IaC Security: What It Is and How It Works
When it comes to writing secure code, we mainly think about application security. Developers writing the code of an application need to follow security best practices and use application security scanning tools.
However, the application code isn't the only code that you should secure. Infrastructure teams also write code. In fact, infrastructure as code (IaC) is the most common way of automating infrastructure these days.
Because IaC isn't exposed to the internet, there's usually little to no security put in place. But if you take security seriously, you definitely should take a look at some IaC security best practices. In this post, you'll learn what IaC security actually means and how it works.
What Is IaC Security?
Just so we're on the same page, infrastructure as code security isn't the same as infrastructure security. The point of IaC security is to avoid cloud configuration issues and to provision cloud resources according to their security best practices. In contrast, infrastructure security is a continuous process of scanning already existing resources and reacting to vulnerabilities.
In theory, the better job you do on IaC security, the less work you'll have on infrastructure security. However, good infrastructure security acts as input for security improvements for IaC. So, you'll need both anyway! But think about it as IaC security being proactive and infrastructure security being reactive.
Why Is IaC Important?
Now that you understand what IaC actually is and what it isn't, let's talk about why it matters.
Nowadays, we often hear about data leaks from various companies. Hackers these days try to hack passwords and breakthrough firewalls, of course. But also, they often search for components of your infrastructure that are unwittingly exposed to the internet.
Cloud infrastructures are complex. In DevOps environments where application teams can manage their own infrastructure, it's easy to miss some configuration parameters and unintentionally expose some storage to the internet.
That's what hackers are searching for. They don't need to hack or crack anything. Instead, they just need to find a resource that wasn't properly secured in the first place.
That's exactly why IaC security is important. Your traditional infrastructure security probably won't cover such use cases, unless you specifically instruct it to. But even if you do, it's still reactive security—and it may be too late. With proper IaC scanning and policies in place, you'll save yourself from many headaches.
How Can You Secure IaC?
Now that you understand the importance of IaC, let's move to the point of this post. How do you actually secure IaC?
There are a few ways you can approach IaC security, but there are two most popular options: IaC scanning and policies.
We'll examine both options, but before we begin, there's something you need to be aware of. Just like with any other security considerations, it's not just a matter of installing some security tool. It's about limiting the risks. You can't secure everything.
It's also not a matter of picking one of the solutions below. Ideally, you'd use many ways of securing your IaC. That's because no one solution covers everything.
Option 1: IaC Scanning
The most popular and easiest way to secure your IaC is to use an IaC security scanner. These tools scan all your IaC and can automatically show you possible security issues.
However, such tools won't solve all the problems for you. Why? Some configuration options may be secure or insecure, depending on your use case.
For example, a storage account exposed to the internet can be a security risk if that storage holds customer data. However, if that storage needs to serve photos for your website, then it needs to be exposed to the internet. The IaC scanning tool won't know the difference. But that doesn't mean you're doomed! For those things that IaC scanning can't help with, you can use other methods of IaC security.
So, what does IaC scanning do exactly? What does it actually scan?
Well, it's very similar to application code scanning. It'll read all your code defining infrastructure and provide you with a report outlining some common security vulnerabilities.
How detailed will the investigation be? It depends on the tool you're using. Most well-known IaC scanning tools are good at understanding the specifics of big cloud providers like AWS, Azure, and GCP, so they can scan for common misconfigurations specific to these clouds. Most of them also integrate with CI/CD systems. That means you can make the process easy and automated.
Let's look at another popular option.
Option 2: Policies
Another common option for IaC security is creating and enforcing policies. You can do this in a few ways. You can either enforce policies on your cloud provider or in the IaC tooling itself. No matter how you do it, though, the idea is simple.
If you have some very clear requirements for your cloud security, you can enforce them with policies. That way, if something insecure ends up in the IaC code, it simply won't be possible to deploy it. The IaC tool will throw an error at you.
Let's consider an example to make this clearer. In some hybrid cloud scenarios, companies don't allow anything to be exposed to the internet from the cloud. That's because they want all the traffic coming to and from on-premises infrastructure. Therefore, instead of making sure that every resource defined in IaC has no public endpoints defined, you can simply create a policy that forbids any public IP addresses to be created for any resources. So even if someone defines, for instance, a virtual machine with public IP (either by mistake or not) and tries to run infrastructure automation, the pipeline will fail. This is an effective way of securing your IaC because it's tool agnostic.
However, as with any other option, it doesn't solve all the use cases. Policies work the best if you know upfront exactly what you need. They also work best if you want to apply something for all resources.
Let's return to our example. Maybe some resources can have public IPs, but others don't. If it depends on the group, department, application, and other factors, then it's a bit tricky to cover that with policies. You can still apply policies based on the department or resource group, of course. But the more logic you need, the more complicated it becomes to cover that with policies.
Summing Up and Learning More
IaC security will only become more popular. More companies are moving to the cloud and want to automate infrastructure provisioning. There's no doubt that people take security more seriously than ever before. Companies are also starting to realize that security isn't only about securing application code and having expensive firewalls in place. Most importantly, IaC security is an example of proactive security. This means it helps give you that peace of mind that your infrastructure is secure when you deploy it.