Infrastructure as code (IaC), an essential component of contemporary software, enables developers to spin up software infrastructure while offering systems the ability to grow in a flexible and on-demand manner. Tools that make these configurations based on a programmatic method fall under the category of IaC, including:
- AWS CloudFormation
- Azure Resource Manager
- Helm Charts
- Progress Chef
- Red Hat Ansible
IaC has altered the process of deploying environments for online services and applications. Rather than managing physical system configurations, developers can instead use scripts written in code to spin up infrastructures.
While this simplicity raises concerns about dependability and security, with the latter being more significant, it’s vital to recognise and address the top five challenges of IaC.
1. IaC template configuration and image vulnerabilities
Developers include base images in IaC templates to provision infrastructure. These models become prone to security flaws when developers fail to use base images from trusted registries. This increases the likelihood of adding vulnerabilities to a project, ostensibly growing the cost of remediation. In addition, container images add to these challenges, making it difficult to differentiate between application and infrastructure.
Security teams often hardcode sensitive information via secret keys, access codes, and IP addresses in IaC templates. Data should instead be stored in services that provide the required information upon creating the infrastructure plan, including AWS Secrets Manager and Microsoft Azure Key Vault.
When initiating an IaC plan, developers using Terraform generate state files should store these in a remote state location, such as Amazon S3 with proper permissions, instead of pushing to version control.
Before using an IaC template, catch syntax errors by validating it with the current infrastructure deployment or an infrastructure tool, while performing sanity and security checks after the deployment. Developers can mitigate this risk by:
- Performing a vulnerability assessment of the images listed in IaC files
- Detecting vulnerabilities early in the development life cycle
- Running IaC scans on IaC configuration files for known vulnerabilities
- Avoid hardcoding sensitive information in IaC templates and version control software
2. Configuration drift
When active in the IaC environment, configuration drift often introduces security risks. This includes:
- Human input
- Poor configuration
- Applications undergoing unintended changes
- Entering manual edits into a cloud terminal while treating these as code
While developers can scan for the environment using automated tools, when configuration changes are made directly in the production environment, the immutability of cloud infrastructure is broken. As bypassing pre-deployment testing increases the risk of human error, teams should avoid manually editing infrastructure after deployment while updating or remediating any infrastructure through code.
Mitigating configuration drift relies on maintaining the immutability of the infrastructure. This can be achieved by recognising configuration drifts between your environments, in addition to:
- Increasing the cloud resource coverage of your coded infrastructure across cloud environments
- Using a security tool to scan IaC scripts during development
- Constructing pipelines to quickly identify misconfigurations
- Using IaC tools to identify infrastructure synchronisation
- Using an open-source drift detection tool to identify drift issues in production
- Building recurring jobs to alert developers to configuration changes
- Regularly updating configurations in the environment
3. Access management and failure to enforce the principle of least privilege
Although developers often require privileged access to specific systems, this creates a risk of unnecessary entry into mission-critical systems. The most common hazard stems from cloud administrators providing users with extensive permissions when they only require a subset of those permissions to complete tasks.
The concept of “least privilege” refers to granting restricting user or developer accounts permission to only the data required for their jobs, or continuously evaluating levels of access across accounts and “trimming” unnecessary privileges. Implementing the principle of least privilege (PoLP) limits developers and users from accessing sensitive data or materials, reducing the chance of introducing security risks into IaC.
Cloud administrators generally enforce access management using IAM (identity access management). This assists companies in implementing the concept of “least privilege” while ensuring that developers and users only use the required services to complete their tasks.
It is also recommended to secure sensitive data by using storage options like, Azure Key Vault, that can classify data as “sensitive” at the point of creation. And as time goes on, it’s good practice to remove redundant data from codebases.
Because threat actors often target inactive accounts, it is important to regularly identify and delete all inactive accounts when implementing the PoLP.
4. Secrets management
Credentials are a recurring need when creating and managing infrastructures, enabling services to communicate adeptly. It’s important for these to share the authentication and permissions granted in the service context.
As a service attempting to connect to another service (an application trying to connect to a database, for example), the connection is authenticated and read access is granted. These services often contain sensitive information such as:
- SSH keys
- API tokens
- Database user IDs and passwords
- Access and secret keys
- RSA key pairs
- Encryption keys
As it’s important to keep these infrastructure secrets in a secure place, IaC necessitates a robust secret management protocol. This ensures sensitive data is protected and threat actors cannot compromise secrets.
While this can be managed by employing a clearly defined central policy—helping you identify and determine which privileges your processes or applications requires—other solutions include:
- Failing to hardcode secrets into scripts
- Restricting the visibility of secrets to the applications that own them
- Transmitting secrets through encrypted channels such as TLS 2.0 or HTTPS
5. Ghost resources
Failing to tag assets during IaC operations can result in “ghost” resources. These untagged assets are challenging to detect and visualise and is difficult for developers to observe within the cloud. In addition, the observability of these resources may not be equivalent to the rest of the system. They consume resources, create potential attack vectors, and affect posture—potentially causing a drift.
These "ghost" resources can increase billing, make maintenance difficult, and reduce reliability. In addition, these untagged resources can as gateways to security breaches since they represent a risky attack surface. It is imperative to tag and monitor untagged resources to mitigate these risks.
With the competence of IaC comes the obligation to manage security concerns. Failing to follow best practices introduces security risks to infrastructures. Insecure IaC creates cloud environments that could result in compliance violations and cloud data breaches.
When setting up your company's infrastructure using IaC, following these key practices can shrink your digital attack surface and mitigate cyber risk across your organisation:
- Limit the number of people with administrative access using IAM
- Use VPN and SSL encryption to secure data communications
- Automatically update pipelines whenever you make new changes
- Analyze new commits for cloud deployment modifications
- Integrate regular security checks into IaC development workflows