Putting Security into the IaC Pipeline


Infrastructure-as-Code, or IaC, is the new normal for creating and building any new cloud environment through machine-readable files or code templates. It is important, however, to consider the security of the infrastructure you are creating, to ensure it follows best practices and your organization's compliance requirements.

Why IaC is the New Normal

With physical hardware, you have to add the server to the rack and configure it properly before you can start using it, which sometimes means weeks or months before a new server is available. With IaC, you can create the complete infrastructure for your application in the cloud in less than an hour. The examples below contrast the old process of creating servers with the new one:

Photo: Rich Miller

Before Infrastructure-as-Code, IT teams had to add the server to the data center manually, install the OS, and apply the proper configuration before they could use it. In some cases they used automated scripts to help with some tasks, but that never made the process fully automated. Five years ago, I remember working on projects with banks where they needed to wait one to two months for the infrastructure before a project could start. Today, they can create it in a couple of hours or even minutes while meeting all the required compliance.

With IaC, your infrastructure takes the form of code templates. Since the code is a text file, it is easy to edit, copy, and share with your team. It is recommended that you put it under source control, as you would for any other source code file, using a code repository like GitHub, GitLab, or Bitbucket. Here are the three main benefits of using IaC:

  • Speed -> Enables you to quickly set up new infrastructure using only code or scripts.

  • Control -> Since IaC template files are reviewed like any other source code file, the code repository gives you full traceability of every change each template has undergone.

  • Consistency -> Any human is susceptible to mistakes. IaC prevents them by using config files, having a single source of truth, and ensuring the same configuration across the whole environment.

How You Can Create IaC

Nowadays there are a significant number of tools for creating Infrastructure-as-Code; here are the most popular:

“Teams who implement IaC can deliver stable environments rapidly and at scale. Teams avoid manual configuration of environments and enforce consistency by representing the desired state of their environments via code. Infrastructure deployments with IaC are repeatable and prevent runtime issues caused by configuration drift or missing dependencies.” (Sam Guckenheimer, Microsoft Azure DevOps team; Link.)

Why It Is Important to Integrate Security into the IaC Pipeline

As Gartner states, “Through 2025, 99% of cloud security failures will be the customer’s fault.”


Because most cloud security failures come from misconfigurations in the cloud infrastructure, it is essential to give IaC developers visibility and real-time feedback before they build cloud environments containing security or compliance flaws that could cause headaches for your company. Make sure the new infrastructure you create in the cloud follows best-practice reference architectures.

Most Infrastructure-as-Code issues come from:

  • Human error
  • Not enough time to review the IaC, because the business is pushing to build new apps and solutions faster than ever
  • Misconfiguration caused by a lack of knowledge of cloud services
  • Multi-cloud challenges, with a lack of standards across different environments

The security tool category Cloud Security Posture Management (CSPM) helps an organization quickly detect and remediate misconfigurations, and brings visibility across the multiple cloud environments the organization may have.

Example of a Bad EC2 CloudFormation Template:

Bad example of a CloudFormation template that creates an EC2 instance

The bad EC2 CloudFormation template example has issues such as:

  • Security group null opens a range of ports.
  • Instance Ec2Instance is not using an Instance Profile / IAM Role.
  • Instance Ec2Instance is not using the latest generation of instances: m1.small.
  • Security group null allows unrestricted access to uncommon ports.
  • Detailed monitoring is not enabled for EC2 instance Ec2Instance.

You could easily detect these problems with a security plugin in your IDE (VSCode from Microsoft, in my case) that scans the IaC template before you build the cloud environment. Since I am using a CloudFormation template here, if you follow the AWS Well-Architected Framework you will probably end up with something like the example below for a well-architected EC2 instance.

Example of a Well-Architected EC2 CloudFormation Template:

Well-Architected EC2 CloudFormation Template — Example

A pretty simple security plugin like this can help your DevOps and Cloud Architect teams a great deal in creating much more secure and well-architected IaC.

Three Ways to Add Security and Compliance to the IaC Pipeline

Example of an IaC pipeline with security layers integrated with DevOps tools

1. IDE (Integrated Development Environment) — Security Plugin

An IDE security plugin is designed to give developers real-time feedback quickly, both for Infrastructure-as-Code and for application development. This way a developer can scan and fix issues in their current IDE workspace without needing any additional security tool to detect problems.

This is the farthest left you can bring security in the pipeline. It decreases friction and increases adoption by developers, which leads to better validation against security issues and compliance problems.

2. Template Scanner


Template scanners use the CSPM's APIs directly to integrate custom tools or specific use cases into CI/CD pipelines. They provide checks every time you push new code, and the results can be shared with the developers and Cloud Architects, who can review any potential issue before production. If a scan finds an “Extreme” or “High-risk” issue, the scanner can be configured to stop the deployment process and notify the development team, for example through a Slack channel.
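As an added example (not the article's code, whose templates are only shown as images), the following Python scanner implements the five checks from the bad-template list above over a constructed CloudFormation template, and the severity gate that a template scanner in the pipeline would apply. The severities, the "previous generation" instance-type prefixes and the "common ports" set are my assumptions.

```python
import json

# Constructed sample reproducing the flaws the article lists (IaC template as JSON).
BAD_TEMPLATE = json.dumps({"Resources": {
    "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "wide open",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 0,
                                  "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}},
    "Ec2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "InstanceType": "m1.small", "ImageId": "ami-PLACEHOLDER",
        "SecurityGroupIds": [{"Ref": "SecurityGroup"}]}}}})
# Hardened variant (constructed): one port, IAM role, current generation, monitoring on.
GOOD_TEMPLATE = json.dumps({"Resources": {
    "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "https only",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                  "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Ec2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "InstanceType": "m5.large", "ImageId": "ami-PLACEHOLDER", "Monitoring": True,
        "IamInstanceProfile": {"Ref": "InstanceProfile"},
        "SecurityGroupIds": [{"Ref": "SecurityGroup"}]}}}})
PREVIOUS_GEN = ("m1.", "m2.", "m3.", "c1.", "c3.", "t1.", "r3.", "i2.")  # assumed list
COMMON_PORTS = {22, 80, 443}  # assumed definition of "common" ports

def scan_template(text):
    """Return (severity, resource, message) findings for the checks the article lists."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") != "0.0.0.0/0":
                    continue  # only world-reachable rules are flagged here
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 0))
                if hi > lo:
                    findings.append(("High", name, f"opens port range {lo}-{hi} to the world"))
                if any(p not in COMMON_PORTS for p in range(lo, hi + 1)):
                    findings.append(("High", name, "unrestricted access to uncommon ports"))
        elif res.get("Type") == "AWS::EC2::Instance":
            if "IamInstanceProfile" not in props:
                findings.append(("Medium", name, "no instance profile / IAM role attached"))
            if props.get("InstanceType", "").startswith(PREVIOUS_GEN):
                findings.append(("Low", name, f"previous-generation type {props['InstanceType']}"))
            if props.get("Monitoring") is not True:
                findings.append(("Low", name, "detailed monitoring not enabled"))
    return findings

def should_block(findings, block_on=("Extreme", "High")):
    """Pipeline gate: stop the deployment when any finding has a blocking severity."""
    return any(sev in block_on for sev, _, _ in findings)
```

Running `scan_template(BAD_TEMPLATE)` yields the same five findings the article lists for its bad template, and `should_block` on them returns True, while the hardened template produces none.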

3. CSPM — Cloud Security Posture Management


CSPM is a security tool that detects misconfigurations across multiple cloud service providers. This technology can help with the big challenge some companies face in adding “Sec” to the DevOps pipeline. These solutions also offer auto-remediation capabilities for cloud infrastructure, and give organizations a coherent picture of security and compliance risk across multi-cloud environments. CSPM is a class of security tools that covers the following use cases:

  • Compliance monitoring
  • Cloud misconfiguration visibility
  • DevOps integration (shifting security left)
  • Incident response
  • Risk assessment
  • Risk visualization

Here are some examples of the visibility CSPM technologies can bring to your team, making it easy to see the overall risk level across multiple cloud environments:

Example of dashboard visibility using Grafana and ElasticSearch with CSPM technology through APIs

Conclusion

Infrastructure-as-Code brings numerous benefits to our daily work, such as creating a whole new environment or tearing down environments in the cloud and in data centers with technologies like NSX and Kubernetes. However, it is important to consider whether your new infrastructure is secure and compliant, especially since detecting security issues or misconfigurations in the early build stages can save a lot of money and greatly reduce the overall security risk.

When choosing security solutions for IaC, make sure it is the right technology for you and that it fits appropriately with your current pipeline to avoid losing automation and agility in your daily work.


Additional articles on IaC

Translated from: https://medium.com/swlh/putting-security-into-the-iac-pipeline-4de98f88ad24
