In our State of Open Source Terraform Security Report, we analyze the public Terraform Registry which contains thousands of open source modules used to provision cloud resources. Leveraging our open-source static analysis tool Checkov, we scanned the Registry to gauge compliance of modules across categories and cloud providers.
Read the full report here to dig into some of our top findings:
- Nearly 1 in 2 modules used to build resources for AWS, Azure, and Google Cloud is misconfigured.
- Misconfigured modules have been downloaded over 15 million times since 2017.
- Q2 2020 had the highest quarter-over-quarter module growth and an increase in misconfigurations.
Infrastructure-as-code security is one of—if not the—biggest cloud security challenges facing cloud-native teams today. Traditional security posture management solutions lack visibility into the code that provisions cloud resources, so developers end up relying on governance applied to resources only after they reach production. The resulting misalignment between how infrastructure is defined and how it is secured is a huge challenge that we’ve seen all too often in the last year.
To help shed light on this challenge, address its risks, and provide suggestions on how to overcome it, we’re thrilled to publish this security research report.
Overall compliance of the Terraform Registry
As the biggest consolidated resource for open-source IaC modules, the Terraform Registry represents a big portion of the overall infrastructure-as-code ecosystem. That’s why we started here—to see how the community prioritizes security and gauge the general state of infrastructure-as-code security.
One of the key messages in this report is that there’s a lot of room for improvement when it comes to defining security controls within individual IaC resources.
We also break the modules down by popularity to get a more contextual sense of how misconfigurations make their way into real applications. The Registry is a widely used resource—its modules have been downloaded over 26M times—which means misconfigurations in popular modules can have a huge impact.
Compliance across cloud providers
Compliance best practices and configuration settings differ across AWS, Azure, and Google Cloud. To narrow down the misconfigured categories within each cloud provider, we look at both the most prevalent check categories across providers and the most frequently failing checks in each.
Going a step further, we also identify trends within specific categories and provide analysis on why some misconfigurations are common, and how to prevent them.
At Bridgecrew, we believe that defining cloud security controls as early as possible is best practice. Not only is it the best way to prevent risk in the first place, but it’s also the most cost-effective approach to securing cloud infrastructure at scale. We hope that with this data in hand, teams will be better equipped to understand their current IaC security posture and to fill existing IaC security gaps.