Inside the Briefcase

Augmented Reality Analytics: Transforming Data Visualization

Augmented Reality Analytics: Transforming Data Visualization

Tweet Augmented reality is transforming how data is visualized... Membership! Membership!

Tweet Register as an member to unlock exclusive...

Women in Tech Boston

Women in Tech Boston

Hear from an industry analyst and a Fortinet customer...

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

In this interview, JumpCloud’s Antoine Jebara, co-founder and GM...

Tips And Tricks On Getting The Most Out of VPN Services

Tips And Tricks On Getting The Most Out of VPN Services

In the wake of restrictions in access to certain...

Improve IaC Security & Compliance: A Terrascan Guide

January 12, 2024 No Comments

by Jeff Broth

Terrascan is an open-source tool designed to examine Infrastructure-as-Code deployments for possible issues concerning security and compliance. While it shares a part of its name with the popular IaC tool Terraform, it is not related to it. Terraform is from HashiCorp while Terrascan is from Accurics, a tech company specializing in infrastructure automation software.

Focusing on security and compliance checks, Terrascan scans IaC code in different languages including Terraform, Dockerfile, Kubernetes, Kustomize, and Helm. Additionally, it is designed to integrate with several cloud-native technologies and orchestration tools like GCP, AWS, and Azure. Terrascan detects violations of security policies and compliance requirements to address risks before proceeding with infrastructure provisioning.

Security for IaC

This Terrascan guide presents important details on what Terrascan does, its features, and the benefits of using it. Terrascan is designed to scrutinize code for deviations from best practices as it detects more than 500 policies and evaluates them for security risks. The tool can run locally or be integrated into the continuous integration and continuous deployment pipeline for automated operation.

It is important to emphasize, though, that Terrascan does not replace the security solutions used to protect IaC. It is a specialized tool that serves as a component of the overall security strategy of IaC configuration and management. It is a supplement, not a supplanting mechanism. It operates in conjunction with other IaC tools to ascertain that infrastructure is built following best practices and applicable regulations.

To maximize the capabilities of Terrascan, consider the following pointers.

Embrace Policy-as-Code

Terrascan supports the implementation of Policy-as-Code (PaC), wherein security policies are set as part of the IaC scripts. This ensures the compulsory and consistent implementation of security measures across the infrastructure. Through declarative language, it becomes a straightforward process expressing policies including access controls, encryption requirements, and naming conventions.

To be clear, Terrascan itself is not directly involved in PaC implementation. It is more of a tool that helps in making sure that the resulting code is compliant with security policies and regulatory requirements. The security policies will be defined with Terraform or other IaC tools but Terrascan evaluates the resulting scripts to make sure that they translate to security benefits.

Conduct pre-deployment checks

Terrascan is an excellent tool for pre-deployment validation. It can detect security issues and deviations from compliance requirements in IaC scripts before changes are deployed to the infrastructure. Doing this ensures that most if not all of the errors or problems are caught and remedied before deployment happens, which significantly decreases the chances of misconfigurations and other issues.

Pre-deployment inspection with Terrascan checks for issues in authentication and authorization, the management of secrets, resource dependencies, and variables, as well as error handling. It can also examine naming conventions to ensure clarity and consistency. Additionally, it performs tests for compliance with predefined policies and the validation of configurations for every resource type in connection with a cloud provider’s documentation to make sure that parameters are valid and in line with requirements.

Use custom policies

Terrascan examines Terraform files by default. To specifically scan files in other languages, a flag (-i) will have to be appended to the command: -u k8s for Kubenetes, -i dockerfile for Dockerfile, etc. It also comes with predefined policies reflecting common security best practices. However, Terrascan provides the option for customization.

Users can generate custom policies to match specific requirements or scenarios that are unique to their respective organizations. This ensures that Terrascan has enough flexibility to be useful regardless of the standards and security strategies being enforced. Before creating custom policies, though, it is necessary to install the OPA binary.

Integrate into the CI/CD pipeline

Terrascan can integrate with tools used in continuous integration and continuous deployment. It can integrate with the Kubernetes Admission Controller, Argo CD, GitHub, and GitLab. The steps for integration vary depending on the tools used, but essentially, Terrascan has to be installed in the environment where the CI/CD pipeline runs, have the policies configured, and set up output and reporting.

For those that are using Terraform for infrastructure provisioning, it is advisable to integrate the Terrascan step (in Terraform Apply) before the application of changes. Doing this ensures code security and compliance as part of the process. It guarantees automatic scanning and continuous infrastructure monitoring.

Regularly update Terrascan definitions

Terrascan definitions must be regularly updated to ensure the accuracy and effectiveness of security and compliance inspections. The updates typically include the addition of new security checks to include the latest information on emerging threats and newly discovered vulnerabilities and configuration issues. Also, the updates reflect the support for new IaC constructs, which are inevitable as IaC tools evolve and gain new functions. Additionally, the updates bring the definitions in line with the introduction of bug fixes and changes in compliance standards.

Similar to the CI/CD pipeline integration, the methods for updating Terrascan definitions vary depending on the package manager or deployment method employed. It is important to consult the official release notes or documentation of Terrascan for the appropriate steps in implementing updates.

Enhance collaboration with Terrascan

Terrascan can unify security policies and compliance requirements since it can be applied to different configurations while carrying the same rules and standards. It acts as a common ground for decisions and discussions on how to go about security and compliance, allowing organizations to have a shared understanding and implementation of infrastructure security.

However, it is important to emphasize the need for Terrascan users to be adequately familiar with the different output formats of Terrascan. Users should know how to interpret and use the outputs of the tool, be it JSON, JUnit, or other formats, to ensure effective collaboration.

Regularly go over Terrascan reports

Terrascan produces various reports that provide useful insights regarding security and compliance. It is inexpedient to disregard these reports because they provide useful information to help identify trends, detect common issues, and determine areas that need to be improved. These reports serve as a convenient feedback loop that promotes security enhancements and improvements in security practices.

Moreover, aside from updating Terrascan definitions, it is also important to be up to date with the latest features, changes, and releases of Terrascan. It would be impossible to make optimum use of the tool without the knowledge of its changes and improvements.

Ensuring security and compliance

Terrascan is a useful tool in the security aspect of infrastructure-as-code management. However, as a tool, it does not address all issues with its default operation, let alone autonomously present to users its vital functions that may be underused or completely ignored. It is crucial to get sufficiently acquainted with the tool to take full advantage of all its features and have a meaningful impact on IaC security and compliance.

Terrascan can provide a major contribution to IaC security through pre-deployment inspections, CI/CD pipeline integration, and custom policies. It is important to maximize these functions with purposeful configuration and the habit of regularly updating Terrascan definitions and reviewing reports. Also, users should bear in mind the collaboration benefit of the tool as it serves as a tool for unifying security policies and compliance.

Sorry, the comment form is closed at this time.