S3 Security Audits Made Easy with Terrateam and Checkov

Overview

Greetings Geeks, we are back with another blog.

Writing a good Terraform configuration is easy, but how do you make those configurations highly secure? That is where Checkov comes in.

While working on Terraform configuration files we found that our configurations had some vulnerabilities once the infrastructure was spun up, so we went looking for a tool that could find vulnerabilities in the configuration files themselves. That is how we came across Checkov, which makes vulnerability checks on Terraform configuration files easy.

  • In this blog, we will learn how to check for security issues in our Terraform code before applying the configuration to spin up the infrastructure, and how to add a Checkov check and a Terrateam check to every Pull Request on a GitHub repository.

Steps involved:

  1. Install Terrateam on your GitHub.

  2. Write S3 Terraform configuration files.

  3. Configure the Terrateam file on your codebase and add the Checkov check commands to the config.yml file so that checks run on each Pull Request.

  4. Push the code to the GitHub main branch.

  5. Create another branch from the main branch, make configuration changes, and push back.

  6. Create a PR.

  7. Troubleshoot the security findings that Checkov reports on the configuration files.

  8. Apply Terraform after resolving everything.

We will cover:

  1. What is Checkov?

  2. How to set up Checkov on local.

  3. How to add Checkov check on the pipeline.

  4. Troubleshooting and resolving the Checkov failed checks.

  5. Skipping Checkov failed checks.

  6. Running the pipeline with Terrateam and Checkov check on success.

Pre-Requisites

  • Terraform is installed on the local system.

  • Terrateam is installed on the GitHub account.

  • AWS free-tier account.

  • Checkov is installed on the local system.

What is Checkov?

Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems.

Checkov includes more than 750 predefined policies to check for common misconfiguration issues. Checkov also supports the creation and contribution of custom policies.

Supported IaC types

Checkov scans these IaC file types:

  • Terraform (for AWS, GCP, Azure and OCI)

  • CloudFormation (including AWS SAM)

  • Azure Resource Manager (ARM)

  • Serverless framework

  • Helm charts

  • Kubernetes

  • Docker

What is Checkov used for?

  • Using Checkov makes your infrastructure safer and more reliable. It helps find and fix mistakes and security issues early in the process.

  • For companies that use Infrastructure as Code to manage their resources, Checkov is a helpful tool.

  • Checkov has many ready-made checks that look at your configuration files to make sure they follow important security and compliance rules. These rules come from trusted organizations like the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and others. Checkov ensures that your infrastructure follows the best practices and meets security and compliance standards.

  • It can find problems in your Infrastructure as Code, like security settings that are too open, weak encryption, or exposing sensitive information to the public.

  • As you'll see later in this article, Checkov can be easily added to Azure DevOps pipelines, making it a useful part of your development process.

  • You can also make your own custom checks if you have specific rules you want to follow. This means you can set your own guidelines and skip certain checks when needed.

  • One common mistake we often make is exposing our database or configuration to 0.0.0.0/0 (every host on the internet), which is not a good practice. Checkov identifies these issues and returns a fail together with a helpful documentation link to help you improve your configuration.

Setting up Checkov on the local system:

Install From PyPI Using Pip

  • pip install checkov

OR

  • pip3 install checkov

For other ways visit here.

Let’s get started with the hands-on tutorial.

  1. To learn how to install Terrateam and set it up for GitHub Actions, visit our blog and follow the steps to set it up for configuring AWS S3.

  2. Next, let’s add a Checkov check on each pull request:

  • To set up a Checkov check on each pull request you need to add a few lines for Terrateam in the .terrateam/config.yml file.

Complete code available here.

  • The above configuration file is Terrateam's official wrapper for Checkov checks; it can be customized further, click to learn more.
  3. Now, push the configuration to the main branch.
  • Push the updated config.yml file to the main branch, so that the checks run on each PR raised on the repository.

  • The following commands will help you push all the changes to the main branch:

    • git add .

    • git commit -m "checkov added"

    • git push origin main

  4. Next, create a branch named terrateam-checkov.
  • Create a branch terrateam-checkov, make some changes in the configuration file of GKE for GCP, and push it to the repository.

  • The following commands will help:

    • git checkout -b terrateam-checkov
  5. Next, push terrateam-checkov.
  • After making some changes in the configuration files, push the changes back to the terrateam-checkov branch of the repo.

  • The following command will help:

    • git add .

    • git commit -m "files updated"

    • git push origin terrateam-checkov

  6. Raise a pull request on the repository.
  • Now raise a pull request to trigger the Checkov check along with the Terrateam check.

  • The following commands will help after installing and configuring GitHub CLI to your local system:

    • gh pr create --fill

  7. Check your GitHub repository for the PR you raised.
  • Click on Pull Requests on your GitHub.

  • You will see Checkov checks along with Terrateam checks are running on your branch.

  • Wait for a few minutes and let all checks go green.

  • The Checkov checks are not listed as a separate status; they run inside Terrateam's plan command.

  • To see how it’s running click on details.

  • OOPS! Checkov check has failed

Let’s troubleshoot!

NOTE: It's a good idea to use Checkov checks before setting up the infrastructure with Terraform. This way, if we find any security problems early, we can fix them more easily, instead of dealing with them after the infrastructure is already in place.

Click on Expand for plan output in the Pull Request to see the output, and what failed here.

Case 1: Identify and try to resolve some failures.

  • Click on details next to Checkov Checks

  • 6 checks failed.

  • Let’s try to fix them.

  • One of the checks says,

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"

  • To fix this, block public access to the S3 bucket by adding the configuration below to the main.tf file.

For a complete code visit here

  • Next is to push the code back and check whether the error is fixed or not!

  • The pipeline fails again but the error seems to be fixed after checking the details.
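As an added example (not the page's linked main.tf), here is a minimal Terraform configuration that satisfies CKV2_AWS_6 by attaching an aws_s3_bucket_public_access_block to the bucket. It goes slightly beyond the page's fix by also enabling versioning and default encryption at rest, which other Checkov S3 policies look for; the bucket name and region are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # the split-out S3 sub-resources below need provider v4+
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# Placeholder bucket name (the page's own example bucket is named "infrasity").
resource "aws_s3_bucket" "audit_demo" {
  bucket = "example-checkov-demo-bucket"
}

# This is what CKV2_AWS_6 looks for: a public access block connected to the bucket.
# With all four flags true, public ACLs and public bucket policies are rejected.
resource "aws_s3_bucket_public_access_block" "audit_demo" {
  bucket                  = aws_s3_bucket.audit_demo.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Beyond the page's fix: object versioning, so accidental deletes and
# overwrites can be recovered, which a further Checkov S3 policy checks for.
resource "aws_s3_bucket_versioning" "audit_demo" {
  bucket = aws_s3_bucket.audit_demo.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default server-side encryption at rest for every object written to the bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "audit_demo" {
  bucket = aws_s3_bucket.audit_demo.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```

Scanning this directory locally with checkov -d . reports CKV2_AWS_6 as passed for the bucket; the same scan is what runs inside the Terrateam plan step on the PR.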

Case 2: Skipping some checks that failed.

  • We can also skip some checks. The policies are written to provide maximum security, so they include checks that are not needed when you want to spin up the infrastructure quickly for a proof of concept or a fast deployment.

  • For example, take the check above.

  • We need to skip this check (Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block") because fixing it surfaced further findings.

  • To skip some checks here is a command that you can add at the end of the config.yml file.

  • These lines skip the particular check (Check: CKV_AWS_55: "Ensure that S3 bucket has a Public Access block"); click here to learn more about Checkov commands. The env step sets the CKV_SKIP_CHECK environment variable, which Checkov reads as its --skip-check option:

    - type: env
      name: CKV_SKIP_CHECK
      cmd: ["echo", "CKV_AWS_55"]

  • And push the changes back to the repository.

  • Again the pipeline failed since we are required to resolve all the checks.

  • When you check the failed checks you will find CKV_AWS_55 is not there.

  • To skip all checks of a similar kind we can use a wildcard (*).

  • Use * (asterisk) at the end of the check ID prefix; here is an example:

    - type: env
      name: CKV_SKIP_CHECK
      cmd: ["echo", "CKV_AWS*"]

  • This will skip every Terraform check whose ID starts with CKV_AWS (Amazon Web Services).

  • Again the pipeline failed.

  • Click on details to see the error.

  • There are lots of other checks that we need to pass.

Case 3: Running the pipeline by skipping all the checks.

  • Since we explicitly need everything in the code, we skip all the checks whose failures we do not need.

  • Here is a checked and trusted setting to skip all the checks and get a green pipeline.

  • The lines below skip all checks related to AWS configuration files, both the CKV_AWS and the CKV2_AWS (graph) families:

    - type: env
      name: CKV_SKIP_CHECK
      cmd: ["echo", "CKV_AWS*,CKV2_AWS*"]

  • Add the above command to your main branch and terrateam-checkov branch and push it to the repository.

  • And see the pipeline run.

  • Wait for a few minutes and you will see the pipeline gone green along with Checkov Checks.

  • If you are happy and satisfied with the output of the pipeline, you can comment on the PR and apply the configuration to AWS.

Comment terrateam apply on the PR and see the magic of Terrateam.

  • On commenting terrateam apply you will find Terrateam has started its magic work.

  • After you see all the checks gone green, congratulations! You have created your AWS S3 bucket.

Checking for S3 on the AWS console

  1. Go to your AWS console and search for “S3”.

  2. Click on “S3”, and you will see a bucket named “infrasity” in the list of buckets.

Congratulations! We have created an S3 bucket with the maximum security possible at this point.

Cleanup (Optional)

  • Cleanup is mandatory if you want to avoid a growing bill.

  • Run the commands below from your IDE's terminal to destroy all the infrastructure we built in this tutorial.

    • terraform init

    • terraform destroy

Conclusion

  1. We’ve installed Checkov on the local system to run checks locally.

  2. We’ve created a YAML file named checkov.yml that runs on each PR raised to run Checkov checks on our Terraform code along with Terrateam.

  3. We have faced Checkov failure.

    1. Case 1. We have fixed some errors by manually fixing the Terraform configurations.

    2. Case 2. We have skipped some of the checks required to configure the S3 bucket for POC.

    3. Case 3. We have skipped all the checks using Checkov's wildcards.

  4. We ran the Terrateam apply command to run the pipeline and configure the infrastructure.

  5. We have verified that S3 is made on AWS.

  6. We have also applied a Cleanup process to avoid unwanted rises in bills.

For the complete code visit here.

To learn more about Terrateam visit here.

Also, check out our blogs available on Hashnode.