Cloud Security Term: Infrastructure as Code (IaC)

Within the last 15 years, cloud computing has become a must-have for almost every company developing or using software. As an increasing number of organizations rely on cloud services or even start shifting to go full cloud-native, cloud security has become a hot topic in the security community. Due to the recent advance of cloud security, the different cloud security terms are not used consistently, leaving their meaning unclear.

Our article series on cloud security will walk you through the most common cloud security terms.

What is IaC?

Infrastructure as Code is a technique to automate the definition, provisioning, and management of your cloud infrastructure (e.g., network components, servers, virtual machines (VM), containers, load balancers) through textual code using the principles of traditional software development.

As explained by Kief Morris in the book Infrastructure as Code, 2nd Edition:

Infrastructure as Code is an approach to infrastructure automation based on practices from software development. It emphasizes consistent, repeatable routines for provisioning and changing systems and their configuration.

What problems does IaC solve?

Before automated IaC tools became popular, admins managed the entire infrastructure manually by installing and configuring each system individually. This manual process led to a set of different problems:

1. It was difficult to maintain and re-deploy the infrastructure without the responsible team members.
2. It was almost impossible to track all changes made manually when troubleshooting issues.
3. As the setup process was done manually, test suits to validate changes before deployment were rare.
4. The entire process to set up and maintain the infrastructure was documented in handbooks, making onboarding new team members time-consuming.

What are the benefits of IaC?

IaC helps organizations to solve these problems by “programming” the steps to provision and maintain the infrastructure in the form of templates and executable scripts. These templates and scripts are treated the same way as source code and put in version control systems like git, leading to the following benefits:

1. Version controlling: Changes in the infrastructure can be easily tracked, reverted, archived, reviewed as pull requests and commits.
2. Reproducibility: The same infrastructure can be re-produced easily by executing the IaC templates and scripts, avoiding inconsistency issues caused by manual setups.
3. Documentation: IaC templates are self-documenting, omitting the need to write and update handbooks.

IaC Tools

There are several tools in the market that help provision, replicate, and manage complex infrastructures, speeding up DevOps exponentially. Popular IaC tools are

• AWS CloudFormation: AWS CloudFormation is a tool exclusively for the AWS cloud for creating, provisioning, and managing AWS cloud resources in JSON or YAML files.
• Terraform is an open-source tool that supports multiple cloud providers. A special feature are terraform plans. Terraform plans allow comparing the current state of an infrastructure to the desired state and automatically computes the required update steps.
• Ansible provides support for provisioning, configuration, deployment, orchestrating multiple complex systems. IaC templates are written in so-called Ansible playbooks.
• Chef is an orchestration tool that provides a Domain Specific Language (DSL) based on Ruby programming language. IaC templates are written in so-called recipes (resource definitions and assignments) and cookbooks (defined with recipes, templates, resources, files).

Best Practices

1. Source control your IaC: Treat IaC similar to application code and put everything under source control.
2. IaC integrate into your CI/CD pipeline: Continuously test and deploy IaC templates as part of your CI/CD pipelines.
3. Separating IaC and application code: Separate IaC and application code such that both can evolve independently.
4. Immutable IaC: Any changes made to IaC templates should be deployed directly to avoid drift between the IaC templates and the deployed infrastructure. Also, manual changes to the infrastructure should be avoided if possible.

Security Considerations

Dangerous network configurations or erroneous permissions in cloud resources may expose critical assets to attackers. Security teams must continuously check IaC templates for security issues without this becoming a hurdle to the pace of DevOps teams. Typical security issues to be checked are:

1. Over-Permissioned Cloud Resources and Code: Cloud resources and code should only have the permissions they need to perform their tasks. Over-Permissioned cloud resources can be abused by attackers to escalate permissions.
2. Storing sensitive information in IaC: Sensitive information like authorization tokens, SSH keys, and passwords should not be hard-coded in IaC templates and environment variables. Instead, they should be stored in a secret vault, e.g., AWS Key Management Service.
3. IaC Misconfigurations: Common misconfigurations like public accessible storage, public SSH port 22, public RDP port 3389, or disabled logging that lead to insecure deployments and worst case to data breaches.

Final Thoughts

Infrastructure as Code makes infrastructure configuration and provision flexible and self-explanatory by treating the infrastructure the same way as source code. This enables faster, frequent deployments with secure, error-free processes.