New IaC security workshop from Snyk, HashiCorp, and AWS at KubeCon Europe 2023 and on-demand

When the concept of DevSecOps comes up in conversation, it’s easy to assume that it’s mainly about proprietary application code and third-party components. But nowadays, code isn’t only used to create the applications themselves. Infrastructure as code (IaC) also uses code to spell out everything that houses development activities — the servers, storage, etc. that run behind the scenes. Rather than using physical servers and storage, teams store all infrastructure resource configurations within editable text files. IaC is a game-changer for development teams, as it prevents configuration drift and automates previously-manual processes that used to take up time and resources. 

But similar to other code-based projects, IaC can become a huge security risk. Today’s teams often value speed over security, meaning they could easily send misconfigured or overly-permissive IaC into the wild by accident. Fortunately, it’s entirely possible to create IaC that’s both secure and agile. It just takes the right combo of tools, processes, and culture. 

New workshop from Snyk, HashiCorp Terraform, and AWS 

To show how to implement IaC security with a specific suite of tools, experts from Snyk, HashiCorp, and Amazon Web Services (AWS) created a new workshop that demonstrates how a security tool, an infrastructure as code solution, and a cloud provider can come together to deliver a seamless experience for developers. 

For a guided walkthrough with experts from AWS, HashiCorp and Snyk are presenting this workshop at KubeCon Europe 2023 on Tuesday, April 18 from 14:30 — 16:30 CEST. Sign up for this free, co-located virtual event. And if you can't make it to KubeCon Europe, take the workshop on-demand.

Snyk and HashiCorp

HashiCorp empowers development teams to provision, secure, connect, and run applications that drive innovation. It offers a suite of multi-cloud infrastructure automation products, including Terraform Cloud — an automation solution that enables developers to provision, change, and version their resources in any environment.

With Snyk, HashiCorp users can better secure their IaC environments against growing cloud threats without slowing down the massive innovation offered by HashiCorp’s automation tools. 

Snyk and AWS 

AWS boasts nearly 1.5 million users and more than 200 fully-featured services. AWS CodeBuild, in particular, is frequently used by developers to automate IaC deployments. Snyk is an AWS Partner Network (APN) Advanced Technology Partner with AWS Competencies in DevOps and Security.

By using Snyk alongside their AWS pipeline, developers can easily integrate security into their existing workflows with an easy and familiar configuration. 

How to set up Snyk, HashiCorp, and AWS

The on-demand AWS workshop sets up these three solutions and to operate a seamless, end-to-end experience for IaC creation, deployment, and security. Explore the main parts of the workshop below: 

Configuration

First, users needed to install and configure the correct solutions for this integration. To follow along with this walkthrough, users need the following:

• An AWS account in a region that supports:

  • AWS CodeCommit

  • AWS CodeBuild

  • AWS CodePipeline

  • Amazon EC2

  • Amazon S3

• A Snyk account with a Team or higher plan

• Snyk Cloud configured and enabled to integrate with your AWS Account

• The following software installed onto your workstation:

  • The HashiCorp TerraformCLI 

  • The Snyk CLI 

  • The AWS CLI configured to operate on your desired region

• An AWS user role with the AWSCodeCommitPowerUser policy attached to the user

• A GitHub account for forking your edits and commits in a public repository

Snyk IaC 

After setting up their environment, the workshop shows how to use Snyk to discover and remediate an IaC misconfiguration. To create IaC with security issues, you can clone a repository with a misconfigured EC2 instance. Then, run Snyk IaC by typing a single command in the AWS CodeBuild repository. Within a few seconds, you will see three medium-level security issues and contextual information for each one. 

Next, learn how to remediate the IaC misconfigurations by following the tool’s built-in remediation guidance. Finally, sync these results with Snyk, so that the Snyk UI is up-to-date. 

Terraform HashiCorp

In this stage, the workshop includes a Terraform HashiCorp exercise using the same EC2 instance with those three medium-level issues. First, users are guided to integrate Terraform Cloud, AWS, and Snyk so they can interact with each other. Next, users will be able to look at an existing repository branch, exploring how Terraform appeared within their native CLI.

Then, users can Terraform Cloud and run a plan command to see upcoming changes and experience how to remediate those three medium-level issues with Snyk. 

Biggest takeaways from this workshop

Throughout this workshop, experts from AWS, Snyk, and HashiCorp demonstrate the power of working together. See how these use different but equally powerful tools can be used to build an automated pipeline for secure infrastructure as code. Each tool — AWS CodeBuild, Hashicorp Terraform, and Snyk IaC — make the IaC pipeline more automated, agile, and secure. Some of the biggest takeaways from this workshop:

• Terraform is an invaluable tool for deploying IaC. It only takes seconds to deploy AWS resources with Terraform. So clearly, automated IaC tooling is here to stay, as it beats out manual provisioning in speed and accuracy.

• IaC misconfigurations are common. But as powerful as IaC tooling is, it still doesn’t catch common security problems. In this workshop, Snyk IaC flags a few medium-level IaC vulnerabilities. These security issues show that the settings in an IaC environment are often insecure by default.

• Security tools need to fit within developers’ workflows. Risk discovery and remediation should take minimal time and effort. After all, development teams have lots of other tasks on their plates as it is. In this workshop, it only takes typing a single command line to set off a security scan. And this scan returns results within seconds. 

• Remediation guidance is an essential part of security tooling. Tools need to go beyond just reporting misconfigurations. They also need to provide step-by-step remediation instructions so developers can easily apply fixes, then get right back to coding.

If you’d like to learn more about automating and securing IaC with HashiCorp, Snyk, and AWS, check out this recent AWS Immersion Day. And you can follow along with our step-by-step text version of the workshop too!