HOW SECURE ARE YOUR TERRAFORM SENSITIVE VALUES?_
Marko Bevc
SECURE ENOUGH?_
"Security through obscurity should never be the only security mechanism!"
ABOUT ME_
● Senior Consultant at The Scale Factory (DevOps consultancy, AWS advanced consulting partner and K8s service provider)
● Ops background: Senior IT infrastructure engineer and System Architect (extensive Linux and virtualization experience)
● Certifications and competencies: AWS, CKA, RHEL, HCTA
● Open source contributor and supporter
● Fan of automation/simplifying things, hiking, cycling and travelling
@_MarkoB
https://www.linkedin.com/in/marko-bevc/
TOPICS COVERED_
● Terraform workflows (security aspects and exposure, attack vectors and risks)
● Sensitive value leaks & prevention
● Demo and code examples
● Conclusions and takeaways
INFRASTRUCTURE TF WORKFLOW OVERVIEW_
[diagram: the layers a Terraform workflow touches - infrastructure, data, regular processes, workloads and network]
WORKFLOWS EXPOSURE_
• Workflow types:
– CLI (OSS binary) and wrappers (Terragrunt)
– Automated pipeline runs (Atlantis, GitHub Actions, CircleCI)
– Managed SaaS offering (Terraform Cloud, TFC)
• Each workflow shifts where the exposure points sit:
– code and repository
– state/lock
– execution environment and the sensitive values it holds
– security perimeter & responsibility!
#1 SECRETS IN CODE_
• The most "obvious" pitfall to avoid
• Hard-coded secrets/sensitive values in code (and, once committed, in the git history)
• Terraform repository scanning, code reviews and good team security awareness/culture
• Remediation:
– Inject dynamically from the environment (e.g. TF_VAR_* variables or -var-file kept out of the repository)
– Store externally in a sealed environment (Vault/HCP, AWS Secrets Manager/SSM Parameter Store, Google Secret Manager, etc.) with encryption at rest + in transit
– Randomise (generate secrets instead of having humans choose and handle them) to reduce risk points (human factor*)
• Is this enough?
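The repository scanning mentioned above, as an added example that is not part of the original talk: a small pre-commit style check in Python that flags the two patterns this slide warns about, a string literal assigned to a secret-bearing attribute and a variable marked sensitive that still ships a literal default. The list of secret-like attribute names is an assumption to extend per provider, and the two HCL samples are constructed for the demo (the "good" one mirrors the example.tf pattern shown later in the deck).

```python
"""Flag hard-coded secrets in Terraform source.

Added example for this deck, not code from the talk. Rule 1 flags a
string literal assigned to an attribute whose name looks secret-bearing;
rule 2 flags a `sensitive = true` variable that still carries a literal
default. SECRET_LIKE is an assumption to extend per provider; SAMPLE_BAD
and SAMPLE_GOOD are constructed inputs.
"""
import re
from typing import List, Tuple

SECRET_LIKE = re.compile(
    r"(password|passwd|secret|token|api_key|access_key|private_key)", re.IGNORECASE
)
# attr = "literal"   (a quoted string on the right-hand side, not a reference)
ASSIGN_LITERAL = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"\s*$')
# variable "name" { ... }   (body captured up to the closing brace at column 0)
VARIABLE_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)

Finding = Tuple[int, str, str]  # (line number, what, why)

SAMPLE_BAD = '''
variable "db-pass" {
  type      = string
  default   = "hunter2"
  sensitive = true
}

resource "aws_db_instance" "db" {
  username = "username"
  password = "SuperSecret123"
}
'''

SAMPLE_GOOD = '''
variable "db-pass" {
  type      = string
  default   = null
  sensitive = true
}

resource "aws_db_instance" "db" {
  username = "username"
  password = var.db-pass
}
'''


def scan_hcl(text: str) -> List[Finding]:
    """Return findings sorted by line number; an empty list means clean."""
    findings: List[Finding] = []
    # Rule 1: secret-like attribute assigned a non-empty string literal.
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_LITERAL.match(line)
        if m and SECRET_LIKE.search(m.group(1)) and m.group(2):
            findings.append((lineno, m.group(1),
                             "string literal assigned to secret-like attribute"))
    # Rule 2: sensitive variable with a literal default (ends up in git).
    for m in VARIABLE_BLOCK.finditer(text):
        name, body = m.group(1), m.group(2)
        if re.search(r"sensitive\s*=\s*true", body) and re.search(r'default\s*=\s*"', body):
            lineno = text.count("\n", 0, m.start()) + 1
            findings.append((lineno, f'variable "{name}"',
                             "sensitive variable carries a literal default"))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"{label}: {scan_hcl(sample) or 'no findings'}")
```

This is a line-level heuristic, so it only answers the question "did a literal land in the code"; it says nothing about the value once Terraform has written it to state, which is the subject of the next slide. In a pipeline the check would run against every *.tf file and fail the job on any finding, alongside a dedicated scanner such as tfsec or checkov.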
#2 KEEPING STATE SECURE_
● The more interesting and most important security aspect
● Even when secrets come from outside (injected or read from a secrets solution), Terraform still has to record them in state in order to detect changes, so the state file holds them in plaintext
● Solution: ensure state is safe (encryption at rest/in transit, access control and locking on the backend)
● Native encryption inside the state is hard - deprecated! Protection has to come from the backend and who can reach it, not from Terraform itself
#3 OUTPUT AND AUDIT TRAIL_
• Usually forgotten
• Logging and backups can also reveal sensitive information (plan/apply output, CI job logs, state backups and versions)
• Terraform 0.14+ has the concept of 'sensitive' values (input variables, alongside sensitive outputs and provider-flagged attributes); they are redacted from plan/apply output, but NOT encrypted or obscured in the state!
• Responsibility might differ between workflows (local CLI vs pipeline vs Terraform Cloud)
• Keeping clean logs and trails is good practice (also for personal information)
• Also don't forget log encryption and access control
example.tf:

variable "db-pass" {
  type        = string
  description = "Default DB password"
  default     = null   # no default: the value has to be supplied at run time
  sensitive   = true   # redacted in plan/apply output, still plaintext in state
}

resource "aws_db_instance" "db" {
  allocated_storage           = 10
  allow_major_version_upgrade = true
  apply_immediately           = true
  storage_type                = "gp2"
  engine                      = "mariadb"
  engine_version              = "10.5"
  instance_class              = "db.t2.micro"
  name                        = "mydb"
  username                    = "username"
  password                    = var.db-pass   # injected via -var/-var-file or the environment, never a literal
  skip_final_snapshot         = true
}
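What #2 and #3 mean for the example.tf above, as an added example that is not part of the original talk: a small Python tool over the JSON that `terraform show -json` emits for a state (format_version "1.0", where each resource carries `values` in plaintext next to a boolean `sensitive_values` mask of the same shape, and outputs carry a `sensitive` flag). It lists every value the sensitive flag covers, showing that the flag leaves the plaintext in the state, and produces the redacted copy that should go into logs, backups and tickets instead. The state document is constructed for the demo and its resource addresses are assumptions.

```python
"""Find and redact sensitive values in Terraform JSON state.

Added example for this deck, not code from the talk. Input is the JSON
that `terraform show -json` produces for a state (format_version "1.0").
SAMPLE_STATE_JSON is a constructed document; its addresses are assumed.
"""
import json
from typing import Any, Dict, Iterator, List, Tuple

SAMPLE_STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {
        "outputs": {
            "db_password": {"sensitive": True, "value": "S3cretP4ss!"},
            "db_endpoint": {"sensitive": False, "value": "mydb.example.internal:3306"},
        },
        "root_module": {
            "resources": [{
                "address": "aws_db_instance.db", "mode": "managed",
                "type": "aws_db_instance", "name": "db",
                "values": {"engine": "mariadb", "username": "username",
                           "password": "S3cretP4ss!", "tags": {"owner": "platform"}},
                "sensitive_values": {"password": True, "tags": {}},
            }],
            "child_modules": [{
                "address": "module.app",
                "resources": [{
                    "address": "module.app.random_password.api", "mode": "managed",
                    "type": "random_password", "name": "api",
                    "values": {"length": 32, "result": "tok-3nDxQ7", "bcrypt_hash": "$2a$10$abc"},
                    "sensitive_values": {"result": True, "bcrypt_hash": True},
                }],
            }],
        },
    },
})


def _modules(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield the root module and every nested child module."""
    yield module
    for child in module.get("child_modules", []):
        yield from _modules(child)


def _walk(value: Any, mask: Any, path: str) -> Iterator[Tuple[str, Any]]:
    """Yield (path, plaintext) for each leaf the mask marks as sensitive."""
    if mask is True:
        yield path, value
    elif isinstance(mask, dict) and isinstance(value, dict):
        for key, sub in mask.items():
            if key in value:
                yield from _walk(value[key], sub, f"{path}.{key}")
    elif isinstance(mask, list) and isinstance(value, list):
        for i, sub in enumerate(mask):
            if i < len(value):
                yield from _walk(value[i], sub, f"{path}[{i}]")


def find_sensitive(state_json: str) -> List[Tuple[str, Any]]:
    """Every flagged value with its plaintext: the flag only drives CLI redaction."""
    values = json.loads(state_json).get("values", {})
    found: List[Tuple[str, Any]] = []
    for name, out in values.get("outputs", {}).items():
        if out.get("sensitive"):
            found.append((f"output.{name}", out.get("value")))
    for module in _modules(values.get("root_module", {})):
        for res in module.get("resources", []):
            found.extend(_walk(res.get("values", {}), res.get("sensitive_values", {}),
                               res["address"]))
    return found


def _redact(value: Any, mask: Any, marker: str) -> Any:
    """Copy of value with every masked leaf replaced by marker."""
    if mask is True:
        return marker
    if isinstance(mask, dict) and isinstance(value, dict):
        return {k: _redact(v, mask.get(k, False), marker) for k, v in value.items()}
    if isinstance(mask, list) and isinstance(value, list):
        return [_redact(v, mask[i] if i < len(mask) else False, marker)
                for i, v in enumerate(value)]
    return value


def redact(state_json: str, marker: str = "(sensitive)") -> str:
    """The copy of the state that is safe to log, back up or attach to a ticket."""
    state = json.loads(state_json)
    values = state.get("values", {})
    for out in values.get("outputs", {}).values():
        if out.get("sensitive"):
            out["value"] = marker
    for module in _modules(values.get("root_module", {})):
        for res in module.get("resources", []):
            res["values"] = _redact(res.get("values", {}), res.get("sensitive_values", {}), marker)
    return json.dumps(state, indent=2, sort_keys=True)


if __name__ == "__main__":
    for path, secret in find_sensitive(SAMPLE_STATE_JSON):
        print(f"{path}: stored in plaintext -> {secret!r}")
    print(redact(SAMPLE_STATE_JSON))
```

Run against a real workspace the input would be `terraform show -json` piped into `find_sensitive`; a non-empty result is the list of attributes whose protection rests entirely on the backend's encryption and access control, and `redact` is what should be written to any log or audit trail. Note that a plain grep for the secret over the raw state hits as well, which is the whole point of #2.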
TIME FOR
DEMO!_
CONCLUSIONS & TAKEAWAYS_
● Security is hard!
● Protect your crown jewels:
– repository code
– state
– output/logs
● Use multiple layers of security, scan code and apply defence in depth (tfsec, checkov, AWS Config, Cloud Custodian, Prowler)
● Familiarise people with responsibilities and procedures - this is not just a technical problem
● Avoid weak links in the IaC security chain

FURTHER READING_
● Resources:
– https://www.scalefactory.com/blog/2020/12/02/are-we-there-yet-terraform-0.14/
– https://www.terraform.io/docs/extend/best-practices/sensitive-state.html
– https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1
– https://geekflare.com/aws-vulnerability-scanner/
– https://thorsten-hans.com/six-golden-rules-of-infrastructure-as-code-iac
– https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
– https://www.terraform.io/cloud
– https://www.vaultproject.io/
– https://www.hashicorp.com/cloud-platform
KEEP IN TOUCH_
Web: https://www.scalefactory.com/
Twitter: @_MarkoB
GitHub: @mbevc1
GitLab: @mbevc1
LinkedIn: https://www.linkedin.com/in/marko-bevc/

More Related Content

What's hot

Getting Started with Consul
Getting Started with ConsulGetting Started with Consul
Getting Started with Consul
Ramit Surana
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 
Containment without Containers: Running Windows Microservices on Nomad
Containment without Containers: Running Windows Microservices on NomadContainment without Containers: Running Windows Microservices on Nomad
Containment without Containers: Running Windows Microservices on Nomad
Justen Walker
 
HBaseConEast2016: Practical Kerberos with Apache HBase
HBaseConEast2016: Practical Kerberos with Apache HBaseHBaseConEast2016: Practical Kerberos with Apache HBase
HBaseConEast2016: Practical Kerberos with Apache HBase
Michael Stack
 
Openstack study-nova-02
Openstack study-nova-02Openstack study-nova-02
Openstack study-nova-02
Jinho Shin
 
London HUG 8/3 - Nomad
London HUG 8/3 - NomadLondon HUG 8/3 - Nomad
London HUG 8/3 - Nomad
London HashiCorp User Group
 
Microservices with docker swarm and consul
Microservices with docker swarm and consulMicroservices with docker swarm and consul
Microservices with docker swarm and consul
Nguyen Sy Thanh Son
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
C4Media
 
Ground Control to Nomad Job Dispatch
Ground Control to Nomad Job DispatchGround Control to Nomad Job Dispatch
Ground Control to Nomad Job Dispatch
Michael Lange
 
Terraform: An Overview & Introduction
Terraform: An Overview & IntroductionTerraform: An Overview & Introduction
Terraform: An Overview & Introduction
Lee Trout
 
Migratory Workloads Across Clouds with Nomad
Migratory Workloads Across Clouds with NomadMigratory Workloads Across Clouds with Nomad
Migratory Workloads Across Clouds with Nomad
Philip Watts
 
Building Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSSBuilding Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSS
Semih Hakkıoğlu
 
Openstack Scheduler and Scalability Issue
Openstack Scheduler and Scalability IssueOpenstack Scheduler and Scalability Issue
Openstack Scheduler and Scalability Issue
Vigneshvar A.S
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
Jesse Pretorius
 
Deploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and MarathonDeploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and Marathon
Discover Pinterest
 
Geode on Docker
Geode on DockerGeode on Docker
Geode on Docker
Apache Geode
 
Service Discovery 101
Service Discovery 101Service Discovery 101
Service Discovery 101
Stefan Achtsnit
 
02 terraform core concepts
02 terraform core concepts02 terraform core concepts
02 terraform core concepts
zekeLabs Technologies
 
Divide and conquer: resource segregation in the OpenStack cloud
Divide and conquer: resource segregation in the OpenStack cloudDivide and conquer: resource segregation in the OpenStack cloud
Divide and conquer: resource segregation in the OpenStack cloudStephen Gordon
 
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
Roberto Hashioka
 

What's hot (20)

Getting Started with Consul
Getting Started with ConsulGetting Started with Consul
Getting Started with Consul
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
Containment without Containers: Running Windows Microservices on Nomad
Containment without Containers: Running Windows Microservices on NomadContainment without Containers: Running Windows Microservices on Nomad
Containment without Containers: Running Windows Microservices on Nomad
 
HBaseConEast2016: Practical Kerberos with Apache HBase
HBaseConEast2016: Practical Kerberos with Apache HBaseHBaseConEast2016: Practical Kerberos with Apache HBase
HBaseConEast2016: Practical Kerberos with Apache HBase
 
Openstack study-nova-02
Openstack study-nova-02Openstack study-nova-02
Openstack study-nova-02
 
London HUG 8/3 - Nomad
London HUG 8/3 - NomadLondon HUG 8/3 - Nomad
London HUG 8/3 - Nomad
 
Microservices with docker swarm and consul
Microservices with docker swarm and consulMicroservices with docker swarm and consul
Microservices with docker swarm and consul
 
Consul: Service-oriented at Scale
Consul: Service-oriented at ScaleConsul: Service-oriented at Scale
Consul: Service-oriented at Scale
 
Ground Control to Nomad Job Dispatch
Ground Control to Nomad Job DispatchGround Control to Nomad Job Dispatch
Ground Control to Nomad Job Dispatch
 
Terraform: An Overview & Introduction
Terraform: An Overview & IntroductionTerraform: An Overview & Introduction
Terraform: An Overview & Introduction
 
Migratory Workloads Across Clouds with Nomad
Migratory Workloads Across Clouds with NomadMigratory Workloads Across Clouds with Nomad
Migratory Workloads Across Clouds with Nomad
 
Building Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSSBuilding Microservices with Spring Cloud and Netflix OSS
Building Microservices with Spring Cloud and Netflix OSS
 
Openstack Scheduler and Scalability Issue
Openstack Scheduler and Scalability IssueOpenstack Scheduler and Scalability Issue
Openstack Scheduler and Scalability Issue
 
OpenStack Keystone with LDAP
OpenStack Keystone with LDAPOpenStack Keystone with LDAP
OpenStack Keystone with LDAP
 
Deploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and MarathonDeploying Docker Containers at Scale with Mesos and Marathon
Deploying Docker Containers at Scale with Mesos and Marathon
 
Geode on Docker
Geode on DockerGeode on Docker
Geode on Docker
 
Service Discovery 101
Service Discovery 101Service Discovery 101
Service Discovery 101
 
02 terraform core concepts
02 terraform core concepts02 terraform core concepts
02 terraform core concepts
 
Divide and conquer: resource segregation in the OpenStack cloud
Divide and conquer: resource segregation in the OpenStack cloudDivide and conquer: resource segregation in the OpenStack cloud
Divide and conquer: resource segregation in the OpenStack cloud
 
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
Real-Time Data Processing Pipeline & Visualization with Docker, Spark, Kafka ...
 

Similar to How secure are your Terraform sensitive values?

DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
Stefan Oehrli
 
Professional SQL for Developers
Professional SQL for DevelopersProfessional SQL for Developers
Professional SQL for Developers
Paul Irwin
 
C19013010 the tutorial to build shared ai services session 2
C19013010 the tutorial to build shared ai services session 2C19013010 the tutorial to build shared ai services session 2
C19013010 the tutorial to build shared ai services session 2
Bill Liu
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
Yossi Sassi
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Rod Soto
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
Prabath Siriwardena
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
ScyllaDB
 
backgroundcommunicationandwaitevents-180124221026.pdf
backgroundcommunicationandwaitevents-180124221026.pdfbackgroundcommunicationandwaitevents-180124221026.pdf
backgroundcommunicationandwaitevents-180124221026.pdf
ssuser785ce21
 
Database security best_practices
Database security best_practicesDatabase security best_practices
Database security best_practicesTarik Essawi
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of Devices
Kai Hudalla
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
Andrey Devyatkin
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
Amazon Web Services
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101fangjiafu
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Andrejs Prokopjevs
 
I pushed in production :). Have a nice weekend
I pushed in production :). Have a nice weekendI pushed in production :). Have a nice weekend
I pushed in production :). Have a nice weekend
Nicolas Carlier
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers dofangjiafu
 
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionData Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet Encryption
Databricks
 
Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014 Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014
Uri Cohen
 

Similar to How secure are your Terraform sensitive values? (20)

DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
 
Professional SQL for Developers
Professional SQL for DevelopersProfessional SQL for Developers
Professional SQL for Developers
 
C19013010 the tutorial to build shared ai services session 2
C19013010 the tutorial to build shared ai services session 2C19013010 the tutorial to build shared ai services session 2
C19013010 the tutorial to build shared ai services session 2
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Introduction to threat_modeling
Introduction to threat_modelingIntroduction to threat_modeling
Introduction to threat_modeling
 
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
How to Secure Your Scylla Deployment: Authorization, Encryption, LDAP Authent...
 
backgroundcommunicationandwaitevents-180124221026.pdf
backgroundcommunicationandwaitevents-180124221026.pdfbackgroundcommunicationandwaitevents-180124221026.pdf
backgroundcommunicationandwaitevents-180124221026.pdf
 
Database security best_practices
Database security best_practicesDatabase security best_practices
Database security best_practices
 
Securing Millions of Devices
Securing Millions of DevicesSecuring Millions of Devices
Securing Millions of Devices
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
 
Oracle forensics 101
Oracle forensics 101Oracle forensics 101
Oracle forensics 101
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
I pushed in production :). Have a nice weekend
I pushed in production :). Have a nice weekendI pushed in production :). Have a nice weekend
I pushed in production :). Have a nice weekend
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
 
Data Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet EncryptionData Security at Scale through Spark and Parquet Encryption
Data Security at Scale through Spark and Parquet Encryption
 
Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014 Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014
 

More from Marko Bevc

Using HCP Waypoint
Using HCP WaypointUsing HCP Waypoint
Using HCP Waypoint
Marko Bevc
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using Karpenter
Marko Bevc
 
Nodeless scaling with Karpenter
Nodeless scaling with KarpenterNodeless scaling with Karpenter
Nodeless scaling with Karpenter
Marko Bevc
 
Seamless scaling of Kubernetes nodes
Seamless scaling of Kubernetes nodesSeamless scaling of Kubernetes nodes
Seamless scaling of Kubernetes nodes
Marko Bevc
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
Marko Bevc
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
Marko Bevc
 
Terraform 0.13: Rise of the modules
Terraform 0.13: Rise of the modulesTerraform 0.13: Rise of the modules
Terraform 0.13: Rise of the modules
Marko Bevc
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
Marko Bevc
 
Commodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudCommodified IaC using Terraform Cloud
Commodified IaC using Terraform Cloud
Marko Bevc
 

More from Marko Bevc (9)

Using HCP Waypoint
Using HCP WaypointUsing HCP Waypoint
Using HCP Waypoint
 
Efficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using KarpenterEfficient Kubernetes scaling using Karpenter
Efficient Kubernetes scaling using Karpenter
 
Nodeless scaling with Karpenter
Nodeless scaling with KarpenterNodeless scaling with Karpenter
Nodeless scaling with Karpenter
 
Seamless scaling of Kubernetes nodes
Seamless scaling of Kubernetes nodesSeamless scaling of Kubernetes nodes
Seamless scaling of Kubernetes nodes
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
Terraform 0.13: Rise of the modules
Terraform 0.13: Rise of the modulesTerraform 0.13: Rise of the modules
Terraform 0.13: Rise of the modules
 
Who is afraid of privileged containers ?
Who is afraid of privileged containers ?Who is afraid of privileged containers ?
Who is afraid of privileged containers ?
 
Commodified IaC using Terraform Cloud
Commodified IaC using Terraform CloudCommodified IaC using Terraform Cloud
Commodified IaC using Terraform Cloud
 

Recently uploaded

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
QuickwayInfoSystems3
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
Philip Schwarz
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 

Recently uploaded (20)

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Enterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptxEnterprise Software Development with No Code Solutions.pptx
Enterprise Software Development with No Code Solutions.pptx
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus Compute wth IRI Workflows - GlobusWorld 2024
 
A Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of PassageA Sighting of filterA in Typelevel Rite of Passage
A Sighting of filterA in Typelevel Rite of Passage
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 
Lecture 1 Introduction to games development

How secure are your Terraform sensitive values?

  • 2. HOW SECURE ARE YOUR TERRAFORM SENSITIVE VALUES?_
    Marko Bevc
  • 3. SECURE ENOUGH?_
    “Security through obscurity should never be the only security mechanism!”
  • 4. ABOUT ME_
    ● Senior Consultant at The Scale Factory (DevOps consultancy, AWS advanced consulting partner and K8s service provider)
    ● Ops background: Senior IT infrastructure engineer and System Architect (extensive Linux and virtualization experience)
    ● Certifications and competencies: AWS, CKA, RHEL, HCTA
    ● Open source contributor and supporter
    ● Fan of automation/simplifying things, hiking, cycling and travelling
    @_MarkoB
    https://www.linkedin.com/in/marko-bevc/
  • 5. TOPICS COVERED_
    ● Terraform workflows (security aspect and exposure, attack vector and risks)
    ● Sensitive values leaks & prevention
    ● Demo and code examples
    ● Conclusions and takeaways
  • 7. WORKFLOWS EXPOSURE_
    • Workflow types:
      – CLI (OSS binary) and wrappers (TerraGrunt)
      – Automated pipeline runs (Atlantis, GitHub Actions, CircleCI)
      – Managed SaaS offering (TFC)
    • Results in a shift of exposure points:
      – code and repository
      – state/lock
      – execution environment and sensitive values
      – security perimeter & responsibility!
  • 8. SECRETS IN CODE_ #1
    • Most “obvious” pitfall to avoid
    • Hard-coded secrets / sensitive values in code
    • Terraform repository scanning, code reviews and good team security awareness/culture
    • Remediation:
      – Dynamically inject from the environment
      – Store externally in a sealed environment (Vault/HCP, AWS SecretsManager/SSM, Google, etc.) with encryption at rest + in transit
      – Randomization to reduce risk points (human factor*)
    • Is this enough?
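The repository scanning the slide recommends is normally done with tools such as tfsec or checkov; the following is an added example (not code from the talk) that implements the core of such a check in plain Python so the logic is visible: it flags quoted literals assigned to sensitive-looking attributes, literal defaults on sensitive-looking variables, and the documented AWS access key ID shape. The .tf snippets, the attribute keyword list and the function names are constructed for this example; the key ID is the one AWS uses in its own documentation, not a live credential.

```python
"""Minimal hard-coded secret scanner for Terraform (.tf) source text.

Added example; not part of the talk or of any scanning tool.  It demonstrates
the 'repository scanning' remediation from the SECRETS IN CODE slide.
"""
import re
from dataclasses import dataclass

# Substrings that mark an attribute or variable name as sensitive.  Constructed
# keyword list for this example; real scanners ship much longer rule sets.
SENSITIVE_KEYWORDS = ("pass", "secret", "token", "private_key", "access_key", "secret_key")

# attr = "quoted literal"
LITERAL_ASSIGN = re.compile(r'^\s*(?P<attr>[a-z_]+)\s*=\s*"(?P<value>[^"]*)"')
# variable "name" {
VARIABLE_BLOCK = re.compile(r'^\s*variable\s+"(?P<name>[^"]+)"\s*\{')
# AWS access key ID shape (publicly documented: AKIA followed by 16 chars).
AWS_KEY_ID = re.compile(r'\bAKIA[0-9A-Z]{16}\b')


@dataclass(frozen=True)
class Finding:
    line: int
    attr: str
    reason: str


def _looks_sensitive(name: str) -> bool:
    name = name.lower().replace("-", "_")
    return any(k in name for k in SENSITIVE_KEYWORDS)


def scan_tf(source: str) -> list[Finding]:
    """Return one Finding per suspicious line.  A reference such as
    `password = var.db_pass` is not flagged: only quoted literals are."""
    findings: list[Finding] = []
    current_var = None  # name of the variable block we are inside, if any
    for lineno, line in enumerate(source.splitlines(), 1):
        block = VARIABLE_BLOCK.match(line)
        if block:
            current_var = block.group("name")
        elif line.strip() == "}":
            current_var = None

        m = LITERAL_ASSIGN.match(line)
        if m:
            attr, value = m.group("attr"), m.group("value")
            if value and _looks_sensitive(attr):
                findings.append(Finding(lineno, attr, "literal value for sensitive attribute"))
            # `default = "..."` on a sensitive variable is the same mistake in disguise.
            elif value and attr == "default" and current_var and _looks_sensitive(current_var):
                findings.append(Finding(lineno, f"variable.{current_var}.default",
                                        "literal default for sensitive variable"))
        if AWS_KEY_ID.search(line):
            findings.append(Finding(lineno, "-", "AWS access key ID pattern"))
    return findings


# Constructed samples.  The key ID below is AWS's documentation example value.
BAD_TF = """\
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
}

resource "aws_db_instance" "db" {
  username = "username"
  password = "hunter2-not-a-real-secret"
}
"""

VAR_DEFAULT_TF = """\
variable "db_pass" {
  type      = string
  sensitive = true
  default   = "changeme-not-a-real-secret"
}
"""

GOOD_TF = """\
variable "db_pass" {
  type      = string
  sensitive = true
  default   = null
}

resource "aws_db_instance" "db" {
  username = "username"
  password = var.db_pass
}
"""

if __name__ == "__main__":
    for label, src in (("bad", BAD_TF), ("var-default", VAR_DEFAULT_TF), ("good", GOOD_TF)):
        print(label, scan_tf(src))
```

Running the module prints three findings for the first snippet (the literal access key, its key ID shape and the literal password), one for the variable default, and none for the snippet that injects the value through `var.db_pass`, which is the shape the talk's example.tf uses.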
  • 9. KEEPING STATE SECURE_ #2
    ● More interesting and most important security aspect
    ● Even if using external secrets (injected or a secure solution), Terraform needs to keep state current in order to detect changes
    ● Solution: ensure state is safe (encryption at rest/in transit and access control)
    ● Native encryption in the state is hard - deprecated!
  • 10. OUTPUT AND AUDIT TRAIL_ #3
    • Usually forgotten
    • Logging and backups can also reveal sensitive information
    • Terraform 0.14+ has a concept of ‘sensitive’ values (variables, providers), but it does not encrypt or obscure them in the state!
    • Responsibility might differ between workflows
    • Keeping clean logs and trails is a good practice (also for personal information)
    • Also don’t forget about log encryption and access control
  • 11. example.tf

    variable "db-pass" {
      type        = string
      description = "Default DB password"
      default     = null
      sensitive   = true
    }

    resource "aws_db_instance" "db" {
      allocated_storage           = 10
      allow_major_version_upgrade = true
      apply_immediately           = true
      storage_type                = "gp2"
      engine                      = "mariadb"
      engine_version              = "10.5"
      instance_class              = "db.t2.micro"
      name                        = "mydb"
      username                    = "username"
      password                    = var.db-pass
      skip_final_snapshot         = true
    }
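Slides 9 to 11 make one point: `sensitive = true` redacts the value in plan and apply output, but the state file still holds it in plaintext, which is why state storage, backups and logs need their own protection. The following added example (not from the talk) parses a state document and lists every value the state itself marks as sensitive, then produces a redacted copy suitable for logs or audit trails. The state is constructed for this example: it mirrors the `aws_db_instance.db` resource from example.tf and follows the v4 state layout Terraform 0.14+ writes (`sensitive_attributes` paths per instance, `sensitive` flag per output); the function names and the placeholder password are assumptions of this example.

```python
"""Show that Terraform state stores 'sensitive' values in plaintext, and
produce a redacted copy for logging.  Added example; not part of the talk."""
import json

# Constructed state, modelled on the v4 state file format.  The password is a
# placeholder, not a real credential.
SAMPLE_STATE_JSON = json.dumps({
    "version": 4,
    "terraform_version": "0.14.5",
    "serial": 3,
    "lineage": "constructed-example-lineage",
    "outputs": {
        "db_password": {"value": "s3cr3t-example-not-real", "type": "string", "sensitive": True}
    },
    "resources": [{
        "mode": "managed",
        "type": "aws_db_instance",
        "name": "db",
        "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
        "instances": [{
            "schema_version": 1,
            "attributes": {
                "engine": "mariadb",
                "instance_class": "db.t2.micro",
                "name": "mydb",
                "username": "username",
                "password": "s3cr3t-example-not-real",
            },
            # Terraform records *which* attributes are sensitive, not a ciphertext.
            "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
        }],
    }],
})

REDACTED = "(sensitive)"


def _walk(container, steps, replacement=None):
    """Follow a sensitive_attributes path (get_attr / index steps) into
    `container`.  Returns the value found; if `replacement` is given the
    value is overwritten in place."""
    parent, key, cur = None, None, container
    for step in steps:
        key = step["value"]        # attribute name or list/map index
        parent, cur = cur, cur[key]
    if replacement is not None and parent is not None:
        parent[key] = replacement
    return cur


def find_plaintext_sensitive(state_json: str) -> list[tuple[str, str, str]]:
    """Return (address, attribute, plaintext value) for every string the
    state marks as sensitive.  Non-empty results prove the state leaks."""
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for path in inst.get("sensitive_attributes", []):
                value = _walk(inst["attributes"], path)
                attr = ".".join(str(s["value"]) for s in path)
                if isinstance(value, str) and value:
                    hits.append((address, attr, value))
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and isinstance(out.get("value"), str):
            hits.append((f"output.{name}", "value", out["value"]))
    return hits


def redact_state(state_json: str) -> str:
    """Return a copy of the state with every sensitive value replaced, so a
    state excerpt can be written to a log or ticket without leaking."""
    state = json.loads(state_json)
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            for path in inst.get("sensitive_attributes", []):
                _walk(inst["attributes"], path, REDACTED)
    for out in state.get("outputs", {}).values():
        if out.get("sensitive"):
            out["value"] = REDACTED
    return json.dumps(state, indent=2)


if __name__ == "__main__":
    for address, attr, value in find_plaintext_sensitive(SAMPLE_STATE_JSON):
        print(f"{address}.{attr} is stored in plaintext: {value}")
    print(redact_state(SAMPLE_STATE_JSON))
```

Run against a real `terraform.tfstate` (for example one pulled from the backend with `terraform state pull`) the first function gives a quick inventory of what an attacker with read access to the state bucket would obtain; the redaction function is the kind of filter to apply before any state content reaches a pipeline log or backup that is less protected than the state store itself.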
  • 13. CONCLUSIONS & TAKEAWAYS_
    ● Security is hard!
    ● Protect your crown jewels:
      – repository code
      – state
      – output/logs
    ● Use multiple layers of security, scan code and practise defence in depth (tfsec, checkov, AWS Config, Cloud Custodian, Prowler)
    ● Familiarise people with responsibilities and procedure - not just a technical problem
    ● Avoid weak links in the IaC security chain
  • 14. FURTHER READING_
    ● Resources:
      – https://www.scalefactory.com/blog/2020/12/02/are-we-there-yet-terraform-0.14/
      – https://www.terraform.io/docs/extend/best-practices/sensitive-state.html
      – https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1
      – https://geekflare.com/aws-vulnerability-scanner/
      – https://thorsten-hans.com/six-golden-rules-of-infrastructure-as-code-iac
      – https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
      – https://www.terraform.io/cloud
      – https://www.vaultproject.io/
      – https://www.hashicorp.com/cloud-platform