How Prancer can detect secrets in IaC templates

Introduction
as a DevOps engineer, I have to confess that I have checked in IaC templates to the remote repo with secrets inside! (multiple times: — )
And this is not a pleasant experience. You have to start searching on stackoverflow how to change the git header, and then notify your manager about what happened, rotate the secrets… To rephrase that, lots of troubles!

Prancer Security platform can help you overcome this problem and have peace of mind for yourself and all other team members you are working with.
Prancer can prevent this problem by scanning every IaC Template at each commit or when a PR is raised to ensure no secret is exposed in the IaC template.

Secret scanning Methods
Secrets are usually in the form of passwords or other kinds of sensitive information inside the IaC template. Here is an examples of IaC templates with hardcoded secrets:
Terraform AWS:

resource “aws_db_instance” “default” {
allocated_storage = 10
engine = “mysql”
engine_version = “5.7”
instance_class = “db.t3.micro”
name = “mydb”
username = “foo”
password = “foobarbaz”
parameter_group_name = “default.mysql5.7”
skip_final_snapshot = true
}

Reviewing these IaC templates and checking other public repositories on git providers for IaC, we understood four methods to find the secrets in IaC code:

  • Searching for specific keywords
  • Searching for patterns
  • entropy-based scanning
  • sensitive extensions

With Prancer secret scanner, we can search for specific keywords like “password”, “P@ssw0rd” “P@$$W0rd” or other combinations in the IaC template.
Looking for patterns is being able to find some patterns inside the code to find the secrets. for example in case of Azure SQL in terraform, this is the code snippet you are assigning the password for the admin account:

resource “azurerm_sql_server” “example” {
name = “myexamplesqlserver”
resource_group_name = azurerm_resource_group.example.name
location = “West US”
version = “12.0”
administrator_login = “4dm1n157r470r”
administrator_login_password = “4-v3ry-53cr37-p455w0rd”

tags = {
environment = “production”
}
}

We can introduce the pattern to Prancer Secret Scanner and find it in all other IaC templates.

With the entropy method, if there is a word with lots of numbers, upper case, lower case, or special characters, the entropy of that specific word is high. An error is raised, which mentions it could be a secret in the code.

Sensitive extensions are the ones who can have certificates, private keys, and other forms of sensitive information. Examples are *.CER or *.CRT — Base64-encoded or DER-encoded binary X.509 Certificate

How Prancer finds secrets
Let us see how the Prancer platform finds secrets and passwords in IaC templates.
We have vulnerable by design repositories on GitHub for each type of IaC template prancer supports. And intentionally, there are some secrets hard-coded into these repositories.
As an example, The AWS terraform files have some secret keys hardcoded inside the template. It is a security misconfiguration that has to be prevented.
https://github.com/prancer-io/prancer-terramerra/blob/master/aws/secret/main.tf

resource “alkira_credential_aws_vpc” “account1” {
name = “customer-aws-1”
aws_access_key = “ASIAIOSFODNN7EXAMPLE”
aws_secret_key = “wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY”
aws_account_id = “123456789012”
type = “ACCESS_KEY”
}

Another example there is an Azure SQL in the terraform, and an admin password is hardcoded inside the template, which is again a security misconfiguration. In this example, the secret is hardcoded inside the .tfvars file
https://github.com/prancer-io/prancer-terramerra/blob/master/azure/sql_servers/terraform.tfvars

location = “”
server_name = “prancer-sql-server2”
server_rg = “prancer-test-rg”
server_version = “12.0”
admin_user = “prancer_admin”
admin_password = “vijcykDaHarj+Oz5”

enable_ad_admin = false
sql_server_login = “sqladmin”

enable_sql_firewall = true
sql_fw_name = “prancer-sql-fw-block-200-net”
sql_fw_start_ip = “0.0.0.0/32”
sql_fw_end_ip = “10.254.200.255”

tags = {}

An example from the Google Cloud Platform, the terraform code in the tfvars file contains the password for the Kubernetes cluster.
https://github.com/prancer-io/prancer-terramerra/blob/master/gcp/container_cluster/terraform.tfvars

k8s_username = “”
k8s_password = “Root1234”

Apart from these terraform cases, the cloud-native formats are also supported; for example, another repository is called “prancer-armof” with hardcoded secrets. Inside the parameters file, there is a workspaceKey hardcoded inside the arm template.
https://github.com/prancer-io/prancer-armof/blob/f49ee2a7641ffe2076b93508ab50d7663469beae/VM/log_analytic_agent/vm.azuredeploy.parameters.json

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"value": "my-windows-vm"
},
"location": {
"value": "westus"
},
"workspaceId": {
"value": ""
},
"workspaceKey": {
"value": "Tse-gj9CemT6A80urYa2hwtjvA5axv1xobXgKR17kbVdtacU6cEf+SNo2TdHGVKTsZHZd1W9QKRXfh+$fVY9dA=="
}
}
}

How Prancer finds these secrets and reports them back to the DevOps engineer

  1. First, you need to signup for an account of Prancer Platform (if you don’t have it already) : https://account.prancer.io/account/user/create/
  2. Then you need to onboard your git repository into the Prancer Security platform. https://www.prancer.io/how-to-use-prancer-configuration-wizard-for-easy-repository-onboarding-for-iac-security/
  3. After successful crawling and compliance test, you can use “Resource Explorer” or “Report” page to find any hard-coded secret inside the IaC templates: https://www.prancer.io/how-to-use-prancer-unified-reporting-feature-for-iac-static-code-analysis-and-cspm-2/

This is how Prancer finds the secrets and hardcoded passwords inside the IaC templates. This problem can be solved by moving the passwords to a secure vault the company uses.

--

--

--

Prancer is a pre-deployment and post-deployment multi-cloud validation framework for your Infrastructure as Code (IaC) pipeline and continuous compliance in the

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Fix your phone’s PIN (almost) effortlessly

XT Will List ATLAS,DAR

Swift cooperation between Bithumb and Uppsala Security ends successfully, leading to crypto scammer…

Transparent OLEDs, Microsoft hacked and more @ #techbrief2

NNI Airdrop Going Live

Keeping us Connected — Data Centres as Critical Infrastructures

CAN VPN BE DANGEROUS ?

ACTION RAFFLE — Week 5–4/30/22

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Prancer.io

Prancer.io

Prancer is a pre-deployment and post-deployment multi-cloud validation framework for your Infrastructure as Code (IaC) pipeline and continuous compliance in the

More from Medium

What is IaC, and why did I learn Terraform?

AWS Elastic Network Interface

Launching WordPress Application with MySQL Database on Kubernetes Cluster over AWS Cloud using…

Terraform — Limitation of Provider and Resource Blocks

Terraform