
Infrastructure-as-code templates are the source of many cloud infrastructure weaknesses

by ethhack

In the age of cloud computing where infrastructure needs to be extended or deployed rapidly to meet ever-changing organizational needs, the configuration of new servers and nodes is completely automated. This is done using machine-readable definition files, or templates, as part of a process known as infrastructure as code (IaC) or continuous configuration automation (CCA).

A new analysis by researchers from Palo Alto Networks of IaC templates collected from GitHub repositories and other places identified almost 200,000 such files that contained insecure configuration options. Using those templates can lead to serious vulnerabilities that put IaC-deployed cloud infrastructure and the data it holds at risk.

“Just as when you forget to lock your car or leave a window open, an attacker can use these misconfigurations to weave around defenses,” the researchers said. “This high number explains why, in a previous report, we found that 65% of cloud incidents were due to customer misconfigurations. Without secure IaC templates from the start, cloud environments are ripe for attack.”

Widespread IaC problems

There are multiple IaC frameworks and technologies, the most common based on Palo Alto’s collection effort being Kubernetes YAML (39%), Terraform by HashiCorp (37%) and AWS CloudFormation (24%). Of these, 42% of identified CloudFormation templates, 22% of Terraform templates and 9% of Kubernetes YAML configuration files had a vulnerability.

Palo Alto’s analysis suggests that half the infrastructure deployments using AWS CloudFormation templates will have an insecure configuration. The report breaks this down further by type of impacted AWS service — Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (RDS), Amazon Simple Storage Service (Amazon S3) or Amazon Elastic Container Service (Amazon ECS).

For example, over 10% of S3 storage buckets defined in templates were publicly exposed. Improperly secured S3 buckets have been the source of many publicly reported data breaches in the past.
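As an added illustration (not code from the article or from Palo Alto Networks' report), the script below shows the kind of pre-deployment template check that catches the exposed-bucket pattern described above. It parses a CloudFormation template and flags every `AWS::S3::Bucket` resource that either uses a public canned ACL or does not fully enable `PublicAccessBlockConfiguration`. The template is a constructed sample in CloudFormation's JSON form (JSON is used so the example needs only the standard library; CloudFormation accepts both JSON and YAML). The resource names `PublicAssets`, `PrivateData` and `Unspecified` and the function `check_s3_buckets` are assumptions made for this example.

```python
import json
import sys

# Constructed sample template, not taken from the article or any real repository.
# "PublicAssets" carries the weak settings, "PrivateData" the corrected ones,
# and "Unspecified" relies on defaults.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PublicAssets": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "PrivateData": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "Unspecified": {"Type": "AWS::S3::Bucket"},
    },
})

# Canned ACLs that grant read or write to everyone, or (AuthenticatedRead) to
# any AWS account holder, which is treated as public exposure here.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}

# All four settings must be true for the bucket-level public access block
# to close the ACL and bucket-policy routes to exposure.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def check_s3_buckets(template_text):
    """Return {logical_id: [finding, ...]} for every S3 bucket with an
    exposure-related weakness. Buckets with no findings are omitted."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        issues = []

        # Omitting AccessControl means the bucket defaults to Private.
        acl = props.get("AccessControl", "Private")
        if acl in PUBLIC_ACLS:
            issues.append(f"public canned ACL '{acl}'")

        # Booleans are expected as JSON true/false (assumption of this example).
        pab = props.get("PublicAccessBlockConfiguration") or {}
        missing = [k for k in PAB_KEYS if pab.get(k) is not True]
        if missing:
            issues.append("PublicAccessBlockConfiguration not fully enabled: "
                          + ", ".join(missing))

        if issues:
            findings[logical_id] = issues
    return findings


def main(argv):
    # Scan a template file given on the command line, or the embedded sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TEMPLATE
    findings = check_s3_buckets(text)
    for logical_id, issues in findings.items():
        for issue in issues:
            print(f"{logical_id}: {issue}")
    # Non-zero exit lets a CI pipeline block the deployment.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with a template path as the first argument to scan a real file; a non-zero exit status makes the check usable as a gate in a CI pipeline so that a bucket with a public ACL never reaches deployment. Treating a missing `PublicAccessBlockConfiguration` as a finding is deliberate: a bucket that is private today can still be exposed later by a bucket policy, and the public access block is what prevents that.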

Copyright © 2020 IDG Communications, Inc.
