fwd:cloudsec Europe 2024

If an attacker could run an arbitrary policy on a policy engine, would that be dangerous? Turns out, the answer is yes.

This initial research question took us down a fascinating rabbit hole, which started in the OPA (Open Policy Agent) Rego language and ended all the way in Terraform HCL (Hashicorp Configuration Language).

Infrastructure-as-code (IaC) is the backbone of DevOps for modern cloud applications. Due to the sensitivity and complexity of IaC deployments, policy engines and policy-as-code languages have emerged as key tools to govern these processes. They are also a common tool to govern operations within Kubernetes platforms (using Gatekeeper).

In this session, we'll explore malicious techniques for abusing modern policy-as-code and IaC domain-specific languages (DSLs). Supposedly, since these are hardened languages with limited capabilities, they should be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof. We'll explore techniques adversaries can use to manipulate these DSLs through third-party code to compromise cloud identities, conduct lateral movements, and exfiltrate sensitive data. We will be presenting novel techniques, such as DNS tunneling in DSLs, discovered in our research.

This begs two immediate questions: are attackers leveraging these techniques already? Are common scanners able to detect them? We answer these questions by showing the results of our scan of the public Terraform registry, as well as the scan results of popular scanners against our malicious configurations. We will conclude by presenting detection rules that defenders can use to detect these techniques and best practices that can be used to prevent them.