Over the past several years I’ve read numerous horror stories about cloud deployments gone wrong: S3 buckets with PCI data left open to the raw Internet, EC2 instance profiles that weren’t scoped properly (so every process on the box inherits more IAM permissions than it needs), misconfigured NSGs, etc. It takes a LOT of time to truly understand all the ins and outs of running workloads in the cloud and making sure you get it “right”. This is one reason I’m always on the lookout for tools that can add additional guardrails to the infrastructure provisioning process.
One super cool tool I came across 6 months ago is terrascan. This awesome piece of software can help you find security and policy violations in your IaC repos, and help ensure that the most common problems are corrected before they become actual problems.
Using terrascan is a breeze. You can run the terrascan binary with the scan option, and point it to the directory to scan with the “--iac-dir” option:
$ terrascan scan --iac-dir environment/testing/services/vault
Violation Details -
Description : Ensure that detailed monitoring is enabled for EC2 instances.
File : ../../../../terraform/modules/aws/ec2-instance/main.tf
Module Name : ec2_instances
Plan Root : ./
Line : 1
Severity : HIGH
-----------------------------------------------------------------------
Description : EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain
File : ../../../../terraform/modules/aws/ec2-instance/main.tf
Module Name : ec2_instances
Plan Root : ./
Line : 1
Severity : MEDIUM
-----------------------------------------------------------------------
Scan Summary -
File/Folder : ./environments/testing/services/vault
IaC Type : terraform
Scanned At : 2022-05-08 18:52:07.496177557 +0000 UTC
Policies Validated : 5
Violated Policies : 2
Low : 0
Medium : 1
High : 1
The output will contain a list of violations, each tagged with a severity of HIGH, MEDIUM or LOW, followed by a summary of how many policies were validated and how many were violated. Each violation is documented on the terrascan website, which also contains links to reference material. Terrascan policies are written in Rego, so you can easily extend the base functionality with custom policies. It also integrates easily with CI, so you get an extra set of eyes for free! One caveat: a clean scan only means none of the loaded policies fired, not that the deployment is secure, so treat it as a floor rather than a sign-off.
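To show what the CI integration looks like in practice, here is an added example (my own code, not part of terrascan or of the original post) that runs the same scan with JSON output and fails the pipeline step when any finding meets a chosen severity floor. The JSON layout it reads (`results.violations[]` with `severity`, `file`, `line`, `description`, plus `results.scan_summary`) is my understanding of terrascan’s `-o json` format and should be checked against your installed version; the embedded sample report is constructed to mirror the two findings in the text output above, and its `rule_name` values are placeholders.

```python
"""CI gate for terrascan JSON output (added example, not terrascan's own code).

Usage:
  python gate.py                      # runs against the constructed sample report
  python gate.py path/to/report.json  # reads a saved `terrascan scan -o json` report
  python gate.py environment/testing/services/vault [FLOOR]  # runs terrascan itself
FLOOR is LOW, MEDIUM or HIGH (default HIGH); exit status 1 when the gate fails.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample mirroring the two findings shown in the post's text output.
# rule_name values are placeholders, not terrascan's real policy names.
SAMPLE_REPORT = {
    "results": {
        "violations": [
            {
                "rule_name": "placeholderDetailedMonitoring",
                "description": "Ensure that detailed monitoring is enabled for EC2 instances.",
                "severity": "HIGH",
                "resource_type": "aws_instance",
                "file": "../../../../terraform/modules/aws/ec2-instance/main.tf",
                "line": 1,
            },
            {
                "rule_name": "placeholderRequireImdsv2",
                "description": "EC2 instances should disable IMDS or require IMDSv2",
                "severity": "MEDIUM",
                "resource_type": "aws_instance",
                "file": "../../../../terraform/modules/aws/ec2-instance/main.tf",
                "line": 1,
            },
        ],
        "scan_summary": {
            "policies_validated": 5,
            "violated_policies": 2,
            "low": 0,
            "medium": 1,
            "high": 1,
        },
    }
}


def violations_at_or_above(report, floor):
    """Return the violations whose severity is >= floor (case-insensitive)."""
    floor_rank = SEVERITY_RANK[floor.upper()]
    # A clean scan may serialise the list as null rather than [], hence `or []`.
    violations = report.get("results", {}).get("violations") or []
    return [
        v for v in violations
        if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 0) >= floor_rank
    ]


def gate(report, fail_on="HIGH"):
    """Print every finding at or above the floor; return True only if there are none."""
    hits = violations_at_or_above(report, fail_on)
    for v in hits:
        print(f"{v.get('severity', '?'):<7} {v.get('file')}:{v.get('line')}  {v.get('description')}")
    return len(hits) == 0


def run_terrascan(iac_dir):
    """Invoke terrascan with JSON output and parse the report.

    terrascan exits non-zero when it finds violations, so check=True would
    raise before we ever read the report; we read stdout regardless.
    """
    proc = subprocess.run(
        ["terrascan", "scan", "--iac-dir", iac_dir, "-o", "json"],
        capture_output=True, text=True,
    )
    if not proc.stdout.strip():
        raise RuntimeError(f"terrascan produced no report: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def main(argv):
    target = argv[1] if len(argv) > 1 else None
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    if target is None:
        report = SAMPLE_REPORT
    elif target.endswith(".json"):
        with open(target, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = run_terrascan(target)
    ok = gate(report, fail_on)
    summary = report.get("results", {}).get("scan_summary", {})
    print(f"policies validated: {summary.get('policies_validated')}, "
          f"violated: {summary.get('violated_policies')}, gate {'passed' if ok else 'FAILED'}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample report the gate fails at the HIGH floor (one finding) and would also surface the IMDSv2 finding at MEDIUM. The two findings themselves are fixed on the `aws_instance` resource with `monitoring = true` and a `metadata_options` block setting `http_tokens = "required"`; requiring IMDSv2 is the one worth prioritising, since v1’s unauthenticated metadata endpoint is what turns an SSRF in the instance into stolen role credentials.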