- Security researchers discussed vulnerabilities in Infrastructure-as-code (IaC)
- There are a number of different ways crooks could abuse the systems
- Issues also share defense mechanisms and workarounds
Security issues with infrastructure-as-code (IaC) and policy-as-code (PaC) specialized tools could put entire platforms, everywhere, at risk, experts have warned.
A report from cybersecurity researchers at Tenable have revealed how certain tools used to help manage cloud infrastructure and policies, such as Terraform and Open Policy Agent (OPA), could be hijacked and put to malicious use.
These tools use simplified coding languages which should make them safer than regular programming languages, but they’re still not without their flaws.
How to defend
“Since these are hardened languages with limited capabilities, they’re supposed to be more secure than standard programming languages – and indeed they are. However, more secure does not mean bulletproof,” the researchers said.
Discussing OPA, Tenable explained that it is a product that allows organizations to enforce rules, or policies, for managing cloud resources. It uses a language called Rego for these rules. Should a threat actor steal an access key, they would be able to add a fake Rego policy, approving malicious activity such as stealing sensitive data.
Terraform, on the other hand, helps companies define and manage cloud setups through code. Since it processes commands during workflows, it allows hackers to inject malicious code into the processes, which the tool then runs before anyone could notice. In theory, crooks could add a fake “data source” that results in malicious activity.
To protect against these attacks, researchers suggest teams use role-based access control (RBAC) to give people the minimum permissions they need, log actions at the application and cloud level for easier detection of suspicious behavior, and limit what apps and machines can access in terms of data and networks.
Furthermore, they suggest preventing unreviewed code or changes to run automatically in workflows, and using tools like Terrascan and Checkov to scan for issues in the infrastructure code before it’s deployed.