Presentation for Google DevFest 2022 Caribbean which discusses the approach to securing IaaC including TerraForm

1. Port of Spain
Obika Gellineau
Manager - Cyber Services, KPMG Caricom
Securing Infrastructure
as a Code

2. Agenda
● What is IaC?
● IaC Automation Tools
● IaC in Software Development
● IaC Security

3. What is IaC?

4. What is Infrastructure as a Code?
IaC is an IT infrastructure provisioning process where computer systems
are automatically, managed and provisioned through human-readable
definition files rather than physical or interactive configuration tools

5. Deployment - Traditional vs IaC
Traditional IaC
GUI GUI
Platform Specific
Scripts
Common Data Format
Files
Manual Configuration Automated
Software Supply
Chain
Individual Software
Version Control
Version Control
Similar
Different
Legend

6. Benefits of IaC
● Automation across multi-cloud
(e.g. GCP, AWS, Azure)
● Cost reduction in configuring
large infrastructure
● Integrates with CI/CD Pipelines
● Reduction in human error (e.g.
misconfiguration)
● Visibility of infrastructure
across the organization
● Can be imperative (procedural)
or declarative (functional)
● Source control and versioning
● Easy validation through code
review and automated tests

7. IaC Automation
Tools

8. IaC Automation Tools
To support administrators and developers in the automation of virtual infrastructure, Continuous
Configuration Automation (CCA) Tools are used.
Tool Open Source Owner/Maintainer
Ansible Yes RedHat
CFEngine Yes CFEngine
Chef Yes Chef
Otter No Inedo
Pulumi Yes Pulumi
Puppet Yes Puppet
SaltStack Yes SaltStack
Terraform Yes HashiCorp

9. IaC Example
Example of a TerraForm
JSON definition file for
GCP which outlines:
1. Cloud Region and Zone
2. Project ID
3. Secrets
4. Computing Resource
5. Software dependencies
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "3.5.0"
}
}
}
provider "google" {
credentials = file("creds.json")
project = "EXAMPLE-PROJECT"
region = "us-central1"
zone = "us-central1-c"
}
resource "google_compute_network" "vpc_network" {
name = "terraform-network"
}
resource "google_compute_instance" "vm_instance" {
name = "terraform-instance"
machine_type = "f1-micro"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = google_compute_network.vpc_network.name
access_config {
}
}
}

10. IaC in Software
Development

11. Software Development Workflow
IDE Plugins (e.g.
TFLint, Ansible-
Lint, etc.)
Testing
Version Control
Develop Release Deploy
Git / SVN /
Mercurial
SAST &
Code Reviews
DAST &
Penetration
Testing
Cloud Service
Monitoring
JSON, YAML, etc.

12. IaC Security

13. IaC Security Best Practices
1. Avoid using IaC Templates
1. Enable Audit Logs in your IaC files
1. Utilize Secrets Management built into IaC Tools. Don’t hardcode creds!!
1. Assign project user access based on the principle of “least privilege”
1. Name and tag all resources in your IaC files for inventory tracking
1. Use version control for tracking of IaC files.

14. IaC Security Best Practices
7. Use Open Source Dependency Checking tools to identify potential risks.
(e.g. Snyk, WhiteSource Bolt, etc.)
7. Use Static Analysis tools to identify misconfigurations and risks. (e.g.
Terrascan, Snyk, kubescan, etc.)
7. Use Container Image Scanning tools to detect vulnerabilities in your
containers. (e.g. Clair, Trivy, Anchore)
7. Use Dynamic Analysis tools to evaluate existing environments for potential
security risks. (e.g. ZAP, BURP, OpenVAS, etc.)

15. THANK YOU
linkedin.com/obikag