aws sts get-caller-identity

Dakota Riley
SANS Instructor, SEC540
Staff Security Engineer, LiveRamp
Builder and Breaker
Home: Northern Kentucky

Supply Chain and CI attacks

NPM/NodeJS
- Estimated 37k+ malicious packages identified in 2025 (Source: OSSF Malicious Packages repo)
- S1ngularity relied on GenAI CLI tools to exfil files, created public repos with contents
- Shai-hulud: self-replicating worm, cloud and GitHub credential theft, takeover of owned npm packages

GitHub Actions
GitHub Actions are seeing exploitation and abuse:
- tj-actions/changed-files: highly popular GitHub Action compromised, printed environment variables to console, likely targeting public repos
- Vulnerable workflows: variations of script injection, pwn requests

What this talk is about?

Terraform Essentials
- Declarative Infrastructure-as-Code tool, extremely popular
- Templates written in HashiCorp Configuration Language (HCL)
- Templates consist of blocks:
  - Resource blocks: create things!
  - Data source blocks: read existing things!

Terraform Essentials: External Dependencies
Terraform Modules
- Reusable Terraform code packaged as a callable module
- Can be referenced from S3, git, local filesystem, and the HashiCorp Registry
- Changes reflected in TF plan outputs
Terraform Providers
- Golang binaries that implement resources for Terraform
- Only available on HashiCorp Registry; can override with a local binary for development
- Community and HashiCorp maintained modules available

Terraform Essentials: Lifecycle
- Terraform Init
- Terraform Plan
- Terraform Apply

Deployment Pipeline
Code Change -> Pull Request -> Terraform Plan -> Review -> Merge -> Apply

Evil Cloud Resource
- We can create a cloud resource that grants us access into downstream systems
- Requires execution of terraform apply
- Relies on social engineering or complacency
- Infinite permutations: AWS IAM Role, GCP Service Account Key, Lambda Function, EC2 user-
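The slides make two points a reviewer can act on: module changes show up in the plan output, and an "evil cloud resource" still has to get through the Plan -> Review -> Merge -> Apply pipeline before it does anything. The check below is an added example (it is not code from the talk or from HashiCorp) that reads the JSON a `terraform show -json <planfile>` command produces and flags two things for human review: planned creates of the resource types the slide lists as access-granting (IAM roles, service account keys, Lambda functions, EC2 instances), and module calls whose `source` is not on an allowlist. The `resource_changes` and `configuration.root_module.module_calls` fields are part of Terraform's documented plan JSON format; the sample plan, the set of sensitive types and the allowed source prefixes are constructed for the example and should be adjusted to your own environment.

```python
import json
import sys

# Resource types the talk names as candidate "evil cloud resources".
# Illustrative choice; extend for your providers.
SENSITIVE_TYPES = {
    "aws_iam_role",
    "aws_iam_policy",
    "aws_iam_role_policy",
    "aws_lambda_function",
    "aws_instance",
    "google_service_account_key",
}


def suspicious_changes(plan):
    """Return (address, type, actions) for every planned create of a
    sensitive resource type.  A replace shows up as ["delete", "create"]
    (or the reverse), so testing for "create" membership catches both."""
    hits = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        if rc.get("type") in SENSITIVE_TYPES and "create" in actions:
            hits.append((rc["address"], rc["type"], tuple(actions)))
    return hits


def untrusted_module_sources(plan, allowed_prefixes):
    """Return (module_name, source) for root-module calls whose source does
    not start with one of allowed_prefixes.  Only the root module's calls
    are inspected here; nested calls live under each call's "module" key."""
    calls = (plan.get("configuration", {})
                 .get("root_module", {})
                 .get("module_calls", {}))
    flagged = []
    for name, call in calls.items():
        source = call.get("source", "")
        if not source.startswith(tuple(allowed_prefixes)):
            flagged.append((name, source))
    return flagged


# Constructed sample plan in the shape of `terraform show -json` output;
# addresses, sources and versions are placeholders, not real infrastructure.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "mode": "managed",
         "type": "aws_s3_bucket",
         "change": {"actions": ["update"]}},
        {"address": "module.vpc.aws_iam_role.new_role", "mode": "managed",
         "module_address": "module.vpc", "type": "aws_iam_role",
         "change": {"actions": ["create"]}},
        {"address": "aws_lambda_function.hook", "mode": "managed",
         "type": "aws_lambda_function",
         "change": {"actions": ["delete", "create"]}},
    ],
    "configuration": {"root_module": {"module_calls": {
        "vpc": {"source": "git::https://example.invalid/placeholder/vpc.git?ref=main"},
        "kms": {"source": "registry.terraform.io/example-org/kms/aws"},
    }}},
}

# Module sources the pipeline is allowed to pull from (constructed allowlist).
ALLOWED_SOURCES = ("registry.terraform.io/", "./", "../")


def review_plan(plan, allowed_prefixes=ALLOWED_SOURCES):
    """Produce the reviewer-facing findings; non-empty means block the merge
    until a human has looked at the flagged items."""
    return {
        "sensitive_creates": suspicious_changes(plan),
        "untrusted_modules": untrusted_module_sources(plan, allowed_prefixes),
    }


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python plan_review.py
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    findings = review_plan(plan)
    for addr, rtype, actions in findings["sensitive_creates"]:
        print(f"REVIEW: {addr} ({rtype}) actions={list(actions)}")
    for name, source in findings["untrusted_modules"]:
        print(f"REVIEW: module {name!r} sourced from {source!r}")
    sys.exit(1 if any(findings.values()) else 0)
```

Run it as a required check on the pull request that carries the plan, so the "Review" step in the pipeline has the sensitive creates and off-allowlist module sources surfaced rather than buried in a long plan diff. Exiting non-zero when there are findings turns complacency into an explicit approval decision.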