Conference:  Global AppSec San Francisco 2022

Authors: Aakash Shah

2022-11-18

Infrastructure-as-code adoption continues to grow as more organizations seek to automate deployments and better manage the complexity of their cloud applications. Increasingly, development teams are taking ownership of IaC for their application as the boundaries between the application and infrastructure layers continue to blur in the Cloud. Terraform (more accurately - Hashicrop Configuration Language (HCL)) is one of the most widely used infrastructure-as-code (IaC) languages at the forefront of this transformation with over 100M open-source downloads.There are a lot of public Terraform projects available to developers to quickly learn and build from. Terraform also offers modules - an abstraction that allows infrastructure developers to write modular and clean code, allowing them to accelerate development and better maintain this code. And there are many community-driven open-source Terraform modules available for developers to reference in their Terraform code to quickly design & deliver changes to infrastructure.As of today, there are over 90k public repositories on GitHub with Terraform (HCL) code and over 15k open-source terraform modules. As an infrastructure developer if you utilize a community Terraform module or build from an existing example, how can you be assured that your infrastructure design will meet your security needs? What steps do you need to take to ensure that your cloud-native deployment is both secure & compliant?We used automation to assess public Terraform repositories and modules across Github to identify the most common security gaps against industry best practices. We selected best practices based on Cloud Service Provider reference architectures, Cloud Security Alliance, CIS benchmarks and OWASP. To limit the scope, we focused on Terraform for AWS and Azure resources. In this talk, we will share results of this assessment and provide lessons learned. Since this is OWASP, we’ll present the top 10 classes of security issues we found. We will then discuss security best practices for using community Terraform modules and building your cloud architectures from public Terraform repositories.