
Azure Infrastructure as Code - Part Five

Writer: Tyler Wall

Updated: Feb 10

Azure Cybersecurity Labs


Next up is Azure Infrastructure as Code - Part Five. Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems. Checkov includes more than 750 predefined policies to check for common misconfiguration issues. Checkov also supports the creation and contribution of custom policies.


Supported IaC types

Checkov scans these IaC file types:


  • Terraform (for AWS, GCP, Azure and OCI)

  • CloudFormation (including AWS SAM)

  • Azure Resource Manager (ARM)

  • Serverless framework

  • Helm charts

  • Kubernetes

  • Docker


This lab shows how to install Checkov, run a scan, and analyze the results.


Install Pip3 and Python

pip3 is the pip package manager for Python 3. It installs and manages third-party packages that provide features and functionality not found in the Python standard library, fetching them from PyPI (the Python Package Index).


You can get it by installing the latest version of Python here.


Install Checkov From PyPI Using Pip


pip3 install checkov

Make Terraform Directory and Move There


mkdir ~/checkov-example
cd ~/checkov-example

Create main.tf file with VS Code


code main.tf

Paste Code into File, Save, then Exit


resource "aws_s3_bucket" "foo-bucket" {
  # same resource configuration as previous example, but acl set for public access.
  acl = "public-read"
}

data "aws_caller_identity" "current" {}

Format the file


terraform fmt

Execute Checkov


Make sure you're in the directory that your Terraform is in.


checkov -f main.tf

Results

[Screenshot: Checkov scan results for aws_s3_bucket]

It's that simple. As you can see, Checkov runs and reports 8 failed checks, including "Public read access enabled". Clicking the link next to a check takes you to a guide that explains the failure in more detail and shows how to fix it.


Checkov checks for common configuration and security errors in your Terraform code BEFORE you deploy it. Any time you download a Terraform script to run in your environment, run Checkov first to make sure it meets your configuration standards.
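As an added example that is not part of the original post or of Checkov itself, here is a small Python wrapper that runs Checkov with JSON output and fails a pipeline when a blocking check (or a file Checkov could not parse) is found. The embedded report, the check ids, names and guideline URLs are constructed placeholders, and the script assumes the `checkov` command is on PATH.

```python
import json
import subprocess
import sys

# Constructed sample of `checkov -f main.tf -o json` output; ids, names and URLs are placeholders.
SAMPLE_REPORT = json.dumps({
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "check_name": "S3 bucket ACL allows public READ access",
             "resource": "aws_s3_bucket.foo-bucket", "guideline": "https://example.invalid/CKV_AWS_20"},
            {"check_id": "CKV_AWS_21", "check_name": "S3 bucket versioning is not enabled",
             "resource": "aws_s3_bucket.foo-bucket", "guideline": "https://example.invalid/CKV_AWS_21"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
})

def run_checkov(path: str) -> str:
    """Run Checkov on one IaC file (assumes `checkov` is on PATH) and return its JSON report."""
    proc = subprocess.run(["checkov", "-f", path, "-o", "json"],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def failed_checks(report_text: str) -> list[dict]:
    """Collect failed checks; Checkov emits a list of reports when several frameworks ran."""
    data = json.loads(report_text)
    found = []
    for rep in data if isinstance(data, list) else [data]:
        results = rep.get("results", {})
        found.extend(results.get("failed_checks", []))
        for bad_file in results.get("parsing_errors", []):
            # A file Checkov could not parse was never scanned, so it must not pass silently.
            found.append({"check_id": "PARSING_ERROR", "resource": bad_file,
                          "check_name": "Checkov could not parse this file"})
    return found

def gate(report_text: str, blocking_ids: set[str]) -> tuple[int, list[str]]:
    """Return (exit code, messages): 1 if a blocking check or parsing error occurred, else 0."""
    exit_code, messages = 0, []
    for chk in failed_checks(report_text):
        blocking = chk["check_id"] in blocking_ids or chk["check_id"] == "PARSING_ERROR"
        exit_code = 1 if blocking else exit_code
        messages.append(f"{'BLOCK' if blocking else 'WARN'} {chk['check_id']} {chk['resource']}: "
                        f"{chk['check_name']} {chk.get('guideline', '')}".rstrip())
    return exit_code, messages

if __name__ == "__main__":
    report = run_checkov(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(report, {"CKV_AWS_20"})
    print("\n".join(lines))
    sys.exit(code)
```

Without an argument the script gates the constructed sample; with a path (for example `main.tf`) it scans that file and exits non-zero when a blocking id is hit, so a CI job can stop the deployment.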


In the next blog post, which wraps up this series, we will check a Terraform configuration file for issues with Checkov, deploy it to Azure, and use the open source tool Prowler to perform a security best practices assessment of the Azure environment. The generated report can be presented to small and medium-sized businesses along with your recommendations for remediation.


You will then be able to create a gig on Fiverr, Upwork, or the like and conduct low-cost cloud security assessments. Remember to continue your education to pass the Terraform Associate exam.





Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University, along with CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after holding every position from analyst to architect, and he is the author of three books, 100+ professional articles, and four online courses, and regularly holds webinars for new cybersecurity talent.


You can connect with him on LinkedIn.


To view my dozens of courses, visit my homepage and watch the trailers!


Become a Black Badge member of Cyber NOW® and enjoy all-access for life.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, winner of the 2024 Cybersecurity Excellence Awards.
