Security in IaC
Dear Friend,
IaC lets us provision infrastructure quickly and repeatably. But when infrastructure is written as code, a security misconfiguration is written into it just as quickly, and every deployment from that code repeats it.
So, what can we do?
We can use a static analysis tool such as Checkov to scan the code against known misconfigurations before it is ever applied, so there are no surprises at deploy time.
How to get started with Checkov?
Once Checkov is installed, you can scan your code against the pre-built policies it ships with, and you can also write your own custom policies for rules specific to your organisation.
Let's look at an example that uses the built-in policies.
The main.tf illustrated below defines a new VPC.
After saving the Terraform file, the Checkov editor extension scanned the code and reported the findings shown below.
I then fixed the medium-severity finding by enabling VPC flow logging, and I suppressed the low-severity finding. A suppression should always carry a written reason so it can be revisited later: it removes the finding from the report, not the risk from the infrastructure.
The illustration below is from after the fix; Checkov no longer reports any policy error.
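The listings in the original post are images, so here is an added, stand-alone example of what the fixed main.tf looks like; it is not the author's file. The flow log is sent to a CloudWatch log group through an IAM role that VPC Flow Logs is allowed to assume, which is what the VPC flow logging check expects to find attached to the VPC. The post does not name the check IDs it hit; the IDs in the comments are my assumption of the current Checkov IDs for "VPC flow logging enabled" (CKV2_AWS_11) and "default security group restricts all traffic" (CKV2_AWS_12), so confirm them against the output of `checkov --list` before relying on them. Resource names, the CIDR block, the retention period and the suppression reason are all placeholders I chose for the example.

```hcl
# Added example: a VPC that passes the flow-logging check, with an inline
# suppression for a second finding. Names and values are illustrative.

resource "aws_vpc" "main" {
  # Inline suppression syntax: #checkov:skip=<CHECK_ID>:<reason>
  # The reason is mandatory in practice, even though Checkov does not require
  # it, so that whoever reads the report later knows why the risk was accepted.
  # CKV2_AWS_12 is assumed to be the "default security group" check.
  #checkov:skip=CKV2_AWS_12:Default SG is locked down by a separate module (assumed reason)
  cidr_block = "10.0.0.0/16"

  tags = {
    Name = "example-vpc"
  }
}

# Destination for the flow logs. Note that this resource brings its own
# Checkov checks (log retention, KMS encryption), so re-scan after the fix
# rather than assuming the file is now clean.
resource "aws_cloudwatch_log_group" "vpc_flow" {
  name              = "/aws/vpc/flow-logs/example-vpc"
  retention_in_days = 365
}

# Trust policy: only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vpc_flow" {
  name               = "example-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: the role may only write to this one log group.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]
    resources = [
      aws_cloudwatch_log_group.vpc_flow.arn,
      "${aws_cloudwatch_log_group.vpc_flow.arn}:*",
    ]
  }
}

resource "aws_iam_role_policy" "vpc_flow" {
  name   = "example-vpc-flow-logs-write"
  role   = aws_iam_role.vpc_flow.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

# The fix for the medium finding (assumed ID CKV2_AWS_11): a flow log that
# references the VPC. "ALL" captures accepted and rejected traffic, which is
# what you want for incident investigation.
resource "aws_flow_log" "main" {
  vpc_id               = aws_vpc.main.id
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.vpc_flow.arn
  iam_role_arn         = aws_iam_role.vpc_flow.arn
}
```

To check the file from the command line rather than the editor, run `checkov -d . --framework terraform` in the directory containing main.tf; the same command works unchanged in a CI job, which is where the scan should ultimately live so that a developer without the editor extension cannot merge a misconfiguration.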
What's Next?
Experiment with Checkov at your end and share your comments.
You can integrate Checkov with CI tools such as GitLab CI and GitHub Actions (the linked page has samples).
Cloud Architect x DevOps Engineer x 3 * AWS Certifications x Full Stack Developer
2 years ago: Thank you. Those tools only help you with errors and improvements in the IaC script, but in your environment you should consider your cloud provider's best practices and native services to help you secure your infrastructure.