Divine Odazie
6 min read · Aug 29 2022
Top 3 Security Risks Facing Infrastructure as Code and their Prevention
Before Infrastructure as Code (IaC) managing IT infrastructure was a daunting task. System administrators, operation teams, and developers had to manually configure and manage all hardware and software required for applications to run.
With IaC, developers can quickly provision servers with specific operating systems, run containers, Kubernetes clusters, and even integrate third-party services using machine-readable templates.
Through IaC, organizations can build scalable and resilient software faster, reducing cost and addressing inconsistencies between the development and production environments. But with all these benefits, as with every software process, security risks exist.
This article discusses the top 3 security risks facing Infrastructure as Code and measures DevOps teams can take to avoid attacks. The top 3 security risks are:
- Misconfigurations in IaC templates
- Infrastructure drift
- Ghost resources
Misconfigurations in IaC Templates
Misconfigurations in an IaC template (such as YAML files, Terraform, or Helm charts) can easily expose an organization's environment, leaving it vulnerable to attacks.
According to this report by Palo Alto Networks, nearly 200,000 insecure IaC templates are in use in production environments, and most of these vulnerabilities are due to misconfigurations. On top of that, more than 43% of cloud databases are currently unencrypted and only 60% of cloud storage services have logging enabled.
Now one might ask, how do these misconfigurations happen, and why are they at this scale? They are at this scale because as more people write open source boilerplate templates and blog posts, most forget to review them for conformance with IaC security best practices, and the mistakes are then copied wherever the templates are reused.
The image below, from this talk on Infrastructure-as-code Security, shows data on misconfigured open source Terraform modules.
Those misconfigured modules were downloaded 10 million times, as seen in the image below.
Although services provisioned with those misconfigurations aren’t necessarily exploitable, they still pose a huge risk.
How to Prevent IaC Template Misconfigurations
To prevent IaC template misconfigurations, DevOps teams must scan the templates themselves before they reach production. Scanning IaC templates for misconfigurations pre-production means introducing checks and remediation during the development phase, and it represents a fundamental step for a secure DevOps workflow.
To integrate this step into their DevOps workflow, organizations can use tools like Bridgecrew to track every change in their IaC, scan those changes, and automatically fix misconfigurations before they move to the production environment.
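The following is an added example of what such a pre-production check looks like in practice; it is not code from the article or from Bridgecrew. It reads a Terraform plan in JSON form (the shape produced by `terraform show -json`) and flags the two misconfigurations the report above quantifies: a database without encryption at rest and a storage bucket without access logging. The plan itself is constructed inline, and the check assumes the AWS provider's resource names (`aws_db_instance` with `storage_encrypted`, `aws_s3_bucket` paired with an `aws_s3_bucket_logging` resource); a real plan would usually carry the bucket reference as an unknown value until apply, so a production scanner resolves that through the plan's configuration section instead of matching literal names as done here.

```python
"""Policy checks over a Terraform plan in JSON form (terraform show -json).

Added example, not the article's or Bridgecrew's code. The plan below is
constructed for illustration; attribute names follow the AWS provider.
"""
import json

# Constructed sample plan: one unencrypted RDS instance, one encrypted one,
# and two buckets of which only "acme-audit" has a logging resource attached.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"identifier": "app-db", "storage_encrypted": False}},
        {"address": "aws_db_instance.reports", "type": "aws_db_instance",
         "values": {"identifier": "reports-db", "storage_encrypted": True}},
        {"address": "aws_s3_bucket.audit", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-audit"}},
        {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",
         "values": {"bucket": "acme-uploads"}},
        {"address": "aws_s3_bucket_logging.audit", "type": "aws_s3_bucket_logging",
         "values": {"bucket": "acme-audit", "target_bucket": "acme-logs"}},
    ]}}
})


def iter_resources(plan: dict):
    """Yield every planned resource in the root module and nested child modules."""
    stack = [plan["planned_values"]["root_module"]]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def check_plan(plan_json: str) -> list[dict]:
    """Return one finding per policy violation, sorted by resource address."""
    plan = json.loads(plan_json)
    resources = list(iter_resources(plan))
    findings = []

    # Policy 1: every RDS instance must have storage encryption enabled.
    for r in resources:
        if r["type"] == "aws_db_instance" and not r["values"].get("storage_encrypted"):
            findings.append({"address": r["address"], "policy": "rds-storage-encrypted",
                             "message": "database storage is not encrypted at rest"})

    # Policy 2: every S3 bucket must have an aws_s3_bucket_logging resource
    # pointing at it (assumption: the logging resource names the bucket literally).
    logged_buckets = {r["values"].get("bucket") for r in resources
                      if r["type"] == "aws_s3_bucket_logging"}
    for r in resources:
        if r["type"] == "aws_s3_bucket" and r["values"].get("bucket") not in logged_buckets:
            findings.append({"address": r["address"], "policy": "s3-access-logging",
                             "message": "bucket has no server access logging configured"})

    return sorted(findings, key=lambda f: f["address"])


if __name__ == "__main__":
    # In a pipeline, a non-empty finding list fails the build before apply.
    for f in check_plan(SAMPLE_PLAN):
        print(f"{f['address']}: [{f['policy']}] {f['message']}")
```

Wiring a check like this into CI, so it runs on every change to the templates and blocks the merge when findings are non-empty, is the mechanism the paragraph above describes; the policies are deliberately written as small, independent functions so new ones can be added as the organization's baseline grows.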
Infrastructure Drift
In IaC, drift is the difference between the values originally defined in a configuration and what is actually running in production. A drift can be introduced by external actors (humans or scripts) or by the IaC configuration's dependency on external data sources.
Drifts by External Actors
If an on-call SRE (site reliability engineer) logs on to the cloud environment and manually creates or modifies resources otherwise controlled by Terraform, they introduce a drift. Likewise, if an external script updates a Kubernetes cluster in a way that conflicts with its CloudFormation definition, that is a drift as well.
Drifts by External Data Sources
Any change to an external data source will show up as a drift too. For example, if a load balancer should only receive traffic from Amazon CloudFront, the DevOps team may restrict ingress to a predefined range of IP addresses. That range is dynamic, however, and the IaC tool queries it every time it runs, so whenever the published range changes, the next run reports a drift.
When either kind of drift occurs and goes unmanaged, it can lead to:
- Data breaches
- Application downtime
- Possible deployment failures
How to Mitigate Infrastructure Drift
In the above scenarios, the drift caused by external actors is an unwanted by-product of emergencies or broken processes. The drift caused by external data sources is both desired and inevitable. That said, it is clear that drift occurs and teams can’t entirely prevent it.
What teams can do is detect drifts as they happen and reconcile them. See how the following tools can help teams detect and reconcile drifts:
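As an added illustration of the detect-and-reconcile loop (not code from the article or from any of the tools it refers to), the example below compares the desired state an IaC tool resolved on its current run against the state observed in the cloud account, and classifies each difference as one of the two drift kinds described above. The desired state records which attributes were resolved from an external data source, such as the CloudFront IP-range lookup; a change in one of those is expected and the reconciliation is simply to apply, whereas any other difference means something outside the IaC tool touched the resource. Resource names, attributes and the observed values are all constructed for the example.

```python
"""Drift detection between desired (IaC) state and observed cloud state.

Added example, not from the article. Attributes flagged as coming from an
external data source are expected to move; everything else that differs is
attributed to an external actor.
"""
from dataclasses import dataclass, field


@dataclass
class Desired:
    """Desired attribute values for one resource, plus the names of the
    attributes whose values come from an external data source at apply time."""
    attrs: dict
    from_data_source: set = field(default_factory=set)


@dataclass
class Drift:
    resource: str
    attribute: str
    desired: object
    actual: object
    kind: str      # "external-actor" or "external-data-source"
    action: str    # recommended reconciliation


def detect_drift(desired: dict[str, Desired], observed: dict[str, dict]) -> list[Drift]:
    """Compare every desired attribute with its observed value and classify."""
    drifts = []
    for name, spec in desired.items():
        actual_attrs = observed.get(name)
        if actual_attrs is None:
            # The whole resource is gone: nothing but an external actor does that.
            drifts.append(Drift(name, "*", "present", "missing", "external-actor",
                                "resource deleted outside IaC; re-apply to recreate"))
            continue
        for attr, want in spec.attrs.items():
            have = actual_attrs.get(attr)
            if have == want:
                continue
            if attr in spec.from_data_source:
                drifts.append(Drift(name, attr, want, have, "external-data-source",
                                    "re-run plan/apply to pick up the new data-source value"))
            else:
                drifts.append(Drift(name, attr, want, have, "external-actor",
                                    "revert via apply, or codify the change in the template"))
    return drifts


# Constructed sample: the CloudFront range resolved on this run differs from
# what was applied last time, and an on-call engineer opened port 22 by hand.
DESIRED = {
    "aws_security_group.lb": Desired(
        attrs={"ingress_cidrs": ("203.0.113.0/24", "198.51.100.0/24"),
               "ingress_ports": (443,)},
        from_data_source={"ingress_cidrs"}),
    "aws_s3_bucket.audit": Desired(attrs={"versioning": True}),
}
OBSERVED = {
    "aws_security_group.lb": {"ingress_cidrs": ("203.0.113.0/24",),
                              "ingress_ports": (443, 22)},
    "aws_s3_bucket.audit": {"versioning": False},
}


def summarize(drifts: list[Drift]) -> dict[str, int]:
    """Count drifts per kind, the number a monitoring dashboard would chart."""
    counts = {}
    for d in drifts:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for d in detect_drift(DESIRED, OBSERVED):
        print(f"{d.resource}.{d.attribute}: {d.desired!r} -> {d.actual!r} "
              f"[{d.kind}] {d.action}")
```

Run on a schedule (or after every apply), the two counts returned by `summarize` give a team the signal the section above asks for: a rising external-actor count points at broken processes or an emergency change that was never written back into the templates, while external-data-source drift is the normal case that a routine apply resolves.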
Ghost Resources
Tagging cloud assets during development is critical to ensure compliance and governance in IaC. Failing to tag assets during IaC operations can result in "ghost" resources. These untagged assets are hard to detect and difficult for developers to observe, because they are not covered by the same monitoring as the rest of the system.
Ghost assets can go undetected for long periods while consuming resources and creating potential attack vectors for an organization's infrastructure. Beyond the security implications, ghost resources make it very challenging to assess their effect on cost, maintenance, and reliability.
How to Prevent Ghost Resources
The only way to mitigate ghost resources is by careful tagging and monitoring for untagged resources.
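Below is an added example (not from the article) of the monitoring half of that advice: it joins a listing of what the cloud account actually contains with the set of resource ids the IaC tool's state knows about, and reports three groups, ghost resources (unknown to IaC and missing required tags), unmanaged-but-tagged resources that deserve a look, and IaC-managed resources whose tags have slipped. The inventory, the required tag set and the managed ids are constructed; in practice the inventory comes from the provider's resource-listing API and the managed ids from the IaC state file.

```python
"""Finding "ghost" resources: cloud assets that are untagged and unknown to IaC.

Added example, not from the article. INVENTORY and MANAGED_IDS are constructed
stand-ins for a cloud resource listing and the ids held in IaC state.
"""

REQUIRED_TAGS = ("owner", "service", "managed-by")

# Constructed inventory: what the cloud account actually contains.
INVENTORY = [
    {"id": "i-0a1", "type": "ec2_instance",
     "tags": {"owner": "payments", "service": "checkout", "managed-by": "terraform"}},
    {"id": "i-0b2", "type": "ec2_instance", "tags": {"Name": "debug-box"}},
    {"id": "vol-0c3", "type": "ebs_volume", "tags": {}},
    {"id": "sg-0d4", "type": "security_group",
     "tags": {"owner": "payments", "service": "checkout", "managed-by": "terraform"}},
    {"id": "db-0e5", "type": "rds_instance", "tags": {"owner": "payments"}},
    {"id": "lb-0f6", "type": "load_balancer",
     "tags": {"owner": "platform", "service": "edge", "managed-by": "console"}},
]

# Constructed: resource ids present in the IaC tool's state.
MANAGED_IDS = {"i-0a1", "sg-0d4", "db-0e5"}


def missing_tags(resource: dict, required=REQUIRED_TAGS) -> list[str]:
    """Required tag keys absent from the resource, in policy order."""
    tags = resource.get("tags") or {}
    return [t for t in required if t not in tags]


def find_ghosts(inventory: list[dict], managed_ids: set, required=REQUIRED_TAGS) -> dict:
    """Split the inventory into ghosts, unmanaged-but-tagged, and managed-with-missing-tags."""
    report = {"ghosts": [], "unmanaged_tagged": [], "managed_missing_tags": []}
    for r in inventory:
        missing = missing_tags(r, required)
        entry = {"id": r["id"], "type": r["type"], "missing_tags": missing}
        if r["id"] not in managed_ids:
            # Not in IaC state: a ghost if it also lacks the tags that would
            # tie it to an owner; otherwise still worth reviewing.
            (report["ghosts"] if missing else report["unmanaged_tagged"]).append(entry)
        elif missing:
            # Known to IaC but drifting from the tagging policy.
            report["managed_missing_tags"].append(entry)
    return report


if __name__ == "__main__":
    for group, entries in find_ghosts(INVENTORY, MANAGED_IDS).items():
        for e in entries:
            print(f"{group}: {e['type']} {e['id']} missing={e['missing_tags']}")
```

The "ghosts" group is what the section above is about: resources nobody can attribute to an owner or a template, which is why they escape both monitoring and cost review. Running this comparison periodically, and treating a non-empty ghost list as an alert, turns "careful tagging" from a convention into something that is actually checked.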
Conclusion
This article explained the top 3 security risks facing Infrastructure as Code and measures DevOps teams can take to avoid attacks.
To learn more about other security risks facing IaC, check out the following resources:
- Securing Infrastructure as Code
- DevOps Security best practices
- 8 Infrastructure as Code Best Practices for Security
About the author
Consistency is key. That's what Divine believes in, and he says he benefits from that fact, which is why he tries to be consistent in whatever he does. Divine is currently a Developer Advocate and Technical Writer who spends his days building, writing, and contributing to open-source software.