Infrastructure-as-code security issues could put cloud platforms everywhere at risk
Hackers can attack tools helping manage cloud infrastructure and policies
TechRadar News, by Sead Fadilpašić, published 27 November 2024
- Security researchers discussed vulnerabilities in Infrastructure-as-code (IaC)
- There are a number of different ways crooks could abuse the systems
- Issues also share defense mechanisms and workarounds
Security issues with infrastructure-as-code (IaC) and policy-as-code (PaC) specialized tools could put entire platforms, everywhere, at risk, experts have warned.
A report from cybersecurity researchers at Tenable has revealed how certain tools used to help manage cloud infrastructure and policies, such as Terraform and Open Policy Agent (OPA), could be hijacked and put to malicious use.
These tools use simplified coding languages which should make them safer than regular programming languages, but they’re still not without their flaws.
How to defend
“Since these are hardened languages with limited capabilities, they’re supposed to be more secure than standard programming languages – and indeed they are. However, more secure does not mean bulletproof,” the researchers said.
Discussing OPA, Tenable explained that it is a product that allows organizations to enforce rules, or policies, for managing cloud resources. It uses a language called Rego for these rules. Should a threat actor steal an access key, they would be able to add a fake Rego policy, approving malicious activity such as stealing sensitive data.
Terraform, on the other hand, helps companies define and manage cloud setups through code. Because it executes code as part of its workflows, an attacker who can modify the configuration could inject malicious code that the tool then runs before anyone notices. In theory, crooks could add a fake “data source” that results in malicious activity.
To protect against these attacks, the researchers suggest teams use role-based access control (RBAC) to give people the minimum permissions they need, log actions at both the application and cloud level so suspicious behavior is easier to detect, and restrict the data and networks that applications and machines can reach.
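A practical complement to the RBAC and logging advice above is a review gate that flags the constructs which let a policy or configuration file reach out to the network or run a program during a workflow, so a human looks at them before they are merged. The script below is an added example written for this article, not code from Tenable's report or from the OPA or Terraform projects. It assumes the Rego builtins `http.send` and `opa.runtime` and the Terraform `external` data source and `local-exec`/`remote-exec` provisioners, which are real features; the rule list itself is a starting point, not Tenable's list, and the sample files are constructed.

```python
"""Pre-merge linter for policy-as-code (Rego) and infrastructure-as-code (Terraform).

Flags constructs that deserve human review because they let a config file
reach the network or execute a program while the tool is running.
Added example, not from the article or the projects it mentions.
"""
import re

# Constructed sample: a Rego policy that phones home before granting access.
REGO_SAMPLE = """package authz

default allow = false

allow {
    input.user == "deploy-bot"
    resp := http.send({"method": "GET", "url": "https://example.invalid/ok"})
    resp.status_code == 200
}
"""

# Constructed sample: a benign policy that only inspects its input.
REGO_CLEAN = """package authz

default allow = false

allow {
    input.user == "deploy-bot"
    input.action == "read"
}
"""

# Constructed sample: Terraform with an external data source that runs a program.
TF_SAMPLE = """data "external" "build_info" {
  program = ["sh", "-c", "echo hello"]
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
"""

# Rules are (compiled pattern, reason). Assumption: these names are the real
# Rego builtins / Terraform blocks; extend the list for your own environment.
RULES = {
    "rego": [
        (re.compile(r"\bhttp\.send\s*\("), "policy makes outbound HTTP request"),
        (re.compile(r"\bopa\.runtime\s*\("), "policy reads OPA runtime environment"),
    ],
    "terraform": [
        (re.compile(r'^\s*data\s+"external"\s+"', re.M),
         "external data source runs a local program during plan"),
        (re.compile(r'^\s*provisioner\s+"(local|remote)-exec"', re.M),
         "provisioner runs shell commands during apply"),
    ],
}


def scan(text, kind):
    """Return a list of (line_number, reason) for every flagged construct."""
    findings = []
    for pattern, why in RULES[kind]:
        for match in pattern.finditer(text):
            # Count newlines before the match to get a 1-based line number.
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, why))
    return sorted(findings)


def review_required(text, kind):
    """True if the file should block auto-merge and wait for a human reviewer."""
    return bool(scan(text, kind))


if __name__ == "__main__":
    for name, text, kind in [("policy.rego", REGO_SAMPLE, "rego"),
                             ("clean.rego", REGO_CLEAN, "rego"),
                             ("main.tf", TF_SAMPLE, "terraform")]:
        for line, why in scan(text, kind):
            print(f"{name}:{line}: {why}")
```

Run in CI against every changed `.rego` and `.tf` file; a non-empty result should block auto-merge rather than fail outright, since some of these constructs are legitimate. Pair the gate with the application- and cloud-level logging the researchers recommend, so a policy or data source that slips through still leaves a trail.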