Liam and Owen from Aqua Security join us to share their work on the open source static analysis tool tfsec. They give us an introduction to infrastructure as code with Terraform, then explain the common problems they are trying to solve with tfsec. Finally, they tell us all about getting started with tfsec and getting involved with the project.
The opposite of infrastructure as code is setting up and maintaining your infrastructure by hand in the cloud console, sometimes known as ClickOps. You very quickly forget what you set up and how you set it up.
On the other side, IaC uses tools like AWS CloudFormation, Terraform or Pulumi to give you declarative code which you can apply idempotently. It gives a consistent, repeatable way of defining infrastructure. Checking the code into source control also lets you review changes and scale the same way of working across multiple teams.
Managing a large infrastructure in the console is an almost impossible task, so IaC is the generally preferred solution.
Terraform is a language that is both human readable and machine readable. It is simple and lets you define all kinds of resources; with a few lines of code you can define an S3 bucket. However, these resources need to be configured correctly, which can be a complicated task.
Third party Terraform modules allow us to package up definitions of everything from a single resource to an entire system. Using industry standard modules is also a great way to ensure that your resources are configured securely.
Modules are also a great way to enable teams to do things in a standard way. For example, you could have the central platform team creating a bastion module, which other teams within the same organisation can leverage in their work.
There are a lot of examples where misconfigurations have caused large issues, either compliance or financial. Using the example of the S3 bucket, we could set the canned ACL for authenticated reads (authenticated-read) on the bucket. We would assume that this means authenticated users in our own account would be able to read the bucket. However, once we read the docs, we'd realise that any user authenticated to any AWS account would be able to read the bucket, which is potentially a huge security issue.
These kinds of issues happen often and are one of the reasons tfsec was created.
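To make the ACL example concrete, here is the misconfiguration beside a hardened version. This is an added example, not code from the episode or from the tfsec project. It assumes the AWS provider v4+ resource layout (older provider versions accepted acl inline on aws_s3_bucket); the bucket names, resource labels and the report-reader role are hypothetical, while the canned ACL name, ownership setting and public access block arguments are AWS's own.

```hcl
# Misconfigured: "authenticated-read" grants READ to the AuthenticatedUsers
# group, which is every principal in every AWS account, not only this one.
# Bucket names and labels below are hypothetical.
resource "aws_s3_bucket" "reports_bad" {
  bucket = "example-corp-reports-bad"
}

resource "aws_s3_bucket_acl" "reports_bad" {
  bucket = aws_s3_bucket.reports_bad.id
  acl    = "authenticated-read" # readable by any authenticated AWS principal, anywhere
}

# Hardened: disable ACLs entirely so access is governed only by IAM and the
# bucket policy, block all forms of public access, and encrypt at rest.
resource "aws_s3_bucket" "reports" {
  bucket = "example-corp-reports"
}

resource "aws_s3_bucket_ownership_controls" "reports" {
  bucket = aws_s3_bucket.reports.id
  rule {
    object_ownership = "BucketOwnerEnforced" # ACLs are ignored; policies decide access
  }
}

resource "aws_s3_bucket_public_access_block" "reports" {
  bucket                  = aws_s3_bucket.reports.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "reports" {
  bucket = aws_s3_bucket.reports.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# What "authenticated-read" was mistakenly assumed to mean: read access for a
# principal in *this* account, granted explicitly by a scoped bucket policy.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket_policy" "reports" {
  bucket = aws_s3_bucket.reports.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "ReadOnlyForReportReaders"
      Effect    = "Allow"
      Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/report-reader" } # hypothetical role
      Action    = ["s3:GetObject", "s3:ListBucket"]
      Resource  = [aws_s3_bucket.reports.arn, "${aws_s3_bucket.reports.arn}/*"]
    }]
  })
}
```

The hardened half deliberately does not fix the ACL by swapping authenticated-read for private: with object ownership set to BucketOwnerEnforced, S3 ignores ACLs altogether, so there is no ACL left to get wrong, and the public access block stops a later policy or ACL change from reopening the bucket.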
tfsec is an open source static code analysis tool written in Go. Terraform itself is written in Go, so tfsec was able to use Terraform's own HCL parser to find patterns in configuration. tfsec also works in a similar way to the Terraform CLI, which makes it a reliable tool. tfsec tries to stay as close to the Terraform process as possible: it parses and evaluates the HCL, resolving variables, locals and module inputs, so that checks run against the values that would actually be applied rather than against a snapshot of the raw text as written.
Other tools had to use regular expressions instead, which are harder to build. Regular expressions are fine for simple pattern matching, but unsustainable for more complicated rules.
tfsec also identifies the particular line that causes the misconfiguration, and it can write comments on PRs to let you know what needs fixing. Initially, the check logic was built together with the parser. This has since been refactored to analyse an intermediary representation of resources that is not tied to provider-specific functionality, making it suitable for a variety of providers.
Terraform has a lot of quickly changing providers. The great community around tfsec steps in and helps make all the required changes. tfsec is released frequently and has a fast turnaround on bug fixes.
If you are using tfsec, you can use the standard checks, but also write your own custom checks that suit your needs. The team would be grateful if you could share any checks that might be useful to the rest of the community. Recently, tfsec also gained support for writing checks in Rego.
tfsec integrates with Aqua Security's Trivy, which allows you to scan a wide variety of resources, not just Terraform.
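A custom check in tfsec's YAML check format, as an added example and not part of the project's own check set. It fails any aws_s3_bucket_acl resource whose acl is one of the canned ACLs that open a bucket beyond the owning account, including the authenticated-read case discussed earlier. The check code, messages and file name are hypothetical; the field names and matchSpec actions follow tfsec's documented custom-check schema as I know it and should be confirmed against the docs for the tfsec version in use (older releases used ERROR/WARNING/INFO severities instead of CRITICAL/HIGH/MEDIUM/LOW).

```yaml
# .tfsec/s3_tfchecks.yaml  (tfsec loads *_tfchecks.yaml files from the .tfsec directory)
---
checks:
  - code: CUS-S3-001                  # hypothetical check code
    description: S3 bucket ACL must not grant access outside the owning account
    impact: >-
      The authenticated-read canned ACL grants READ to any principal
      authenticated to any AWS account, and public-read/public-read-write
      grant access to everyone, so the bucket contents are effectively public.
    resolution: >-
      Drop the ACL (set object ownership to BucketOwnerEnforced) and grant
      access through a bucket policy scoped to principals in this account.
    requiredTypes:
      - resource
    requiredLabels:
      - aws_s3_bucket_acl
    severity: HIGH
    matchSpec:
      name: acl
      action: isNone            # the check fails if acl equals any listed value
      value:
        - authenticated-read
        - public-read
        - public-read-write
    errorMessage: acl grants read access to principals outside this AWS account
    relatedLinks:
      - https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl
```

Because tfsec evaluates the configuration rather than pattern-matching the text, the check also fires when acl is set through a variable or local whose resolved value is one of the listed ACLs, which a regular expression over the source file would miss.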
Adelina is a polyglot engineer and developer relations professional, with a decade of technical experience at multiple startups in London. She started her career as a Java backend engineer, later converted to Go, and then transitioned to a full-time developer relations role. She has published multiple online courses about Go on the LinkedIn Learning platform, helping thousands of developers upskill with Go. She has a passion for public speaking, having presented on cloud architectures at major European conferences. Adelina holds an MSc in Mathematical Modelling and Computing.