
Breaking Pipelines with Evil Terraform.pdf

Uploaded by: 可*** Document ID: 991863 Date: 2025-12-07 21 pages 1.50MB

aws sts get-caller-identity
- Dakota Riley, SANS Instructor (SEC540), Staff Security Engineer at LiveRamp
- Builder and Breaker
- Home: Northern Kentucky

Supply Chain and CI Attacks
- NPM/NodeJS: an estimated 37k+ malicious packages identified in 2025 (Source: OSSF Malicious Packages repo)
- S1ngularity relied on GenAI CLI tools to exfil files, and created public repos with the contents
- Shai-hulud: self-replicating worm; cloud and GitHub credential theft; takeover of npm packages owned by compromised maintainers
- GitHub Actions are seeing exploitation and abuse:
  - tj-actions/changed-files: highly popular GitHub Action compromised; printed environment variables to the console, likely targeting public repos
  - Vulnerable workflows: variations of script injection, pwn requests

What This Talk Is About

Terraform Essentials
- Declarative Infrastructure-as-Code tool, extremely popular
- Templates written in HashiCorp Configuration Language (HCL)
- Templates consist of blocks:
  - Resource blocks: create things!
  - Data source blocks: read existing things!

Terraform Essentials: External Dependencies
- Terraform Modules: reusable Terraform code packaged as a callable module. Can be referenced from S3, git, the local filesystem, and the HashiCorp Registry. Changes to a module are reflected in Terraform plan output.
- Terraform Providers: Go binaries that implement resources for Terraform. Distributed through the HashiCorp Registry; can be overridden with a local binary for development. Community- and HashiCorp-maintained providers and modules are available.

Terraform Essentials: Lifecycle
- terraform init
- terraform plan
- terraform apply

Deployment Pipeline: Code Change -> Pull Request -> Terraform Plan -> Review -> Merge -> Apply

Evil Cloud Resource
- We can create a cloud resource that grants us access into downstream systems
- Requires execution of terraform apply
- Relies on social engineering or complacency
- Infinite permutations: AWS IAM Role, GCP Service Account Key, Lambda Function, EC2 user-
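The pipeline above reviews a plan before apply, and both an evil cloud resource and a data source that runs code show up in that plan. As an added example that is not from the talk, the following Python script automates the review a policy-as-code gate should perform: it parses the JSON that `terraform show -json tfplan` produces and flags IAM roles whose trust policy admits a principal outside the organization's own accounts, `external`/`http` data sources (which execute a program or fetch a URL during plan), resources that mint long-lived credentials, and module calls whose source is not on an allow-list. The trusted account ID, the approved module prefixes, and the embedded plan document are constructed assumptions; the field paths follow the plan-JSON layout as documented.

```python
"""Policy-as-code gate over `terraform show -json tfplan` output.

Added example (not from the talk). It reads these parts of the plan JSON:
  resource_changes[].change.actions / .after   what apply would create or update
  configuration.root_module.resources[]        data sources (mode == "data")
  configuration.root_module.module_calls{}     module sources
"""
import json
import sys

# Assumptions for this example: our own account(s) and the module origins we accept.
TRUSTED_ACCOUNTS = {"111111111111"}
APPROVED_MODULE_PREFIXES = ("./", "../", "app.terraform.io/acme/")
# Data sources that execute a program or reach the network during `terraform plan`.
PLAN_TIME_EXEC_DATA_SOURCES = {"external", "http"}
# Resources that mint long-lived credentials; a pipeline rarely has a good reason to.
CREDENTIAL_RESOURCES = {"aws_iam_access_key", "google_service_account_key"}


def principal_accounts(assume_role_policy: str):
    """Yield account IDs trusted by an IAM role's trust policy ('*' if it trusts anyone).
    Service principals (e.g. lambda.amazonaws.com) are not account principals and are skipped."""
    statements = json.loads(assume_role_policy).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            yield "*"
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for entry in ([aws] if isinstance(aws, str) else aws):
            if entry == "*":
                yield "*"
            elif entry.startswith("arn:aws:iam::"):
                yield entry.split(":")[4]      # arn:aws:iam::<account>:root|user/...|role/...
            elif entry.isdigit():
                yield entry                    # bare account-ID form


def check_plan(plan: dict) -> list:
    """Return human-readable findings; an empty list means the plan passes the gate."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not set(change.get("actions", [])) & {"create", "update"}:
            continue                            # no-op / delete / read: nothing new is granted
        after = change.get("after") or {}
        if rc["type"] == "aws_iam_role" and after.get("assume_role_policy"):
            for acct in principal_accounts(after["assume_role_policy"]):
                if acct == "*" or acct not in TRUSTED_ACCOUNTS:
                    findings.append(f"{rc['address']}: trust policy admits foreign principal {acct}")
        if rc["type"] in CREDENTIAL_RESOURCES:
            findings.append(f"{rc['address']}: pipeline is minting a long-lived credential")
    root = plan.get("configuration", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("mode") == "data" and res.get("type") in PLAN_TIME_EXEC_DATA_SOURCES:
            findings.append(f"{res['address']}: {res['type']} data source executes at plan time")
    for name, call in root.get("module_calls", {}).items():
        source = call.get("source", "")
        if not source.startswith(APPROVED_MODULE_PREFIXES):
            findings.append(f"module.{name}: module source not on allow-list: {source}")
    return findings


def _trust(principal: dict) -> str:
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                      "Principal": principal}]})


# Constructed sample plan (not real Terraform output): one legitimate role, one role that
# trusts a foreign account, an unchanged bucket, an external data source and two module calls.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_iam_role.app", "mode": "managed", "type": "aws_iam_role", "name": "app",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "app",
                              "assume_role_policy": _trust({"Service": "lambda.amazonaws.com"})}}},
        {"address": "aws_iam_role.ops_helper", "mode": "managed", "type": "aws_iam_role",
         "name": "ops_helper",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "ops-helper",
                              "assume_role_policy": _trust({"AWS": "arn:aws:iam::999999999999:root"})}}},
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["no-op"], "before": {"bucket": "logs"}, "after": {"bucket": "logs"}}},
    ],
    "configuration": {"root_module": {
        "resources": [
            {"address": "data.external.helper", "mode": "data", "type": "external", "name": "helper",
             "expressions": {"program": {"constant_value": ["./helper.sh"]}}},
            {"address": "aws_iam_role.app", "mode": "managed", "type": "aws_iam_role", "name": "app"},
        ],
        "module_calls": {
            "vpc": {"source": "app.terraform.io/acme/vpc/aws"},
            "helper": {"source": "git::https://github.com/someone/tf-helper.git"},
        },
    }},
}

if __name__ == "__main__":
    # Usage: python check_plan.py plan.json   (falls back to the embedded sample plan)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    print("\n".join(problems) or "plan passes")
    sys.exit(1 if problems else 0)
```

Run it as a required status check after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`; because the plan JSON is produced from the saved plan file, the check sees exactly what `terraform apply tfplan` would execute. Note that `external`/`http` data sources have already run by the time the plan exists, so this gate catches the evil resource before apply but only reports, not prevents, plan-time execution; that needs the egress and credential controls the deck covers.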

Based on the report's content, its main points are summarized as follows:
- **Terraform security**: as an infrastructure-as-code tool, Terraform carries security risks such as code execution through data source blocks and state file tampering.
- **Malicious techniques**: abusing GitHub Actions, using data source blocks to steal credentials, and tampering with the state file to achieve arbitrary code execution.
- **Supply chain security**: the Terraform provider supply chain is comparatively strong; providers are verified through GPG signatures and GitHub releases.
- **Security controls**: policy as code, identity and credential controls, and network egress controls.
- **Detection cases**: credential theft or code tampering can be detected through anomalous user-agent and IP-address combinations and other anomalous activity.
- **Conclusion**: pipeline security controls are increasingly important; keep a close eye on Terraform providers and automate security checks.
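The detection cases above rest on one observation: a pipeline's credentials are normally used only by Terraform, from the runner's network, so any other user agent or source address on the pipeline role's session is worth an alert. As an added example (not from the report), this Python snippet applies that rule to CloudTrail records. The role name `ci-terraform`, the runner egress CIDR, and the sample records are constructed assumptions; the records use CloudTrail's field names but are not real log data.

```python
"""Anomalous credential-use detection for a Terraform pipeline role over CloudTrail records.

Added example (not from the report). Rule: API calls made under the pipeline's assumed-role
session should come from Terraform and from the runner's egress range. Anything else is a
candidate stolen-credential or tampered-pipeline event.
"""
import ipaddress
import json

PIPELINE_ROLE = "ci-terraform"                               # assumption: role the CI job assumes
RUNNER_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]     # assumption: runner egress range
# Terraform's AWS provider sends a user agent beginning "APN/1.0 HashiCorp/1.0 Terraform/<ver> ...";
# match on the marker rather than a full string so provider/SDK version bumps do not break the rule.
EXPECTED_AGENT_MARKER = "Terraform/"


def session_role(record: dict):
    """Role name behind an AssumedRole identity, or None for any other identity type."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::<account>:assumed-role/<role>/<session-name>
    parts = ident.get("arn", "").split("/")
    return parts[1] if len(parts) >= 3 else None


def classify(record: dict) -> list:
    """Reasons this record looks like misuse of the pipeline role (empty list if benign)."""
    reasons = []
    if session_role(record) != PIPELINE_ROLE:
        return reasons                          # other identities are out of scope for this rule
    agent = record.get("userAgent", "")
    if EXPECTED_AGENT_MARKER not in agent:
        reasons.append(f"user agent is not Terraform: {agent!r}")
    source = record.get("sourceIPAddress", "")
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # AWS services acting on the principal's behalf log a DNS name here, not an IP address.
        reasons.append(f"non-IP source {source!r}")
    else:
        if not any(addr in net for net in RUNNER_CIDRS):
            reasons.append(f"source {source} outside runner range")
    return reasons


def detect(records) -> list:
    """Run classify() over a batch of records and return the ones with findings."""
    hits = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits.append({"time": rec["eventTime"], "event": rec["eventName"],
                         "session": rec["userIdentity"].get("arn"), "reasons": reasons})
    return hits


def _record(time, name, source, agent, identity):
    return {"eventTime": time, "eventName": name, "sourceIPAddress": source,
            "userAgent": agent, "userIdentity": identity}


CI_SESSION = {"type": "AssumedRole",
              "arn": "arn:aws:sts::111111111111:assumed-role/ci-terraform/GitHubActions"}
TERRAFORM_UA = ("APN/1.0 HashiCorp/1.0 Terraform/1.9.5 (+https://www.terraform.io) "
                "terraform-provider-aws/5.60.0")

# Constructed records, not real log data. Record 2 is a stolen-credential probe from a laptop
# (the deck's own opening command); record 4 is Terraform run with the pipeline's credentials
# from outside the runner range; record 3 is an unrelated IAM user and is ignored.
SAMPLE_RECORDS = [
    _record("2025-12-01T10:00:01Z", "CreateRole", "198.51.100.23", TERRAFORM_UA, CI_SESSION),
    _record("2025-12-01T10:07:44Z", "GetCallerIdentity", "203.0.113.7",
            "aws-cli/2.15.30 Python/3.11.6 Darwin/23.3.0 command/sts.get-caller-identity",
            CI_SESSION),
    _record("2025-12-01T10:09:00Z", "ListBuckets", "203.0.113.50", "aws-cli/2.15.30",
            {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}),
    _record("2025-12-01T11:15:12Z", "CreateAccessKey", "203.0.113.9", TERRAFORM_UA, CI_SESSION),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(json.dumps(hit))
```

In a SIEM the same two predicates become a scheduled query keyed on the assumed-role ARN; the user-agent check alone catches the laptop case, while the IP check is what catches an attacker who replays the credentials through a genuine Terraform binary, so keep both.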