- Security researchers discussed vulnerabilities in infrastructure-as-code (IaC)
- There are several ways criminals can abuse these systems
- The problems also share common defenses and solutions
Security issues with specialized infrastructure-as-code (IaC) and policy-as-code (PaC) tools could compromise entire platforms everywhere, experts warn.
A report from cybersecurity researchers at Tenable has revealed how certain tools used to help manage cloud infrastructure and policies, such as Terraform and Open Policy Agent (OPA), can be hijacked and used maliciously.
These tools use simplified coding languages, which should make them more secure than regular programming languages, but they are still not without their flaws.
How to defend
“Since these are hardened languages with limited capabilities, they should be more secure than standard programming languages – and they are. However, safer does not mean bulletproof,” the researchers said.
Discussing OPA, Tenable explained that it is a product that lets organizations enforce rules, or policies, for managing cloud resources, written in a language called Rego. Should a threat actor steal a passkey, they could add a fake Rego policy that authorizes malicious activities such as stealing sensitive data.
Terraform, on the other hand, helps companies define and manage cloud configurations through code. Because it processes commands during workflows, hackers can inject malicious code into the processes, which the tool then executes before anyone notices. In theory, crooks could add a fake ‘data source’ that leads to malicious activity.
To protect against these attacks, the researchers suggest teams use role-based access control (RBAC) to give people the minimum permissions they need, log application- and cloud-level actions to make suspicious behavior easier to detect, and restrict what applications and machines can access in terms of data and networks.
Additionally, they suggest preventing unchecked code or changes from being automatically executed in workflows, and using tools like Terrascan and Checkov to scan infrastructure code for issues before deployment.
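As an added illustration of the last two suggestions, and not code from the Tenable report or from either project, the following Python pre-merge gate flags the constructs the article describes: Terraform data sources and provisioners that execute programs during a run, and Rego policies that call OPA's `http.send` built-in. The rule set, file names and sample change set are constructed for this example.

```python
import re
from dataclasses import dataclass
# Constructs that execute a program or reach the network while the tool runs.
# They are legitimate features, so the gate reports them for human review
# instead of rejecting the change outright.
RULES = {
    ".tf": [
        (re.compile(r'^\s*data\s+"external"\s+"'), "external data source runs a local program during plan"),
        (re.compile(r'^\s*provisioner\s+"(local|remote)-exec"'), "exec provisioner runs commands during apply"),
    ],
    ".rego": [
        (re.compile(r"\bhttp\.send\s*\("), "http.send contacts an external host during policy evaluation"),
    ],
}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    message: str

def scan_file(path: str, text: str) -> list[Finding]:
    """Return one Finding per non-comment line matching a rule for the file's type."""
    suffix = path[path.rfind("."):] if "." in path else ""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):
            continue  # HCL and Rego both use '#' comments; HCL also accepts '//'
        for pattern, message in RULES.get(suffix, []):
            if pattern.search(line):
                findings.append(Finding(path, lineno, message))
    return findings

def gate(changed_files: dict[str, str]) -> list[Finding]:
    """Scan a whole change set; any finding should block automatic apply."""
    return [f for path, text in changed_files.items() for f in scan_file(path, text)]

# Constructed sample change set, not taken from any real repository.
SAMPLE_TF = """\
# data "external" "commented_out" {}
data "external" "build_info" {
  program = ["sh", "-c", "./scripts/version.sh"]
}
"""
SAMPLE_REGO = """\
package authz
default allow := false
allow { input.user.role == "admin" }
allowlist := http.send({"method": "GET", "url": "https://example.invalid/allowlist"})
"""
```

Calling `gate({"main.tf": SAMPLE_TF, "authz.rego": SAMPLE_REGO})` returns one finding per file, which a CI job can print and use to hold the change for review instead of applying it automatically.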