Infrastructure as Code Security and Best Practices | A Quick Guide

Introduction to Infrastructure as Code and Security

With the rapid adoption of DevOps by organizations worldwide, IaC has become a critical DevOps practice that has strengthened the software development methodology. Amidst the growing concerns over information security and data privacy, DevSecOps has gained popularity and Infrastructure as Code Security has been accepted as one of the most essential considerations in DevSecOps environment.

Its goal is to ensure that security best practices and compliance requirements are built into the IaC template files. These best practices and compliance requirements cover various aspects of information security such as data encryption, network segmentation, access control requirements, log collection and retention, and several others.

The consequences of ignoring its security can be severe and can lead to exposure of sensitive data to unauthorised users, data leakage, unauthorised access to business critical assets and resources, and increased attack surface. This can be evidenced from the Cloud Threat Report byPalo Alto Networks Unit 42 report

It is a crucial pillar that aligns DevOps, Security, and Compliance for Infrastructure Management processes. It enables the organizations to Shift Left security in the development pipeline, including infrastructure security management. The IaC templates that are used for building any infrastructure can be tested for security and compliance checks before being deployed. When this practice is integrated into CI/CD pipeline and versioning is enabled, it helps the organization to enhance the security posture and maintain security and compliance over time while making constant changes as per their business requirements. Therefore security risks, non-compliance, policy violations, and misconfigurations can be prevented before runtime and in production environments. It also helps to decrease security posture drifts.

What are the best practices of IaC security?

Here is a list of Best practices to follow for the Implementation of Security in Infrastructure as Code in an Enterprise

IaC Templates

The developers of IaC templates may use insecure default configurations and/or components with known vulnerabilities in the template/script that could pose a threat to the entire environment. Other sources of vulnerabilities may include operating systems or container images from unknown sources. 

Secrets

Secrets Management is one of the leading security risks involved with it. This issue's root cause is not the secret but how the developers store and manage these secrets. In most the cases, it has been observed that secrets are hard-coded, left in plain-text, or base63 encoded. These secrets involve authentication keys, passwords, access keys, SSH secrets, and access tokens. In a few cases, it has been witnessed that these secrets are even pushed to git public repos.

The Communication Channels

Most of the Infrastructure as Code configuration management tools use master-node architecture where the master is the controller and contains all specifications and configuration files. Security risks are significantly involved if the master is not secured. The communication between master and other nodes is not encrypted and layered security mechanisms have not been implemented from scratch.

User Access Management

When implementing it, you don't require root privileges. Security issues arise when Role-Based Access Controls (RBAC) and principles of least rights are not appropriately implemented. Credential sharing is also one of the significant issues that impacts user access management. 

Drifts in Configuration

Sometimes, there arises certain situations where configurations need to be changed directly in the production environment. In such cases, there is a reasonably positive chance that security risks are introduced into the environment as a result of resulting drifts in configuration from the defined security posture.

Ghost Resources

Untagged assets and assets that are not correctly tagged can result in the creation of ghost resources which make it challenging to monitor and track resources. If compromised, these resources may take very long to be detected and can be potentially dangerous in some cases.

Risks related to Data Transmissions

Securing data in transmit is equally important as securing data in rest. SSL certificates when not configured properly can significantly raise the security risks. Another major security risk associated with it is insecure VPN connections and configurations.

Audit Logs

Using Infrastructure as Code for deployment poses a major security threat if logging and monitoring components are not deployed to keep an eye on the security risks.

How to implement infrastructure as code security in it?

When considering Infrastructure as Code Security, IaC templates are given the highest priority and organizations mainly focus on the misconfigurations and policy violations in the template. Still, several other factors are involved in its security. One of the most important factors that organizations must consider is the least privilege principle. It plays a significant role in limiting damages from poorly configured resources or maliciously modified templates/scripts. The least privileges can be applied to IaC at three different levels.

1. Define who is authorized to run the scripts/templates.
2. Limit the permission to authorized users based on need to know and perform their task basis.
3. Implement checks and policies to ensure that created resources have the least required privileges to properly carry out the workload and compliant configurations. 

Security Policies and Configuration Checks must be developed and implemented

• Check for network exposures in IaC templates. Insecure IaC templates can expand the attack surface and pave ways for critical attack vectors. Security Groups, open ports, publicly accessible services and internet wide accessible storage databases are some of the critical things that must be checked.
• Check for vulnerabilities in container images referred to in the IaC template and disallow images from untrusted registries.
• Check for the use of privileged accounts and other snippets that could lead to privilege escalation.
• Check for immutability of infrastructure. Every change must be provisioned through the security pipeline and no configuration changes should be directly made. 
• Check for tags and labels. Untagged or unlabelled resources must not be deployed.
• Check for compliance violations. The policy checks and configuration checks should be in accordance with various compliance standards such as ISO 27001, GDPR, SOC2, PCI DSS, HIPAA, etc.
• Check for data security and data storage configurations. Data encryption is only one aspect of data security. Other misconfigurations in storage services and storage clusters can lead to data exposure.
• Check for hard-coded secrets and plain-text passwords in IaC templates.
• Check that logging and monitoring components are enabled across the environment.
• Check that components from untrusted and unverified sources are not being used. Follow whitelisting approach instead of blacklisting.