Policy Agent Rego query language.
    - Currently supports YAML, JSON, INI, TOML, HOCON, HCL, CUE, Dockerfile, HCL2, EDN, VCL and XML
    - Share policies using OCI registries, Git, S3
    - Built-in debugging and testing tools
    Status: active, started 10 months ago
    GitHub stars: 828
    Rules: write your own
    Maintainers: @garethr, @jpreese, @blokje5, @boranx, @KeisukeYamashita, @xchapter7x, @proplex, ...

  30. Conftest
    Running tests against your configuration
    $ conftest test -i hcl2 main.tf
    FAIL - main.tf - ALB `my-alb-listener` is using HTTP rather than HTTPS
    FAIL - main.tf - ASG `my-rule` defines a fully open ingress
    FAIL - main.tf - Azure disk `source` is not encrypted

  31. What is Open Policy Agent?
    github.com/open-policy-agent/opa
    [Diagram: a service (request, event, etc.) sends a query (any JSON value) to OPA; OPA evaluates .rego policy against JSON data and returns a decision (any JSON value)]
    - An open source policy engine
    - Written in Go
    - WebAssembly support coming along
    - A CNCF project
    - Usable as a library and a service
    - A vibrant open source community
    - Provides a declarative DSL for writing policy called Rego

  32. Conftest
    Write assertions in Rego
    package main

    deny[msg] {
      proto := input.resource.aws_alb_listener[lb].protocol
      proto == "HTTP"
      msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])
    }

    deny[msg] {
      rule := input.resource.aws_security_group_rule[name]
      rule.type == "ingress"
      # Membership test over the list; Rego's contains() works on strings only
      rule.cidr_blocks[_] == "0.0.0.0/0"
      msg = sprintf("ASG `%v` defines a fully open ingress", [name])
    }

  33. Conftest
    Write unit tests for Rego in Rego
    # no_violations is a helper defined alongside these tests; it holds when deny is empty
    test_blank_input {
      no_violations with input as {}
    }

    # The inputs below were cut off in the transcript and are restored from the
    # azurerm_managed_disk block on slide 14
    test_correctly_encrypted_azure_disk {
      no_violations with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": true}}}}}
    }

    test_unencrypted_azure_disk {
      deny["Azure disk `sample` is not encrypted"] with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": false}}}}}
    }
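As an added example (not the deck's or the conftest project's own code), here is the complete policy and test file that slides 30, 32 and 33 together imply: the two printed deny rules, the Azure disk rule whose FAIL line appears on slide 30 but whose source the deck never shows, the `no_violations` helper the tests call, and a test that runs slide 14's HCL through all three rules. It assumes conftest's `-i hcl2` input presents each resource block as a nested object keyed by type and then name, which is how the deck's own rules index `input.resource`.

```rego
package main

# Assumption (not verified here): conftest's hcl2 input presents each resource
# block as a nested object keyed by type then name, as the deck's rules assume.
deny[msg] {
  proto := input.resource.aws_alb_listener[lb].protocol
  proto == "HTTP"
  msg := sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])
}

deny[msg] {
  rule := input.resource.aws_security_group_rule[name]
  rule.type == "ingress"
  # Membership test over the list; Rego's contains() works on strings only.
  rule.cidr_blocks[_] == "0.0.0.0/0"
  msg := sprintf("ASG `%v` defines a fully open ingress", [name])
}

# The rule behind the third FAIL on slide 30; the deck's printed policy omits it.
deny[msg] {
  disk := input.resource.azurerm_managed_disk[name]
  disk.encryption_settings.enabled == false
  msg := sprintf("Azure disk `%v` is not encrypted", [name])
}

# Test helper: holds only when no deny rule fires for the given input.
no_violations {
  count(deny) == 0
}

test_blank_input {
  no_violations with input as {}
}
test_correctly_encrypted_azure_disk {
  no_violations with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": true}}}}}
}
test_unencrypted_azure_disk {
  deny["Azure disk `sample` is not encrypted"] with input as {"resource": {"azurerm_managed_disk": {"sample": {"encryption_settings": {"enabled": false}}}}}
}

# Slide 14's insecure HCL in the object shape above: all three rules fire.
test_slide_14_input {
  count(deny) == 3 with input as {"resource": {
    "aws_security_group_rule": {"my-rule": {"type": "ingress", "cidr_blocks": ["0.0.0.0/0"]}},
    "aws_alb_listener": {"my-alb-listener": {"port": "80", "protocol": "HTTP"}},
    "azurerm_managed_disk": {"source": {"encryption_settings": {"enabled": false}}}}}
}
```

Run the tests with `conftest verify` (or `opa test`) against the directory holding this file, and the policy itself with `conftest test -i hcl2 main.tf` as on slide 30.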

  34. Conftest integrations
    Easy to run in common CI/CD systems

  35. Demo

  36. Conclusions
    If all you remember is...

  37. Cost/benefit
    Static analysis is cheap to run, but can result in false positives and false negatives

  38. Developer proximity
    The closer feedback is provided to the original author of the code, the cheaper it should be to address issues

  39. Terraform tooling
    Lots of new Terraform development tools emerging at the moment (not just for static analysis)

  40. Shift security left
    Automatically catching security issues during development means fewer issues in production, and more time to focus on finding and fixing them

  41. Thanks for listening
    Sign up for free at snyk.io/signup