April 16, 2020
Security risks using IaC templates: Real-world scenarios
By: Matt Chiodi

In their most recent Cloud Threat Report, Palo Alto Networks’ Unit 42 global threat intelligence researchers completed an industry-first study of infrastructure as code (IaC) templates. While the name implies something deeply technical (the topic certainly can be), these templates are simply a new way of creating cloud infrastructure through code. They are building blocks for creating compute, storage, networking, security policy or just about anything in a cloud environment.

DevOps teams have rapidly adopted these templates as a way to automate the building of cloud infrastructure as well as increase the pace of feature delivery. However, there is a catch. Unit 42 researchers found over 200,000 insecure templates in use. The implications for businesses using IaC are profound. The researchers found that “while IaC offers security teams a predictable way to enforce security standards, this powerful capability remains largely unharnessed.”

What the Cloud Threat Report says

  • 42 percent of CloudFormation templates (CFT) contain at least one insecure configuration.
  • 48 percent of AWS S3 buckets do not have server-side encryption enabled.
  • 55 percent of cloud user-configured S3 buckets do not have logging enabled.

Let’s look at what possible scenarios could play out if DevOps and security teams fail to scan IaC templates for security issues prior to deployment.

Real world scenario #1: Millions of patient records exposed

DevOps teams are constantly looking for an edge that will allow them to complete their sprints on time, with the least amount of friction from security and other teams. In order to accomplish this, Jim, a member of the DevOps team in a healthcare technology company, finds a CFT on GitHub. This CFT enables rapid creation of a three-tier web application. With this massive time saver in hand, Jim only needs to make small customizations to make it work in their AWS environment. With only 28 days left to deliver the application to the customer, the CFT is reused across development, staging and production environments.

Unknown to Jim and to the security team, the template has several fatal flaws. The first is that it was written to intentionally allow public access to a development S3 bucket but was never modified for production. On top of this exposure, the template also leaves server-side encryption and storage access logging disabled. The security team runs a legacy vulnerability scanner against the app in staging, but a scanner that probes the running application does not detect these cloud-native configuration issues; they are visible only in the template itself or in the resulting cloud configuration. The company is later found to have exposed 10 million patient records, resulting in millions of dollars in fines as well as brand damage and the loss of several key contracts.
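To make the three defects concrete, here is an added example, not code from this post, from Unit 42 or from Accenture, that checks a CloudFormation template for them before anything is deployed. Both templates are constructed for the example (the logical IDs and bucket names are invented), but the AWS::S3::Bucket property names are the real CloudFormation ones, and the hardened template shows the corrected settings beside the weak ones.

```python
"""Check a CloudFormation template for the three S3 bucket defects in the
scenario: a public bucket ACL, no server-side encryption and no access
logging. Added example; both templates below are constructed (bucket
names and logical IDs are invented), but the AWS::S3::Bucket property
names are the real CloudFormation ones."""
import json

# Canned ACLs that grant read (or write) to everyone or to any AWS account.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# All four must be true for S3 Block Public Access to fully protect a bucket.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")

# Constructed stand-in for the reused "development" template.
INSECURE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PatientRecords": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "patient-records-dev",
                "AccessControl": "PublicRead",
            },
        },
        # Not a bucket: the checker must skip it.
        "WebTier": {"Type": "AWS::EC2::Instance", "Properties": {}},
    },
})

# The same bucket with all three defects fixed.
HARDENED_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "PatientRecords": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "patient-records-prod",
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                ]},
                "LoggingConfiguration": {
                    "DestinationBucketName": "central-access-logs",
                    "LogFilePrefix": "patient-records/",
                },
            },
        },
    },
})


def scan_s3_buckets(template_json):
    """Return (logical_id, finding) pairs for every AWS::S3::Bucket."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties", {})
        if props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((logical_id, "public bucket ACL"))
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in PAB_KEYS):
            findings.append((logical_id, "Block Public Access not fully enabled"))
        if "BucketEncryption" not in props:
            findings.append((logical_id, "no server-side encryption configured"))
        if "LoggingConfiguration" not in props:
            findings.append((logical_id, "no access logging configured"))
    return findings


if __name__ == "__main__":
    for label, tmpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{label}: {scan_s3_buckets(tmpl) or 'no findings'}")
```

Because the check reads the template text rather than a running environment, it fits in a CI step that fails the build before the bucket exists, which is exactly where the staging scanner in the scenario was blind. Two caveats: the ACL check only catches the canned ACL names, so a bucket made public through a bucket policy needs a separate check of `AWS::S3::BucketPolicy` resources, and a YAML template must be loaded with a YAML parser that understands CloudFormation's intrinsic-function tags before being handed to the function.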

What the data says

  • 22 percent of all Terraform configuration files contained at least one insecure configuration.
  • 26 percent of cloud user-configured AWS EC2 instances have SSH (port 22) exposed to the Internet.
  • 17 percent of cloud user-configured AWS Security Groups allow ALL inbound traffic (0.0.0.0/0).

Real world scenario #2: Full administrative access

Sarah is cloud lead for a global manufacturing company that over the past two years has moved several applications to the cloud. Given the requirements of the various business units, they operate not in one cloud but three: Google Cloud, Azure and AWS. In order to standardize their IaC templates, they selected HashiCorp's Terraform because it supports all three platforms.

Under normal conditions, all remote access to the company's cloud environments is routed through the on-premises VPN infrastructure. However, when the coronavirus forces the entire global workforce to become remote workers overnight, the VPN infrastructure cannot scale. Sarah confers with her team and they decide to temporarily open SSH and RDP from the Internet to their cloud bastion hosts. Sarah accomplishes this quickly with a Terraform template she found on GitHub. With a single commit, the change is made globally.

Several months later, the finance department is alerted to an exponential spike in the monthly cloud bills. After further investigation, Sarah and her team make two discoveries. Although they scanned their SSH servers for vulnerabilities before making the change, a previously unknown (zero-day) vulnerability in the SSH service was disclosed afterwards, while the bastion hosts were still exposed. An attacker exploited it, installed cryptomining software and spun up massive amounts of compute, all at the company's expense. They also realize that although opening SSH and RDP to the entire Internet was meant to be temporary, nobody ever removed the access. Because the organization was not continuously monitoring all of its cloud environments and its CI/CD pipeline for active threats, it must now absorb a large financial loss. On top of the financial hit, it must also engage external incident response services to determine what else the attacker might have reached from the bastion hosts, which carried full administrative access to the environment.
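Both failures in this scenario, the administrative ports opened to the whole Internet and the exception that nobody removed, can be caught in the pipeline on every commit. The following is an added example, not Sarah's template and not HashiCorp or Accenture code. It reads Terraform's JSON configuration syntax (the `.tf.json` form of the same HCL) so that it runs with the Python standard library alone. The configuration, the resource names and the `expires_on` tag convention for temporary exceptions are constructed for the example; they are not part of Terraform or the AWS provider.

```python
"""Check Terraform security groups for administrative ports open to the
Internet and for temporary exceptions that have outlived their expiry.
Added example. It reads Terraform's JSON configuration syntax (the
.tf.json form of the same HCL) so that it needs only the standard
library. The configuration, resource names and the `expires_on` tag
convention are constructed for the example; they are not part of
Terraform or the AWS provider."""
import json
from datetime import date

# CIDRs that mean "the whole Internet" for IPv4 and IPv6.
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed stand-in for the emergency bastion change.
BASTION_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "bastion": {
                "name": "bastion-emergency-remote",
                "tags": {"expires_on": "2020-04-30"},  # assumed convention
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 3389, "to_port": 3389, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    # Restricted to a corporate range: must not be flagged.
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["203.0.113.0/24"]},
                ],
            },
            "wide_open": {
                "name": "allow-all",
                # protocol -1 with ports 0-0 is the AWS provider's "all traffic".
                "ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                             "cidr_blocks": ["0.0.0.0/0"]}],
            },
        }
    }
})


def scan_security_groups(tf_json, today):
    """Return (resource_name, finding) pairs; `today` is an ISO date string."""
    today = date.fromisoformat(today)
    config = json.loads(tf_json)
    findings = []
    groups = config.get("resource", {}).get("aws_security_group", {})
    for name, sg in groups.items():
        ingress = sg.get("ingress", [])
        if isinstance(ingress, dict):  # a single block may appear as an object
            ingress = [ingress]
        for rule in ingress:
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if not cidrs & ANYWHERE:
                continue
            if str(rule.get("protocol")) == "-1":
                findings.append((name, "all traffic open to the Internet"))
                continue
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            for port, label in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((name, f"{label} (port {port}) open to the Internet"))
        # The forgotten-exception check: any group tagged as temporary whose
        # expiry date has passed fails the build even if the rule was approved.
        expires = sg.get("tags", {}).get("expires_on")
        if expires and date.fromisoformat(expires) < today:
            findings.append((name, f"temporary exception expired on {expires}"))
    return findings


if __name__ == "__main__":
    for finding in scan_security_groups(BASTION_TF_JSON, "2020-07-01"):
        print(*finding, sep=": ")
```

Run against the constructed configuration with a date in July, the checker reports the SSH and RDP rules, the expired exception on `bastion` and the allow-all rule on `wide_open`; in April it reports only the three open rules. Two caveats for real use: rules declared as separate `aws_security_group_rule` resources need the same logic applied to that resource type, and the world-open test here matches the two literal CIDRs, so a pair of /1 ranges that together cover the Internet would slip past it unless the check is widened to use `ipaddress` and a prefix-length threshold.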

Lower security risk with cloud-native security platforms

Both of the above scenarios highlight real-world ways DevOps teams are using IaC templates. When organizations don’t have a complete view across all of their cloud environments, including their development pipelines, simple misconfigurations often manifest themselves in unfortunate ways.

Organizations can avoid many of these issues by leveraging Cloud Native Security Platforms (CNSPs). CNSPs provide DevOps and Security teams a single platform they can both use to protect any resource in any cloud. Unlike the traditional security products DevOps teams often detest due to their lack of integration in CI/CD pipelines, CNSPs easily integrate with most development tools and have an open API around which developers can easily build.

Leading this space is Prisma Cloud from Palo Alto Networks. It is a comprehensive Cloud Native Security Platform with the industry’s broadest security and compliance coverage—for applications, data and the entire cloud native technology stack—throughout the development lifecycle across hybrid and multi-cloud environments.

For more, please read our recent Multi Cloud White Paper.

For an Accenture Cloud Security Diagnostic Review, please contact:

North America: Andrew Winkelmann (andrew.winkelmann@accenture.com)

Europe: Carlo Gebhardt (carlo.gebhardt@accenture.com)

Growth Markets: Andreas Kafka (andreas.kafka@accenture.com)

General Inquiries: Daniel Mellen (daniel.mellen@accenture.com)

Mark Rauchwarter (mark.n.rauchwarter@accenture.com)



Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates.

Copyright © 2020 Accenture. All rights reserved.
