    14 July 22

    IaC (Terraform) for Pentesters

    Posted by Shivam Bathla

    If learning cybersecurity through offense is interesting to you, try Pentester Academy's AttackDefense Lab Platform, containing 2000+ lab exercises covering various topics. Sign in for free to try community labs and view the list of topics — no subscription or VPN required! To access all Pentester Academy content, check out available subscriptions.


    Introduction: Infra Growth = Complexity

    Imagine that you manage all the infrastructure for your team. Now one of the servers had an issue and must be redeployed. What do you do?

    Provision a new machine and set all the properties the previous machine had. Makes sense, doesn’t it?

    But how practical is this? Imagine you have to migrate all your infra from one account to another, maybe for better resilience or to have a failover plan.

    As your infrastructure grows, the dials and knobs you have to configure grow exponentially. That’s because every service and component has its own set of configurations. Remembering all of this is nigh impossible — you can’t configure everything correctly, every single time!

    The Solution: Infrastructure as Code (IaC)

    That’s where the idea of IaC (Infrastructure as Code) fits in. It’s an amazing idea because you define your infrastructure as code, which makes deployments far more predictable.

    Want to tear down a server and spin up a new one? Sure, it’s as easy as running the Terraform/Ansible/Chef/Puppet/… code, and even that can be automated by your CI/CD pipelines.

    Amazing and quite powerful, isn’t it! All you need to do is describe your infra once, then reuse that description to rebuild it whenever you wish.

    Introducing Terraform

    A great example of leveraging IaC is Terraform, a cloud IaC tool that lets you manage cloud services through the various providers it makes available. As the documentation states:

    Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files.


    Figure: Different cloud services supported by Terraform.

    Since Terraform is open source, you can create your own providers, not just for a cloud service but for any service in general. For instance, arminaaki created a provider to manage pastes in Pastebin. Overall, Terraform doesn’t constrain you: you are free to build providers for any API you wish (as long as the service exposes an API interface).

    Attacker’s Delight

    With IaC’s versatility, it’s a great solution for anyone managing infra. But like any other piece of code, IaC can contain misconfigurations and vulnerabilities that lead to attacks. Let’s dive deeper:

    Issue #1: Security Misconfigurations

    Below is a non-exhaustive list of misconfigurations an attacker can leverage if the Terraform config is not written with security in mind:

    1. Misconfigured services: public S3 buckets, public database instances, weak passwords, deletion/termination protection not enabled, logging not enabled, backups not enabled.
    2. API keys, passwords and other secrets in code.
    3. Terraform state files in public buckets.
    4. Secrets displayed in the outputs.
    5. Building the infra from user input, which can lead to injection issues (more on this in the next section).

    You get the idea: if things are not done with security in mind, an attacker can get their hands on your Terraform config via public GitHub repositories, the Wayback Machine, or other attacks like RCE, arbitrary file reads, etc.

    Preventing security misconfigurations

    The above misconfigurations can damage the integrity and confidentiality of your infrastructure. Hence, it is crucial to follow best practices — especially anything security-related — for the tools you use.

    The exact best practices will depend on the services and components you use, but general guidelines include not embedding sensitive values like passwords or API keys in the code, and not taking user input as is. Also, do not expose the state files (if any) used by the tools. Those state files are a treasure trove of information that lets an attacker extract the resource config and other secrets without any extra recon.
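    To make the list above concrete, here is an added example (not code from the post, and not checkov or any other project’s code): a small regex-based scanner, in the spirit of the static-analysis tools mentioned later, run over two constructed Terraform configs. The vulnerable one contains credential literals, a public S3 ACL, a publicly reachable database with deletion protection off, and an output that prints a secret; the hardened one beside it shows the corrected form. Every value in the samples is made up (the access key is the placeholder from AWS documentation).

```python
"""Minimal Terraform misconfiguration scanner (added example, not checkov or
any project's code). It regex-scans HCL text for credential literals, public
S3 ACLs, publicly reachable databases, disabled deletion protection, and
outputs exposing secrets without `sensitive = true`. A real tool parses HCL."""
import re

# Constructed vulnerable config; AKIAIOSFODNN7EXAMPLE is the AWS docs placeholder.
VULNERABLE_TF = '''
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "constructed-secret-value"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_db_instance" "db" {
  password            = "Summer2022!"
  publicly_accessible = true
  deletion_protection = false
}

output "db_password" {
  value = aws_db_instance.db.password
}

output "db_endpoint" {
  value = aws_db_instance.db.endpoint
}
'''

# Hardened counterpart: the secret comes from a sensitive variable, bucket and
# database are private, and the secret-bearing output is marked sensitive.
HARDENED_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "private"
}

resource "aws_db_instance" "db" {
  password            = var.db_password
  publicly_accessible = false
  deletion_protection = true
}

output "db_password" {
  value     = aws_db_instance.db.password
  sensitive = true
}
'''

# Line-level rules: (rule id, pattern applied to a single line, message).
LINE_RULES = [
    ("TF001", re.compile(r'^\s*(access_key|secret_key|password|token)\s*=\s*"[^"]+"'),
     "credential stored as a string literal"),
    ("TF002", re.compile(r'^\s*acl\s*=\s*"public-read(-write)?"'),
     "S3 bucket ACL grants public access"),
    ("TF003", re.compile(r'^\s*publicly_accessible\s*=\s*true\b'),
     "database instance is publicly reachable"),
    ("TF004", re.compile(r'^\s*deletion_protection\s*=\s*false\b'),
     "deletion protection disabled"),
]

# Block-level rule: an output whose name or value looks secret-bearing must be
# marked sensitive, otherwise `terraform apply` / `terraform output` prints it.
OUTPUT_BLOCK = re.compile(r'output\s+"([^"]+)"\s*\{([^}]*)\}', re.DOTALL)
SECRET_WORDS = re.compile(r'password|secret|token|private_key|access_key', re.I)
SENSITIVE_TRUE = re.compile(r'^\s*sensitive\s*=\s*true\b', re.M)


def scan(hcl_text):
    """Return findings as (rule_id, line_no, message) tuples sorted by line."""
    findings = []
    for line_no, line in enumerate(hcl_text.splitlines(), start=1):
        for rule_id, pattern, message in LINE_RULES:
            if pattern.search(line):
                findings.append((rule_id, line_no, message))
    for match in OUTPUT_BLOCK.finditer(hcl_text):
        name, body = match.group(1), match.group(2)
        if (SECRET_WORDS.search(name) or SECRET_WORDS.search(body)) \
                and not SENSITIVE_TRUE.search(body):
            line_no = hcl_text.count("\n", 0, match.start()) + 1
            findings.append(("TF005", line_no,
                             f'output "{name}" exposes a secret without sensitive = true'))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for rule_id, line_no, message in scan(VULNERABLE_TF):
        print(f"{rule_id} line {line_no}: {message}")
    print("hardened config findings:", scan(HARDENED_TF))
```

    The scanner reports seven findings for the vulnerable config and none for the hardened one. Note that `sensitive = true` only stops Terraform from printing the value; it still lands in the state file, which is why the state itself must never be exposed.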

    Issue #2: Accepting Arbitrary IaC Files

    Another issue that most (and maybe all) IaC tools have is the ability to run arbitrary code. This is not a flaw per se; it’s actually a feature with legitimate use cases, but it can lead to issues.

    For example, if user input makes its way into the infra code, it could lead to RCE. If the user input is added to a command in the local-exec or remote-exec provisioner in Terraform, the attacker can execute malicious code (Python, Bash, Perl, etc.).

    Also in AWS, when configuring an EC2 instance, the commands placed in the user-data script are executed on the instance, so controlling that script means code execution. The same goes for other services that accept code or commands.

    Similarly, if you get the opportunity to supply your own Terraform code (or any other IaC file, for Ansible, Chef, Puppet, CloudFormation, etc.), you can use the relevant constructs, like local-exec and remote-exec in Terraform, to execute your commands. Think about it: if you have the ability to supply arbitrary files, that is effectively RCE-as-a-service.

    Preventing malicious arbitrary code

    Again, the solution is straightforward. You just have to recognize that:

    User input is the root of all evil.

    Therefore, the natural prevention is to never let an untrusted party supply the IaC config, or control any component of it that leads to RCE (e.g. the local-exec and remote-exec provisioners in Terraform).

    If you do this effectively, you can be sure that you are safe against such attacks.
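    As an added example (not code from the post or from any project), here is the pattern in a small deployment service that accepts a hostname from a user and hands it to Terraform. `register-host` is a hypothetical CLI; `null_resource` and the `local-exec` provisioner are real Terraform features, and `local-exec` passes `command` to the local shell, which is what turns a user-controlled hostname into shell input. The vulnerable path pastes the input into the `.tf` text; the safe path keeps the `.tf` file fixed on disk, restricts the variable with a Terraform `validation` block, and applies the same allowlist in the service before writing a JSON tfvars file.

```python
"""Added example (not from the post or any project): user input on its way to
a local-exec provisioner. `register-host` is hypothetical."""
import json
import re

# Vulnerable: raw input becomes part of the .tf text, and so of the shell command.
UNSAFE_TEMPLATE = '''
resource "null_resource" "register" {
  provisioner "local-exec" {
    command = "register-host --name %s"
  }
}
'''

# Fixed .tf file kept on disk: the hostname is a variable with an allowlist
# `validation` block, so `terraform plan` rejects anything but a DNS label.
SAFE_TF = '''
variable "hostname" {
  type = string
  validation {
    condition     = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.hostname))
    error_message = "hostname must be a single lowercase DNS label."
  }
}

resource "null_resource" "register" {
  provisioner "local-exec" {
    command = "register-host --name ${var.hostname}"
  }
}
'''

# The same allowlist, enforced in the service before anything reaches Terraform.
HOSTNAME_RE = re.compile(r'^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$')


def render_unsafe(hostname):
    """How the injection happens: user input is concatenated into the IaC file."""
    return UNSAFE_TEMPLATE % hostname


def validate_hostname(hostname):
    """Allowlist check: returns the value unchanged or raises ValueError."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname {hostname!r}")
    return hostname


def render_tfvars(hostname):
    """Safe path: the validated value is emitted as JSON tfvars content
    (e.g. for a .auto.tfvars.json file), never spliced into HCL."""
    return json.dumps({"hostname": validate_hostname(hostname)}, indent=2)


def is_rejected(hostname):
    """Convenience wrapper for callers that want a boolean instead of an exception."""
    try:
        validate_hostname(hostname)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_tfvars("web-01"))
    for candidate in ("web;id", "web 01", "Web01", ""):
        print(repr(candidate), "rejected" if is_rejected(candidate) else "accepted")
```

    Two layers are deliberate: the service-side check stops bad input early, and the `validation` block makes the `.tf` file refuse it even if someone bypasses the service and supplies a tfvars file directly.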

    Another thing to highlight is the chaining of attacks.

    Let’s say you do everything in a secure fashion: inputs are taken from trusted sources and are well sanitized, and the IaC files reside on your server — they are predefined. Are you secure in that case? Maybe not!

    If someone finds a way to upload arbitrary files to your machine, they can possibly overwrite the existing IaC files and add their own code. This would result in the issues we touched upon in the section above.

    Therefore, it is equally important to secure your IaC files too. Make them writable only by the deploying user and run the application as a different, low-privileged user. Any other users or services must not have access to those files unless required. So always ensure you follow the principle of least privilege!
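    An added example (not from the post) of checking that last point on a POSIX host: an audit that walks a directory and flags IaC files that are not owned by the expected user or that carry a group or world write bit. The file extensions treated as IaC are an assumption, and the demo builds its own temporary directory with one sane and one world-writable file.

```python
"""Added example (not from the post): audit ownership and write permissions of
IaC files so that an arbitrary-file-write elsewhere on the host cannot be
turned into IaC tampering. POSIX only; the IaC suffixes are an assumption."""
import os
import stat
import tempfile

IAC_SUFFIXES = (".tf", ".tfvars", ".tfvars.json", ".yml", ".yaml")


def is_locked_down(path, owner_uid=None):
    """True when `path` is a regular file owned by `owner_uid` (default: the
    current user) with neither the group nor the other write bit set."""
    st = os.stat(path)
    if owner_uid is None:
        owner_uid = os.getuid()
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
        return False
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def audit_tree(root, owner_uid=None):
    """Return the IaC files under `root` that fail the check, sorted by path."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(IAC_SUFFIXES):
                path = os.path.join(dirpath, name)
                if not is_locked_down(path, owner_uid):
                    flagged.append(path)
    return sorted(flagged)


def demo():
    """Constructed scenario: one file with sane permissions, one world-writable.
    Returns the basenames the audit flags."""
    root = tempfile.mkdtemp(prefix="iac-audit-")
    good = os.path.join(root, "main.tf")
    bad = os.path.join(root, "prod.auto.tfvars")
    for path in (good, bad):
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
    os.chmod(good, 0o640)  # owner rw, group r, others nothing
    os.chmod(bad, 0o666)   # anyone on the host can edit this file
    return [os.path.basename(p) for p in audit_tree(root)]


if __name__ == "__main__":
    print("flagged:", demo())
```

    Run it as the user that executes Terraform, or pass that user’s uid as `owner_uid`; a check like this belongs in the deploy pipeline just before `terraform apply`, alongside the static scan of the config itself.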

    Further Readings

    Feel free to dig in more by checking the following resources:

    1. TerraGoat: A “Vulnerable by Design” Terraform repository
    2. checkov: IaC static analysis tool

    These cover some good ground, both from the defender’s perspective (1, 2, and 3) and from the attacker’s perspective (4). So definitely check them out and see what you can do as an attacker and as a defender.


    I hope you enjoyed this article: we went through different ways an attacker can exploit Terraform or any other IaC for that matter.

    To reiterate: everything needs to be prepared with security in mind, be it your app code or the code you use to spin infra for your apps. Otherwise, someone can exploit misconfigurations and other issues to compromise the integrity and confidentiality of your environment.

    This underscores the importance of a security-centric approach. Whether you are a developer, a security researcher or into DevOps, this mindset is a must.

    And we’re here to help! With thousands of technical videos, hands-on labs and on-demand bootcamps, our content covers a lot of what you would want to learn in the infosec field. Feel free to sign in and explore all the labs we have, just by using a Google Account.

    Happy learning!

    About Pentester Academy

    Founded in 2011 by world-renowned security researcher and trainer, Vivek Ramachandran, Pentester Academy is the world’s leading cybersecurity skills platform. We help professionals acquire the skills, knowledge and certificates by teaching defense through offense to advance their careers in cybersecurity. We believe that learning is best accomplished by doing: our content is accompanied by hands-on lab exercises that allow students to face and conquer real world scenarios.

    In 2021, Pentester Academy was acquired by INE, one of the world’s leading training solutions companies. By adding Pentester Academy’s innovative labs to INE’s courses on Cyber Security, Cloud Computing, Networking and Data Science, this partnership represents a new frontier for both companies. Now, security professionals will have more opportunities than ever to accelerate their career, and put their company in the best position possible to keep products and data secure.


    © 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.