One of the crucial aspects when building cloud infrastructure with IaC is sensitive information. It includes the architecture of the infrastructure, the secrets, data accessibility…and manipulating these sensitive information should be done by design. Because building and managing cloud infrastructures with IaC is not just a bench of Terraform files. That’s why we decided to share knowledge with the community and help mature the way we design, deploy and maintain infrastructure, especially in a fast moving industry where there are new cloud resources, new technologies, new threats almost every day. Discover Brainboard: https://www.brainboard.co/resources/pricing Watch the full webinar: https://www.linkedin.com/events/secretsiniacandhowtobuildasecur7072110574393806848/theater/

2. Chafik, CEO & Founder @Brainboard
Engineer, +16 years of experience.
Former CTO @Scaleway

3. Brainboard
Visually design & manage cloud infrastructures.

4. Summary
➢ Sensitive information of a cloud infrastructure
➢ How to manage secrets in IaC
➢ Security landscape
➢ Security best practices
➢ Real life use cases: Azure key vault & AWS KMS
➢ Brainboard in action

5. Goal
Raise awareness on IaC security
Share best practices
A bit of theory, a good dose of practice

6. Cloud infrastructure
Cloud infrastructure is NOT just a bunch of Terraform files.
People 👥 Process 🕓
Tools 🧰

7. Cloud infrastructure: Anatomy
- Diagram / blueprint
- Code (Terraform, Ansible, Pulumi, YAML, shell script…)
- Secrets / sensitive information
- Source of truth
- Traceability
- Pipelines → access to prod
- Access (people, systems, APIs…)

8. Cloud infrastructure: Anatomy
Blueprint ✍ Code 📝
Secrets 🔐
Traceability 📹
Pipeline 🚀
Access 🚪
Source of truth ✅
☁
Cloud resources
@
Cloud providers
�� ��
�� ��
��
��

9. Best practice
Single/unique source of truth for the infrastructure.

10. Terraform sensitive information
- Before deployment:
Provider(s) credentials
- During development:
Secrets & passwords & certificates
- During & after deployment:
State file & secrets

11. Terraform sensitive information
How to set them:
- Hardcode
- Env variables
- Vault
- Pipeline
- Encrypt

12. Environments:
- Git branches
- Terraform workspaces
- Separate folders
- Brainboard environments
Best practice
Isolate your environments → Reduce blast radius
Application / infrastructure
Production 🚀
Staging 🔗
Dev 📝

13. State file
- Isolate state by layer / architecture
- Not everyone should have access to the state
- Use remote encrypted backend
- Backup / version your state

14. Security landscape
- Static code analysis
- tfsec
- terrascan
- OPA
- Checkov
- Vaults:
- Azure key vault
- AWS KMS
- SOPS
- Remote backends: S3, Azure blob storage, TFC

15. Implementation
Azure key vault
AWS KMS

16. Thank you 🤗
Ping me / us if you need help