用邪恶的 Terraform 破坏管道.pdf

编号:991863 PDF 21页 1.50MB 下载积分:VIP专享
下载报告请您先登录!

用邪恶的 Terraform 破坏管道.pdf

1、aws sts get-caller-identityDakota RileySANS Instructor SEC540Staff Security Engineer LiveRampBuilder and BreakerHome:Northern KentuckySupply Chain and CI attacksNPM/NodeJSEstimated 37k+malicious packages identified in 2025(Source:OSSF Malicious Packages repo)S1ngularity relied on GenAI CLI tools to

2、exfil files,created public repos with contentsShai-hulud self replicating worm,cloud and github credential theft,takeover owned npm packagesGitHub ActionsGithub Actions are seeing exploitation and abuse:tj-actions/changed-files:Highly Popular GitHub Action compromised,printed environment variables t

3、o console,likely targeting public reposVulnerable Workflows:Variations of script injection,pwn requestsWhat this talk is about?Terraform EssentialsDeclarative Infrastructure-As-Code tool,extremely popularTemplates written in HashiCorp Configuration Language(HCL)Templates consist of BlocksResource Bl

4、ocks Create things!Data Source Blocks Read existing things!Terraform Essentials External DependenciesTerraform ModulesReusable Terraform Code packaged as a callable moduleCan be referenced from s3,git,local filesystem,and the HashiCorp RegistryChanges reflected in TF Plan outputsTerraform ProvidersG

5、olang Binaries that implement resources for TerraformOnly available on HashiCorp Registry,can override with a local binary for developmentCommunity and HashiCorp maintained modules availableTerraform Essentials LifecycleTerraform InitTerraform PlanTerraform ApplyDeployment PipelineCode Change-Pull R

6、equest-Terraform Plan-Review-Merge-Apply Evil Cloud ResourceWe can create a cloud resource that grants us access into downstream systemsRequires execution of terraform applyRelies on social engineering or complacencyInfinite permutations:AWS IAM Role,GCP Service Account Key,Lambda Function,EC2 user-

友情提示

1、下载报告失败解决办法
2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
4、本站报告下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。

本文(用邪恶的 Terraform 破坏管道.pdf)为本站 (可不可以) 主动上传,三个皮匠报告文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知三个皮匠报告文库(点击联系客服),我们立即给予删除!

温馨提示:如果因为网速或其他原因下载失败请重新下载,重复下载不扣分。
客服
商务合作
小程序
服务号
折叠