Securing cloud-native infrastructure has changed significantly over the past few years. DevOps tooling, frameworks, and automation now make it almost effortless to write a few lines of code that spin up an entire cloud environment from scratch. The flip side of that simplicity is that a single misconfigured template can cascade downstream (or upstream) into serious security issues when no guardrails or guidelines are in place. Security teams face this dilemma with Infrastructure-as-Code (IaC) processes and tools: any automation framework used correctly delivers substantial time-to-value and time savings, but used incorrectly it massively amplifies misconfigurations in IaC artifacts across cloud architectures, and those misconfigurations propagate quickly through the proverbial supply chain.
What is Infrastructure-as-Code (IAC)?
Put simply, Infrastructure as Code (IaC) is an approach in which all the assets a cloud environment needs are defined and provisioned through code and automation rather than configured one resource at a time in the cloud provider's console. A useful analogy is a building blueprint: just as a blueprint captures the building blocks and codes a construction project must satisfy, IaC templates capture, templatize, and modularize the definition of an environment.
Because the definition lives in a configuration file, IaC lets us apply that same file over and over in a consistent, repeatable manner, so the setup stays identical across environments. Typical uses are test environments, where teams stand up and tear down production-like environments or create multiple instances on demand. Using IaC removes manual steps from deployment and reduces deployment errors and configuration drift between environments.
Mitigating these code-level issues and eliminating misconfigurations requires organizations to factor security into the engineering process. By "shifting left", organizations and engineers identify and eliminate these issues much earlier in the lifecycle, before the artifacts are deployed, which reduces overall risk exposure. This approach requires scanning the code at several stages: while it is written, when it is committed, and inside CI/CD pipelines. Below we examine how to achieve this with a Cloud Native Application Protection Platform (CNAPP) such as Zscaler Posture Control.
Choose Your Adventure
There are a few approaches to securing IaC, but broadly they fall into three categories. To help visualize this, consider the workflow and process diagram, which shows the stages at which IaC scanning can be plugged in. The first is the IDE, such as Visual Studio Code, where the DevOps engineer is alerted to security violations locally, before the code is committed to a source code repository such as GitHub. The second is the repository itself, where the pull request is evaluated for security compliance and can be failed if it does not meet the security policy framework we have established. The third is the CI/CD framework, such as Jenkins, where a build can be failed and allowed to proceed only once security compliance is confirmed.
IaC Scanner for Visual Studio Code
The Posture Control IaC scanner for Visual Studio Code scans individual IaC files and directories written as Terraform, CloudFormation, Azure Resource Manager, and several other template formats, so configuration errors are found and fixed before the code is committed for deployment.
IaC Scanning for GitHub, Azure Repos, and GitLab
To use IaC scanning with a source control repository such as those named above, we use the platform's native integration to connect to and authorize access to the IaC source code repositories. Whenever code is added or updated, a pull request is opened, or a push commits code, scanning takes effect: the platform automatically scans the template for security misconfigurations and policy violations and displays the scan results alongside the code. We can then fix the configuration issues in the IDE, confirm the code is secure and compliant, and merge it into the main branch.
Scanning with CI/CD tools - Jenkins, GitHub Actions, Terraform Cloud
Using the IaC scan plugin for Jenkins as an example, we can identify security misconfigurations in Terraform and CloudFormation templates for both freestyle and pipeline jobs in Jenkins. To get started with this integration, the administrator installs the Zscaler IaC scan plugin on Jenkins and authorizes it to access the code repositories.
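As an added illustration of the kind of check these three integration points run (it is not Posture Control's scanner or any Zscaler code), the following Python script applies two hypothetical policies to a constructed CloudFormation JSON template: S3 buckets must not carry a public canned ACL and should define a PublicAccessBlockConfiguration, and security groups must not expose SSH or RDP to 0.0.0.0/0 or ::/0. The sample template, the severity levels, and the fail-on-HIGH threshold are assumptions chosen for the example. The same script fits any of the three stages: a developer runs it locally, a pull request check runs it on the changed files, and a Jenkins or GitHub Actions step runs it and fails the build on a non-zero exit code.

```python
"""Minimal IaC policy scanner for CloudFormation JSON templates.

Added example, not Posture Control's scanner. It shows the shape of an IaC
scanning step usable in the IDE, in a pull request check, or in CI/CD, and
how a non-zero exit code turns findings into a failed build.
"""
import json
import sys

# Constructed sample template (assumption for the example): one public bucket,
# one security group with SSH open to the world, and one compliant bucket.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "BastionSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "bastion",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                },
            },
        },
    },
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" source ranges
ADMIN_PORTS = {22, 3389}              # SSH and RDP (hypothetical policy scope)


def check_public_bucket(name, props):
    """Flag S3 buckets with a public canned ACL or no public access block."""
    findings = []
    acl = props.get("AccessControl", "Private")
    if acl.startswith("Public") or acl == "AuthenticatedRead":
        findings.append((name, "HIGH", f"S3 bucket ACL is {acl}"))
    if "PublicAccessBlockConfiguration" not in props:
        findings.append((name, "MEDIUM", "no PublicAccessBlockConfiguration"))
    return findings


def check_open_admin_ports(name, props):
    """Flag ingress rules that expose SSH/RDP (or all traffic) to the internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if (rule.get("CidrIp") not in WORLD_CIDRS
                and rule.get("CidrIpv6") not in WORLD_CIDRS):
            continue  # source is restricted; not in scope for this policy
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        exposed = [p for p in ADMIN_PORTS if lo <= p <= hi]
        if exposed or rule.get("IpProtocol") == "-1":
            findings.append((name, "HIGH",
                             f"ingress from the internet on ports {lo}-{hi}"))
    return findings


# Resource type -> policy check; extend with further checks as needed.
CHECKS = {
    "AWS::S3::Bucket": check_public_bucket,
    "AWS::EC2::SecurityGroup": check_open_admin_ports,
}


def scan_template(template_text):
    """Return a list of (logical_id, severity, message) for a JSON template."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(logical_id, resource.get("Properties", {})))
    return findings


def exit_code(findings, fail_on="HIGH"):
    """1 if any finding is at or above the threshold, so a gated build fails."""
    order = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    return 1 if any(order[s] >= order[fail_on] for _, s, _ in findings) else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    results = scan_template(text)
    for logical_id, severity, message in results:
        print(f"{severity:6} {logical_id}: {message}")
    sys.exit(exit_code(results))
```

Run it with no argument to scan the embedded sample, or pass a template path. The sample yields two HIGH findings and one MEDIUM, so the exit code is 1 and a gated pull request or build stops; DataBucket, with a private ACL and a full public access block, produces nothing. A production IaC scanner additionally parses YAML CloudFormation and Terraform HCL and resolves Ref and Fn:: intrinsics; this example deliberately handles plain JSON with literal values only.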
This short demonstration video shows what "shift-left security" looks like in practice, with CNAPP findings integrated directly into the tools that development and DevOps teams already use.
See It For Yourself: Free Cloud Security Assessment
Posture Control is 100% agentless and scans your entire AWS, Azure, and GCP environments to help identify and prioritize the assets that need your attention. It combines the capabilities of multiple point solutions such as CSPM, CIEM, and CWPP, and correlates findings across multiple security engines to prioritize hidden risks caused by misconfigurations, threats, and vulnerabilities across your public cloud stack, reducing cost, complexity, and cross-team friction. Find more details on how to request a Cloud Security Assessment from the team.