Use Terraform? You NEED this for security!

So you’re using Terraform to deploy infrastructure on the cloud, and it all works beautifully… you’re done, right? Well, not quite! There’s one more very important step you need to take to make sure the infrastructure you’re about to deploy follows best practices and doesn’t have any major security issues: scanning the Terraform code itself before it is applied.

🚨 Disclaimer
This video is strictly for educational purposes and to teach you how you can detect and mitigate threats in your or your employer's cloud environments. Learning about real threats, ethical hacking, and penetration testing is an important way of protecting ourselves against threat actors.

⏱ Timestamps:
00:00 - 00:16 - Intro
00:17 - 00:47 - What is Terraform?
00:48 - 01:20 - What you need
01:21 - 01:57 - About the demo and tools
01:58 - 02:15 - Install Checkov & Terraform
02:16 - 02:36 - Initializing Terraform
02:37 - 02:54 - Running Checkov
02:55 - 06:09 - Fixing the issues
06:10 - 08:15 - Custom Policies
08:16 - 09:31 - Restricting EC2 instance types
09:32 - 09:39 - Methods for running these checks
09:40 - 10:08 - Outro

#awssecurity #cloudsecurity #sast #iac #checkov #infrastructureascode #terraform #policyascode #policy #cybersecurity #securityassessment #aws
Comments

I like the idea, but checkov seems to have the same problem as most TF code scanners: it assumes it can see ALL of the terraform for your ENTIRE deployment. For modularity reasons, that is basically never the case.
As a contrived example, if I create an aws_s3_bucket without setting up a log, it flags it. But, and again, this is contrived, maybe this is because I have a single "logging" repo where I set up a bucket for logging, and then add in a data source reference for every s3 bucket in my other repos with the logging stanza in that repo. That is definitely modular, but in a bad way, I agree. But it illustrates the point: for reasons of modularity, the things checkov needs to see might be in another code repo that it cannot see.
So, could be useful for catching things, but would be a nightmare in CI. Death by a thousand exceptions.

Need to dig more deeply; maybe checkov has some inline options to ignore specific findings, such as putting the finding to ignore in a comment field above the stanza that would trigger it.

Regardless, these are great videos! Been watching some of the AWS ones. I am OG/oldschool; I don't want to just learn how to press the buttons as most videos "train" you to do. I want to understand how it works and then assemble what I need from that understanding. Your videos go a LONG way towards that. Many thanks for putting this out here!

linearj
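The inline suppression the commenter is guessing at does exist in Checkov; the following is an added example (not from the video or the comment) of how it looks alongside the compliant fix. Assumptions: the `checkov:skip` comment must sit inside the resource block it applies to, `CKV_AWS_18` is the S3 access-logging check ID (confirm with `checkov --list`), and the logging is attached with the AWS provider v4+ `aws_s3_bucket_logging` resource; bucket names are placeholders.

```hcl
# Constructed example: two S3 buckets in an application repo.
# The log destination bucket lives in a separate "logging" repo (the
# situation described in the comment above) and is pulled in as a data source.
data "aws_s3_bucket" "central_logs" {
  bucket = "example-central-access-logs" # placeholder name
}

# Bucket 1: access logging is wired up in this repo, so Checkov can see it
# and the check passes without any exception.
resource "aws_s3_bucket" "app_data" {
  bucket = "example-app-data" # placeholder name
}

resource "aws_s3_bucket_logging" "app_data" {
  bucket        = aws_s3_bucket.app_data.id
  target_bucket = data.aws_s3_bucket.central_logs.id
  target_prefix = "app-data/"
}

# Bucket 2: logging is attached from another repo that Checkov cannot see.
# Instead of disabling the check globally with --skip-check, the finding is
# suppressed for this one resource with a reason that shows up in the report.
# The comment must be inside the resource's braces to be picked up.
resource "aws_s3_bucket" "scratch" {
  # checkov:skip=CKV_AWS_18:Access logging is attached in the central logging repo
  bucket = "example-scratch" # placeholder name
}
```

Running `checkov -d .` on this directory lists the suppression under skipped checks together with its reason, so each exception stays visible in CI output instead of silently disappearing.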

Please make a video on Terraform. 🙏🙏 Pleeeease

tairocruise