Last week we joined HashiCorp to talk about infrastructure as code (IaC) and Terraform security best practices. Presented by Bridgecrew co-founder and VP of Product, Guy Eisenkot, and HashiCorp Senior Developer Advocate, Kerim Satirli, this webinar also covered developer security best practices and common IaC security mistakes.
Watch the 40-minute webinar recording below or keep reading for a quick recap. You can also check out the slides here.
Introduction
Our goal at Bridgecrew is to bridge the gap between infrastructure that gets planned and programmed in IaC and the resources running in public clouds by creating a unified model for securing infrastructure wherever it is.
Bridgecrew is an infrastructure security platform that connects throughout the cloud infrastructure ecosystem, with a significant focus on Terraform.
Terraform, the IaC framework by HashiCorp, empowers operators and developers to deploy cloud resources in a predictable way by codifying infrastructure. Because it translates different environments and cloud providers into a unified language, it fosters incredible scale, reproducibility, and consistency when committing or rolling back infrastructure changes.
Learn the basic anatomy of a Terraform resource, plan, and apply.
As many companies accelerate their digital transformations, Terraform Cloud makes complex infrastructure workflows simple. It provides teams with a collaborative workflow to review and iterate on infrastructure and has full API support for in-depth integrations with VCS, GitOps, and CI/CD.
Infrastructure as code security best practices
For fast-moving development companies and cloud-native environments, IaC helps make sense of the changes and evolution of infrastructure. It also provides an opportunity to apply code and cloud security practices throughout the development lifecycle, from code and commit to build and deploy through to operation.
IaC gives us so many opportunities to turn manual, one-off tasks into automated and codified practices.
After analyzing over 20K open-source Terraform modules in GitHub, we found that almost one in two failed to comply with a security best practice benchmark. Although it’s not surprising that these building blocks have been created and shared with functionality in mind, we as developers need to be aware of the risks and opportunities associated with IaC. It’s easy for security to become an afterthought, and there’s so much to lose when infrastructure is misconfigured.
IaC has a huge impact on the overall posture of your environment, and it’s important to model IaC as a core focal point for your cloud security going forward.
The best way to do that is to apply automation and policy as code to analyze and implement consistent infrastructure in your development lifecycle. IaC security provides a huge opportunity for development teams that want to adopt a stricter benchmark as a part of every code review. This approach to IaC security also fosters collaboration by allowing everybody to be involved in governance.
Automated IaC security is essential because it’s incredibly easy to miss misconfigurations hiding in plain sight. Without automation, misconfigurations are difficult and time-consuming to detect.
Tooling that addresses both IaC security and cloud security lets teams find and fix security issues as soon as they appear. Powered by automation, Bridgecrew delivers IaC misconfiguration fixes as code in pull requests and remediates runtime cloud security issues with serverless functions.
Watch the demo starting at 30:57 to see Bridgecrew in action using GitHub and GitHub Actions to find and fix Terraform misconfigurations. Jump to specific solutions using the navigation links below:
- Opening a pull request that deploys a cloud resource
- Reviewing the run log in Terraform Cloud
- Reviewing the GitHub Actions log to see identified misconfigurations such as missing encryption
- Jumping into Bridgecrew to see how to connect your infrastructure code and cloud providers
- Monitoring violations over time with the cloud security posture dashboard
- Reviewing policies, filtering by category, severity, or account
- Digging into the policy that requires access logging on S3 buckets
- Remediating issues with a fix pull request
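The two findings the demo walks through (a bucket with no encryption, a bucket with no access logging) and the fix pull request are exactly what policy as code automates. The script below is an added example written for this recap; it is not code from Bridgecrew, HashiCorp, or the webinar. It parses a small subset of HCL, evaluates two S3 policies against a constructed sample module, and produces the remediation by inserting the missing blocks before the resource's closing brace. It assumes AWS provider v3-style inline `server_side_encryption_configuration` and `logging` blocks (provider v4 and later split these into separate resources), and the check IDs, the `example-access-logs` target bucket, and the `aws:kms` default are illustrative choices, not Bridgecrew's policy IDs or defaults.

```python
"""Toy policy-as-code scanner for Terraform S3 buckets (added example, not
Bridgecrew/HashiCorp code). Handles only the HCL subset used in the sample:
top-level resource blocks, one attribute per line, and nested blocks."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
NAME_RE = re.compile(r'^\s*([A-Za-z_]\w*)')


@dataclass
class Resource:
    type: str
    name: str
    end: int                                   # line index of the closing brace
    attrs: dict = field(default_factory=dict)  # top-level key = value pairs
    blocks: set = field(default_factory=set)   # names of nested blocks, any depth

    @property
    def address(self) -> str:
        return f"{self.type}.{self.name}"


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    severity: str


def parse_resources(hcl: str) -> list[Resource]:
    """Walk the config line by line, tracking brace depth inside each resource."""
    resources, current, depth = [], None, 0
    for i, raw in enumerate(hcl.splitlines()):
        line = raw.split("#", 1)[0].rstrip()   # drop # comments (toy: ignores '#' in strings)
        if not line.strip():
            continue
        if current is None:
            if (m := RESOURCE_RE.match(line)):
                current, depth = Resource(m.group(1), m.group(2), end=-1), 1
            continue
        if line.endswith("{"):                  # a nested block or map attribute opens
            current.blocks.add(NAME_RE.match(line).group(1))
            depth += 1
        elif line.strip() == "}":
            depth -= 1
            if depth == 0:                      # resource closed: record where its '}' is
                current.end = i
                resources.append(current)
                current = None
        elif depth == 1 and (m := ATTR_RE.match(line)):
            current.attrs[m.group(1)] = m.group(2).strip('"')
    return resources


# (check id, severity, resource type, predicate). IDs are illustrative, not Bridgecrew's.
POLICIES = [
    ("S3_ENCRYPTION_AT_REST", "HIGH", "aws_s3_bucket",
     lambda r: "server_side_encryption_configuration" in r.blocks),
    ("S3_ACCESS_LOGGING", "MEDIUM", "aws_s3_bucket",
     lambda r: "logging" in r.blocks),
]

# Block appended by the fix for each failing check. The log bucket is an assumption.
FIXES = {
    "S3_ENCRYPTION_AT_REST": (
        "  server_side_encryption_configuration {\n"
        "    rule {\n"
        "      apply_server_side_encryption_by_default {\n"
        '        sse_algorithm = "aws:kms"\n'
        "      }\n    }\n  }\n"
    ),
    "S3_ACCESS_LOGGING": (
        "  logging {\n"
        '    target_bucket = "example-access-logs"  # ASSUMPTION: existing log bucket\n'
        '    target_prefix = "data/"\n  }\n'
    ),
}


def scan(hcl: str) -> list[Finding]:
    """Apply every policy to every resource of the matching type."""
    return [Finding(r.address, check, sev)
            for r in parse_resources(hcl)
            for check, sev, rtype, passes in POLICIES
            if r.type == rtype and not passes(r)]


def remediate(hcl: str, findings: list[Finding]) -> str:
    """Insert each missing block just before the failing resource's closing brace."""
    lines = hcl.splitlines(keepends=True)
    ends = {r.address: r.end for r in parse_resources(hcl)}
    for f in sorted(findings, key=lambda f: ends[f.resource], reverse=True):
        lines.insert(ends[f.resource], FIXES[f.check])   # bottom-up keeps indexes valid
    return "".join(lines)


# Constructed sample module: "data" is the kind of bucket the demo flags, "site" is compliant.
SAMPLE_TF = '''
resource "aws_s3_bucket" "data" {
  bucket = "example-customer-data"
  acl    = "private"

  tags = {
    Environment = "prod"
  }
}

resource "aws_s3_bucket" "site" {
  bucket = "example-site"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  logging {
    target_bucket = "example-access-logs"
    target_prefix = "site/"
  }
}
'''

if __name__ == "__main__":
    findings = scan(SAMPLE_TF)
    for f in findings:
        print(f"FAILED {f.check} [{f.severity}] on {f.resource}")
    print(f"after fix: {len(scan(remediate(SAMPLE_TF, findings)))} findings")
```

Running it reports both checks failing on `aws_s3_bucket.data`, none on `aws_s3_bucket.site`, and zero findings after the remediated text is re-scanned; in a real pipeline the remediated file is what goes into the fix pull request. The parser is deliberately minimal: for anything beyond this subset, use a real HCL parser or a scanner such as checkov, Bridgecrew's open-source tool, which covers the same two conditions with its S3 encryption and access-logging checks.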
Final thoughts and words of advice
- Compliance and governance are no longer a single-person job. It’s important to focus on the quality of engineering now more than ever, because if we all have skin in the game, fixing issues and improving security becomes a team effort.
- There is a ton of tooling available to secure your code: locally, in the cloud, via GitHub Actions, and so on. Managing those layers can be complicated, but they are great for hardening your code. Invest the time to get the tooling in place when you’re starting out so you can reuse it across repositories later.
- Experiment responsibly. There are so many great resources for securing Terraform, including open source tooling. As you get more infrastructure into your public cloud, always be conscious of the supply chain and find good ways to test continuously.
When you elevate your cloud security by implementing infrastructure as code, Bridgecrew is here to help and it’s free to sign up. To learn how to get started with Bridgecrew and Terraform, check out this step-by-step tutorial.