How to Harden IaC Security with KICS
yayabobi
Posted on July 29, 2024
Imagine your entire infrastructure breaks down because of a tiny mistake in a configuration. That's the kind of risk businesses face with Infrastructure as Code. IaC makes it easy to set up and manage cloud resources but also brings significant security risks, mostly from misconfigurations.
98% of companies work with at least one vendor that suffered a data breach in the last two years. Even more worrying, in just the first three quarters of 2023, one in four people in the US had their health data leaked because of these breaches.
Using tools like KICS (Keeping Infrastructure as Code Secure) to check for security gaps isn't just a good idea to protect your infrastructure - it's crucial.
What is KICS?
KICS is an open-source tool that checks your code for security issues and compliance before you deploy it. This early check is essential for anyone who uses infrastructure as code and wants to ensure it is secure, such as DevOps teams, cloud engineers, or security experts.
KICS stands out due to its compatibility with various platforms, such as Terraform, Kubernetes, Docker, Pulumi, Helm, Ansible, and CloudFormation. Unlike tools like Checkov, which is primarily designed for Terraform and Kubernetes and might need fine-tuning for better performance, or Terraform Compliance, which is developed explicitly for Terraform, KICS is immediately operational across various platforms without the need for an additional setup.
The level of automation, speed, and accuracy that KICS offers are crucial to meeting strict regulatory standards and requirements. For example, NIST SP 800-53 regulations require organizations to implement over 300 security controls covering management policies, daily operations, and, most importantly, technical infrastructure.
Getting Started with KICS
Setting up KICS for scanning your IaC is straightforward, especially when using Docker for installation. Here's how to get started:
1. Install Docker
First, make sure Docker is installed in your system.
2. Pull the KICS Docker Image
docker pull checkmarx/kics:latest
3. Run KICS Scan
Use this command to scan your IaC files and adjust the directory path to where your files are stored:
docker run -t -v {path to host folder}:/path checkmarx/kics:latest scan -p /path -o /path/reports --report-formats html --output-name report
4. View the Results
Check the results in the /path/reports folder to see any security issues in your IaC setups.
Following these steps, you can quickly use KICS to ensure your cloud infrastructure is secure and compliant before deployment.
Top security concerns for Infrastructure as Code (IaC)
Imagine you're configuring an S3 bucket to store your infrastructure's state file and later realize it's completely open with no security measures. Common IaC gaps like insecure defaults are enough to allow unauthorized access and leave the door open for costly data breaches.
Loose access controls can give unauthorized users too many permissions, allowing them to access sensitive data or install malicious code to manipulate resources. Misconfigurations can leave your S3 bucket unprotected and open to the world, leading to data leaks, service disruptions, or crypto-jacking. Any of these issues are enough to get you in trouble with data protection regulations and jeopardize your business operations and reputation.
Hardcoded secrets like API keys are other common concerns to keep in mind with IaC. Regular testing, continuous monitoring, and proactive security measures are necessary to protect your infrastructure against evolving threats.
How to Use KICS to Harden Your IaC Security
Integrate KICS with Your CI/CD Pipelines
Add KICS to your CI/CD pipelines to scan your code automatically with every update. Here's an example of using GitHub Actions to run KICS on every push or pull request to the main branch:
name: KICS Security Check
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
security_checks:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Set up Docker
uses: docker/setup-buildx-action@v1
- name: Run KICS
run: |
docker run -t -v ${{ github.workspace }}:/path checkmarx/kics:latest scan -p /path -o /path/reports --output-name report
continue-on-error: true
Integrating KICS into your CI/CD pipeline ensures your infrastructure is continuously checked for vulnerabilities, reducing the risk of deploying insecure configurations.
Customize Security Policies
Create custom security policies that match your specific needs. For example, you can set rules to ensure all S3 buckets are encrypted or that Kubernetes pods don't run as root. Custom policies help enforce security standards consistently across your infrastructure, minimizing risks associated with misconfigurations and unauthorized access. Regularly update and review these policies to adapt to new security threats and compliance requirements.
Implement Policy as Code
Implementing policy as code involves writing and enforcing security policies directly within your infrastructure code. With KICS, you can define policies that automatically check for cloud compliance essentials. For example, you can create rules to ensure all resources are tagged correctly or that no public access is granted to sensitive data. Additionally, you can set policies to enforce that all Amazon S3 buckets must have server-side encryption enabled and block public access. By codifying these policies, you ensure they are applied consistently and can be versioned and audited like any other part of your infrastructure code.
Perform Regular Threat Modeling
As the name suggests, threat modeling involves analyzing your system's architecture to identify threats and vulnerabilities. This process should be adopted as one of your first security steps, as it will give you a deeper understanding of potential risks within your system. You can then create a dynamic risk assessment and allocate resources effectively or choose the most appropriate security controls to mitigate vulnerabilities.
KICS can scan your IaC templates, scripts, and configurations as part of your threat modeling process. These scans give you an overview of vulnerabilities across your underlying infrastructure, including web servers, databases, and other IaC components.
You can also use threat modeling tools like OWASP Threat Dragon or ThreatModeler to simulate attacks. Consider performing these simulations quarterly or bi-annually, and regularly update your threat models to match changes in your environment and new threat information.
Automate KICS scans
Automated security scans are the bread and butter of any IaC security strategy nowadays, as they enable you to effectively implement a continuous security approach and stay proactive in detecting and fixing issues.
Using Jit's DevSecOps platform, you can automate KICS scans for every pull request, ensuring continuous security checks without manual intervention. Whenever a pull request is created or merged, the platform triggers KICS to scan the infrastructure code for misconfigurations and vulnerabilities.
Its centralized hub provides a complete view of your IaC security, displaying in-context KICS findings and live updates. You can easily see which issues need attention, track their resolution status, and access automated remediation workflows, where Jit generates a pull request to address and fix identified issues.
Bringing it All Together for Secure IaC
It's easy to think that data breaches only happen to a few unlucky ones, but they are far more common and dangerous than we want to believe. Regarding IaC security, the more robust your security plan, the better you can sleep at night knowing your systems are protected. But robust IaC security doesn't mean never-ending workloads and complex processes.
Leveraging tools like KICS and all its functionalities can help you protect your IaC components. Jit makes this even more seamless by automating KICS scans for every pull request and giving you a central place to manage all your tools and controls for IaC and beyond. The platform offers clear insights on security issues and enables you to quickly "Create a fix PR" to address problems. Explore more here.
Posted on July 29, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.