Using AWS CodeBuild and Bridgecrew to Prevent Misconfigurations in AWS CloudFormation and Terraform
By Nathan Case, Security Engineer at AWS
By Barak Schoster Goihman, CTO at Bridgecrew
Scanning for misconfigurations as part of your CI/CD pipeline helps maintain a solid security posture for all changed resources before provisioning them to a running environment.
Bridgecrew is an AWS Advanced Technology Partner with AWS Competencies in Security and DevOps that is generally used to find security misconfigurations and policy violations across Amazon Web Services (AWS) and in configuration frameworks like AWS CloudFormation, Terraform, Kubernetes, and serverless.
Introduction to IaC Security
In recent years, infrastructure as code has become a popular way to provide predictable and consistent configuration when provisioning core application resources and their underlying services.
IaC frameworks like AWS CloudFormation and Terraform also have robust communities to help users start off with templated versions of infrastructure.
These templates, which can be found in a variety of open source repositories on GitHub, can reduce the time required to configure and customize individual parameters to make a new service work.
Unfortunately, open source modules rarely include all the arguments required to build sustainable and secure infrastructure. To keep resources private that are supposed to stay private, we must cover every configuration surface that decides whether a resource is public: for an S3 bucket alone that means the bucket ACL, the bucket policy, and the public access block settings, and a template that sets only one of them leaves the others at their defaults.
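As an added illustration (constructed for this edit, not a template from the post or from Bridgecrew), the following CloudFormation fragment shows the kind of "public by omission" bucket that an IaC scanner flags, beside a hardened version that closes each configuration surface named above. Bucket names and the logical IDs are assumptions; the property names are standard AWS::S3::Bucket and AWS::S3::BucketPolicy properties.

```yaml
# Constructed example: a weak S3 bucket definition and its hardened counterpart.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Weak: a public-read ACL, no public access block, no default encryption.
  # Each of these is a separate surface an IaC scan would report.
  LogsBucketWeak:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-logs-weak          # assumed name
      AccessControl: PublicRead              # grants AllUsers read on objects

  # Hardened: private ACL, all four public-access blocks, default encryption,
  # and versioning so object history is preserved.
  LogsBucketHardened:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: example-logs-hardened      # assumed name
      AccessControl: Private
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled

  # The bucket policy is the third surface. This one never grants public
  # access; it only denies any request that is not made over TLS.
  LogsBucketHardenedPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref LogsBucketHardened
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource:
              - !GetAtt LogsBucketHardened.Arn
              - !Sub "${LogsBucketHardened.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

Note that `Principal: "*"` in the hardened policy is safe only because the statement is a Deny; the same principal on an Allow statement is exactly the public-bucket pattern scanners look for, so a review should read the Effect together with the Principal rather than pattern-matching on either alone.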
With more and more teams and developers relying on IaC to guide them when developing complex infrastructure, it becomes even more important to systematically examine changes made to templates to ensure they don’t contain immediate configuration problems.
By employing native AWS CI/CD services and Bridgecrew infrastructure scanning capabilities, teams can easily embed advanced security and compliance best practices into every pull request and every build process.
We will start by adding a Bridgecrew configuration to the CodeBuild buildspec.yaml, the file that provides a standard representation of the build commands.
With this configured, CodeBuild can automatically run a Bridgecrew infrastructure security scan, alongside your unit tests and integration tests, on every change to the main branch and on every pull request.
The following diagram shows the flow of events described in this post, and demonstrates how to include Bridgecrew as part of CodeBuild security tests.
The workflow that we’ll set up in this post will:
- Pull the source from source control.
- Deploy the test pipeline.
- Run infrastructure security tests.
- Send approval.
- Deploy to production.
The only prerequisite is a source control repository that contains infrastructure as code files.
Step 1: Connect Bridgecrew to Your AWS Environment
- Go to bridgecrew.cloud and sign up for a free Bridgecrew account.
- In the Integrations tab, navigate to the AWS CodeBuild integration page.
- Copy the SSM command to persist Bridgecrew’s API key in a secured string.
- For reference, a sample buildspec.yaml file pre-configured with Bridgecrew is available when choosing Add a subscription. You can either copy this file and overwrite your existing buildspec.yaml, or open an editor and replace the contents during Step 3.
Step 2: Create a CodeBuild Project
In this step, you’ll create the CodeBuild project; its build phases are defined by the buildspec you add in Step 3.
- Navigate to the AWS CodeBuild console and select Create build project.
- Enter a name for your project:
- Choose a Source provider and Repository.
- Set up the build Environment image by choosing a Managed image with Ubuntu operating system.
- Select Create build project.
Step 3: Create a Buildspec
In this step, you’ll create a build spec that executes the build command.
- Open the CodeBuild project, choose Edit and Buildspec.
- Choose Insert build commands.
- Copy and paste the spec from Step 1 (the sample buildspec.yaml from the Bridgecrew CodeBuild integration page):
- Save the buildspec and update the project.
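The post refers to the sample buildspec from the integration page without reproducing it. As an added example (written for this edit, not the sample Bridgecrew ships), the following buildspec shows how the pieces from Steps 1 to 3 fit together: the API key is read from the SSM Parameter Store entry created in Step 1, the Bridgecrew CLI is installed and run against the repository, and the JUnit XML output is registered as a CodeBuild report. The parameter name `/bridgecrew/api-key`, the Python runtime version, and the exact CLI flags are assumptions; confirm the flags against `bridgecrew --help` for the version you install.

```yaml
# Constructed example buildspec.yaml for a CodeBuild project that runs a
# Bridgecrew scan. Not the sample from the Bridgecrew integration page.
version: 0.2

env:
  # Resolve the API key from SSM Parameter Store at build time so it never
  # appears in the repository or in the project's plaintext environment.
  # The parameter name is an assumption; use the name from the Step 1 command.
  parameter-store:
    BC_API_KEY: /bridgecrew/api-key

phases:
  install:
    runtime-versions:
      python: 3.8          # assumed; any runtime the CLI supports works
    commands:
      - pip install bridgecrew
  build:
    commands:
      # Scan every IaC file under the repository root (-d .), authenticate to
      # the Bridgecrew platform, and emit JUnit XML for the report tab.
      # The CLI exits non-zero when a check fails, which fails the build.
      - bridgecrew -d . --bc-api-key "$BC_API_KEY" -o junitxml > bridgecrew_report.xml

reports:
  bridgecrew:
    files:
      - bridgecrew_report.xml
    file-format: JUNITXML
```

Two things to check before the first run. The CodeBuild service role needs `ssm:GetParameters` on the parameter (and `kms:Decrypt` on the key if the SecureString uses a customer managed key), otherwise the build fails in the env resolution step before any phase runs. And because the scan's exit status fails the build, decide up front whether the project gates the pipeline on pull requests only or on every push to the main branch; gating both is the stricter default.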
Scanning and Remediation
Now that Bridgecrew has been integrated into your CI/CD pipeline, every new git commit triggers a fresh build, and the Bridgecrew scan in that build detects configuration issues in your infrastructure code.
In the CodeBuild console, you can check your build history to see why your build failed, identify security issues, and pinpoint how to fix them.
Bridgecrew can also assist with remediating the code by showing the lines that need to be changed.
Click Remediate to open a pull request with the changes made and ready to merge.
Bridgecrew’s command line interface (CLI) supports JUnit XML output that can be viewed on the CodeBuild report tab.
Bridgecrew also provides compliance and best practice reports on your cloud infrastructure code.
You can navigate to Incidents and choose Download to get reports organized by security standards such as NIST and CIS, and to review the configuration issues found.
In this post, you learned how to leverage native AWS CI/CD services to build a fully automated infrastructure as code (IaC) security pipeline.
You also learned how to utilize Bridgecrew to seamlessly integrate with AWS and secure your AWS CloudFormation, Terraform, Kubernetes, and serverless templates.
Bridgecrew – AWS Partner Spotlight
Bridgecrew is an AWS Competency Partner that is generally used to find security misconfigurations and policy violations across AWS and in configuration frameworks.