Shifting Terraform security left

How do you know if the HCL you're writing will result in secure infrastructure? How can you write tests to catch common problems? One of the advantages of infrastructure as code is that we can reason about the code before we run it. In this talk we'll look at the area of configuration security, discuss some of the issues around static analysis of Terraform and look at some open source tools that can help with testing your Terraform code.

Gareth Rushgrove

February 20, 2020

Transcript

  1. Shifting Terraform security left Gareth Rushgrove

  2. Gareth Rushgrove: Director, Product Management, Snyk; Devops Weekly curator; open source contributor; @garethr
  3. Agenda: 01 Cloud security; 02 Static analysis; 03 Example Terraform tools; 04 Demos; 05 Conclusions
  4. Cloud security Standards, benchmarks and best practices

  5. "The financial giant said the intruder exploited a configuration vulnerability." Configuration is a security risk.
  6. "Some kind of misconfiguration is encountered on a penetration test over 96% of the time." Configuration is a security risk.
  7. "While CSPs often provide tools to help manage cloud configuration, misconfiguration of cloud resources remains the most prevalent cloud vulnerability." Configuration is a security risk.
  8. Center for Internet Security Benchmarks

  9. CIS Benchmarks Azure and AWS

  10. Static analysis What and why

  11. Static analysis: static program analysis is the analysis of computer software that is performed without actually executing programs.
  12. A typical testing progression: acceptance tests, unit tests, integration tests, static analysis.
  13. The importance of fast feedback. The same progression labelled by speed of feedback: static analysis is fast, unit tests middling, integration tests slow, acceptance tests slower.
  14. Insecure Terraform: can you spot issues in the following code?

    resource "aws_security_group_rule" "my-rule" {
      type        = "ingress"
      cidr_blocks = ["0.0.0.0/0"]
    }

    resource "aws_alb_listener" "my-alb-listener" {
      port     = "80"
      protocol = "HTTP"
    }

    resource "aws_db_security_group" "my-group" {
    }

    resource "azurerm_managed_disk" "source" {
      encryption_settings {
        enabled = false
      }
    }

  15. Insecure Terraform (same code): aws_security_group_rule "my-rule" is a wide open ingress rule, accepting traffic from 0.0.0.0/0.
  16. Insecure Terraform (same code): aws_alb_listener "my-alb-listener" uses an unencrypted transport protocol, plain HTTP on port 80.
  17. Insecure Terraform (same code): azurerm_managed_disk "source" is unencrypted storage, with encryption_settings enabled = false.
  18. Example Terraform tools Things to try out

  19. Terrascan github.com/cesar-rodriguez/terrascan

  20. Terrascan project overview: a collection of security and best practice tests for static code analysis of terraform templates using terraform_validate. Active, started 4 months ago; 333; Python; 35 rules, mainly for AWS; @cesar-rodriguez. Sample output (truncated at the slide edge):

    Ran 16 tests in 0.015s
    OK
    Processed 19 files in C:\DEV\terraforms\backends\10-network-analytics
    Results (took 1.08 seconds):
    Failures: (2)
    [high] [aws_dynamodb_table.encryption.server_side_encryption.ena
    [high] [aws_s3_bucket.noEncryption] should have property: 'server
    Errors: (0)
  21. Terrafirma github.com/wayfair/terrafirma

  22. Terrafirma project overview: Terrafirma is a Terraform static analysis tool designed for detecting security misconfigurations. Inactive, created 2 years ago; 17; Python; 14 rules, mainly for GCP. Sample output:

    --- ISSUE FW_1 - Source range open to Internet - SEVERITY WARN - RESOURCE example_fw_rule.google_compute_firewall
    --- ISSUE FW_2 - SSH Open - SEVERITY INFO - RESOURCE example_fw_rule.google_compute_firewall
  23. Checkov github.com/bridgecrewio/checkov

  24. Checkov project overview: Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure managed in Terraform and detects misconfigurations. Active, created 3 months ago; 511; Python; 50 rules, for AWS, Azure and GCP; @schosterbarak, @tronxd, @guyeisenkot, @nimrodkor. Sample output:

    Passed checks: 4, Failed checks: 0, Skipped checks: 0
    Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
      PASSED for resource: aws_s3_bucket.foo-bucket
      File: /example.tf:1-25
    Check: "Ensure the S3 bucket has access logging enabled"
      PASSED for resource: aws_s3_bucket.foo-bucket
      File: /example.tf:1-25
  25. tfsec github.com/liamg/tfsec

  26. tfsec project overview: tfsec uses static analysis of your terraform templates to spot potential security issues.
    - Checks for sensitive data inclusion across all providers
    - Checks for violations of AWS, Azure and GCP security best practice recommendations
    - Scans modules (currently only local modules are supported)
    - Evaluates expressions as well as literal values
    Active, started 4 months ago; 927; 35 rules, mainly for AWS; @liamg.
  27. tfsec: detect common configuration issues. Sample output (truncated at the slide edge):

    $ tfsec
    5 potential problems detected:

    Problem 1

      [AWS018][ERROR] Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.
      /Users/garethr/Documents/terraform-security/main.tf:1-4

          1 | resource "aws_security_group_rule" "my-rule" {
          2 |   type = "ingress"
          3 |   cidr_blocks = ["0.0.0.0/0"]
          4 | }
          5 |
          6 | resource "aws_alb_listener" "my-alb-listener"{
          7 |   port = "80"

      See https://github.com/liamg/tfsec/wiki/AWS018 for more information.

    Problem 2

      [AWS006][WARNING] Resource 'aws_security_group_rule.my-rule' defines a fully open ingress security group rule.
      /Users/garethr/Documents/terraform-security/main.tf:3
  28. Conftest github.com/instrumenta/conftest

  29. Conftest project overview: write tests against structured configuration data using the Open Policy Agent Rego query language.
    - Currently supports YAML, JSON, INI, TOML, HOCON, HCL, CUE, Dockerfile, HCL2, EDN, VCL and XML
    - Share policies using OCI registries, Git, S3
    - Built-in debugging and testing tools
    Active, started 10 months ago; 828; write your own rules; @garethr, @jpreese, @blokje5, @boranx, @KeisukeYamashita, @xchapter7x, @proplex, ...
  30. Conftest: running tests against your configuration.

    $ conftest test -i hcl2 main.tf
    FAIL - main.tf - ALB `my-alb-listener` is using HTTP rather than HTTPS
    FAIL - main.tf - ASG `my-rule` defines a fully open ingress
    FAIL - main.tf - Azure disk `source` is not encrypted
  31. What is Open Policy Agent? github.com/open-policy-agent/opa. (Slide diagram: a Service sends a Query (any JSON value) to OPA, which evaluates Policy (Rego, .rego files) against Data (JSON) for a Request, Event, etc., and returns a Decision (any JSON value).)
    - An open source policy engine
    - Written in Go
    - WebAssembly support coming along
    - A CNCF project
    - Usable as a library and a service
    - A vibrant open source community
    - Provides a declarative DSL for writing policy called Rego
  32. Conftest: write assertions in Rego.

    package main

    deny[msg] {
      proto := input.resource.aws_alb_listener[lb].protocol
      proto == "HTTP"
      msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [lb])
    }

    deny[msg] {
      rule := input.resource.aws_security_group_rule[name]
      rule.type == "ingress"
      # contains() is a string built-in in Rego and is undefined on a list,
      # so test list membership by iterating cidr_blocks instead
      rule.cidr_blocks[_] == "0.0.0.0/0"
      msg = sprintf("ASG `%v` defines a fully open ingress", [name])
    }
  33. Conftest: write unit tests for Rego in Rego (the slide text is cut off at the right edge).

    test_blank_input {
      no_violations with input as {}
    }

    test_correctly_encrypted_azure_disk {
      no_violations with input as {"resource": { "azurerm_managed_disk": { "sample": { "enc
    }

    test_unencrypted_azure_disk {
      deny["Azure disk `sample` is not encrypted"] with input as {"resource": { "azurerm_ma
    }
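A complete version of the policy sketched on slides 32 and 33, added here as an example and not taken from the talk or from the conftest repository. It covers the three findings from slides 15 to 17 (plaintext ALB listener, Internet-wide ingress rule, unencrypted Azure disk), defines the `no_violations` helper that the slide's tests rely on but do not show, and pairs each insecure input with a fixed counterpart so the tests also record the remediation. It assumes the input shape the slides show, where conftest's HCL2 parser exposes resources as `input.resource.<type>.<name>`; whether a nested block such as `encryption_settings` arrives as an object or as a list depends on the conftest version, so confirm the shape with `conftest parse main.tf` before trusting a rule. File names and the JSON inputs in the tests are constructed for the example.

```rego
# policy/terraform.rego  (assumed file name)
package main

# Plaintext listener: HTTP instead of HTTPS.
deny[msg] {
  proto := input.resource.aws_alb_listener[name].protocol
  proto == "HTTP"
  msg := sprintf("ALB `%v` is using HTTP rather than HTTPS", [name])
}

# Ingress rule reachable from the whole Internet.
# Rego's contains() only works on strings, so iterate the list instead.
deny[msg] {
  rule := input.resource.aws_security_group_rule[name]
  rule.type == "ingress"
  rule.cidr_blocks[_] == "0.0.0.0/0"
  msg := sprintf("SG rule `%v` defines a fully open ingress", [name])
}

# Azure managed disk with encryption explicitly disabled.
deny[msg] {
  disk := input.resource.azurerm_managed_disk[name]
  disk_unencrypted(disk)
  msg := sprintf("Azure disk `%v` is not encrypted", [name])
}

# Nested blocks may be parsed as a single object or as a list of objects
# depending on the parser version (assumption); accept both shapes.
disk_unencrypted(disk) {
  disk.encryption_settings.enabled == false
}

disk_unencrypted(disk) {
  disk.encryption_settings[_].enabled == false
}

# Helper used by the tests: the deny set is empty for this input.
no_violations {
  count(deny) == 0
}

# policy/terraform_test.rego  (assumed file name; all inputs are constructed)
package main

test_blank_input {
  no_violations with input as {}
}

test_http_listener_denied {
  deny["ALB `my-alb-listener` is using HTTP rather than HTTPS"] with input as {
    "resource": {"aws_alb_listener": {"my-alb-listener": {"port": "80", "protocol": "HTTP"}}}
  }
}

test_https_listener_allowed {
  no_violations with input as {
    "resource": {"aws_alb_listener": {"my-alb-listener": {"port": "443", "protocol": "HTTPS"}}}
  }
}

test_open_ingress_denied {
  deny["SG rule `my-rule` defines a fully open ingress"] with input as {
    "resource": {"aws_security_group_rule": {"my-rule": {"type": "ingress", "cidr_blocks": ["0.0.0.0/0"]}}}
  }
}

test_scoped_ingress_allowed {
  no_violations with input as {
    "resource": {"aws_security_group_rule": {"my-rule": {"type": "ingress", "cidr_blocks": ["10.0.0.0/8"]}}}
  }
}

test_unencrypted_azure_disk_denied {
  deny["Azure disk `source` is not encrypted"] with input as {
    "resource": {"azurerm_managed_disk": {"source": {"encryption_settings": {"enabled": false}}}}
  }
}

test_encrypted_azure_disk_allowed {
  no_violations with input as {
    "resource": {"azurerm_managed_disk": {"source": {"encryption_settings": {"enabled": true}}}}
  }
}
```

Run the unit tests with `conftest verify -p policy` and the policy itself with `conftest test -p policy main.tf`. Note the limit of this kind of check, which is the false negative slide 37 warns about: the rules match literal values only, so `cidr_blocks = var.allowed_cidrs` arrives as an unresolved expression rather than a list and is never flagged, even when the variable's default is `["0.0.0.0/0"]`. Evaluating expressions as well as literals, as tfsec advertises on slide 26, is what closes that gap.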
  34. Conftest integrations Easy to run in common CI/CD systems

  35. Demo

  36. Conclusions If all you remember is...

  37. Cost/benefit: static analysis is cheap to run, but can result in false positives and false negatives.
  38. Developer proximity: the closer feedback is provided to the original author of the code, the cheaper it should be to address issues.
  39. Terraform tooling: lots of new Terraform development tools are emerging at the moment (not just for static analysis).
  40. Shift security left: automatically catching security issues during development means fewer issues in production, and more time to focus on finding and fixing them.
  41. Thanks for listening Sign up for free at snyk.io/signup