Infrastructure Security

Infrastructure Security: Protecting Your Digital Castle

The Story of the Three Security Guards

Imagine your software is a magical castle. Every day, visitors (code) come and go. But here’s the problem: bad guys want to sneak in!

You need three special guards to keep your castle safe:

  1. The Secret Keeper - Guards all passwords and keys
  2. The Container Inspector - Checks every box entering the castle
  3. The Blueprint Checker - Makes sure building plans are safe

Let’s meet each guard!


Guard 1: The Secret Keeper (Secrets Management)

What Are Secrets?

Think of secrets like the keys to your house. You wouldn’t leave them under the doormat, right?

In software, secrets are:

  • Passwords - Like your Netflix password
  • API Keys - Special codes to talk to other services
  • Certificates - Digital ID cards
  • Tokens - Temporary passes

The Big Problem

# NEVER DO THIS!
password = "SuperSecret123"
api_key = "abc123xyz"

This is like writing your PIN on your credit card. Anyone who sees your code sees your secrets!

The Solution: Secret Vaults

A secret vault is like a super-secure safe. Your code asks the safe for secrets when needed.

graph TD
    A["Your App"] -->|Asks for secret| B["Secret Vault"]
    B -->|Gives secret safely| A
    C["Bad Guy"] -->|Cannot access| B

Popular Secret Keepers

| Tool | Best For | Think of it as… |
|------|----------|-----------------|
| HashiCorp Vault | Big teams | Bank vault |
| AWS Secrets Manager | AWS users | Cloud safe |
| Azure Key Vault | Azure users | Azure safe |
| GitHub Secrets | GitHub Actions | Repo locker |

How It Works: Simple Example

Without Vault (Bad):

# config.yaml - DANGEROUS!
database:
  password: "MyPassword123"

With Vault (Good):

# config.yaml - SAFE!
database:
  password: ${VAULT_DB_PASSWORD}

The real password lives in the vault, not in your code: the placeholder is filled in at runtime, so the config file itself contains nothing worth stealing.
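Here is an added example (not code from the page) of how the ${VAULT_DB_PASSWORD} placeholder gets filled at runtime. The config is embedded as an already-loaded dict standing in for config.yaml; the function name resolve_secrets and the SECRET_KEYS policy list are assumptions, and the "vault" is simulated by a dict of environment variables.

```python
import os
import re
from typing import Mapping, Optional

# Matches a ${NAME} placeholder such as ${VAULT_DB_PASSWORD} in config.yaml.
PLACEHOLDER = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")
# Keys whose values must never be literals in a config file (hypothetical policy).
SECRET_KEYS = ("password", "api_key", "token", "secret")

# Constructed stand-ins for the page's two config.yaml files, already loaded
# into dicts so the demo needs no YAML library.
SAFE_CONFIG = {"database": {"host": "db.internal", "password": "${VAULT_DB_PASSWORD}"}}
UNSAFE_CONFIG = {"database": {"host": "db.internal", "password": "MyPassword123"}}


def resolve_secrets(config: dict, env: Optional[Mapping[str, str]] = None) -> dict:
    """Return a copy of config with ${VAR} placeholders filled from env.

    A secret-looking key holding a literal raises, so a hardcoded password
    cannot silently reach production. A placeholder with no matching variable
    also raises; errors name the variable, never a value, to keep logs clean.
    """
    env = os.environ if env is None else env
    resolved = {}
    for key, value in config.items():
        if isinstance(value, dict):
            resolved[key] = resolve_secrets(value, env)
            continue
        match = PLACEHOLDER.match(value) if isinstance(value, str) else None
        if match:
            name = match.group(1)
            if name not in env:
                raise KeyError(f"secret {name} not provided by the vault/environment")
            resolved[key] = env[name]
        elif key.lower() in SECRET_KEYS:
            raise ValueError(f"hardcoded secret in config key '{key}'; use a ${{VAR}} placeholder")
        else:
            resolved[key] = value
    return resolved


if __name__ == "__main__":
    # At deploy time the vault injects the secret into the process environment.
    fake_env = {"VAULT_DB_PASSWORD": "injected-by-vault"}
    print(resolve_secrets(SAFE_CONFIG, fake_env)["database"]["host"])
    try:
        resolve_secrets(UNSAFE_CONFIG, fake_env)
    except ValueError as err:
        print("blocked:", err)
```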

Golden Rules

  1. Never commit secrets to Git
  2. Rotate secrets regularly (change them)
  3. Use different secrets for dev/staging/prod
  4. Limit access - only give secrets to who needs them

Guard 2: The Container Inspector (Container Security Scanning)

What Are Containers?

Containers are like shipping boxes for your software. They hold everything your app needs to run.

But what if someone hid something bad inside a box?

The Danger Inside

Containers can have:

  • Old software with known problems
  • Viruses hiding in packages
  • Weak settings that hackers love

Container Scanning = X-Ray Machine

Just like airport security scans your luggage, we scan containers!

graph TD
    A["Container Image"] -->|Scan| B["Security Scanner"]
    B -->|Found Problems| C["Report"]
    C -->|Fix Issues| D["Safe Container"]
    B -->|No Problems| D

What Scanners Look For

| Check | What It Means | Example |
|-------|---------------|---------|
| CVEs | Known bugs | "OpenSSL has a hole" |
| Licenses | Legal issues | "Can't use this library" |
| Secrets | Hidden passwords | "Found AWS key!" |
| Config | Bad settings | "Running as root" |

Popular Container Scanners

  • Trivy - Fast and free
  • Snyk - Great for developers
  • Clair - Works with any registry
  • Aqua - Enterprise-grade

Real Example: Using Trivy

# Scan a container image
trivy image myapp:latest

Output might show:

CRITICAL: 2
HIGH:     5
MEDIUM:   10

CVE-2023-1234 | openssl | Upgrade to 3.0.8

When to Scan

graph TD
    A["Developer Builds"] -->|Scan| B{Problems?}
    B -->|Yes| C["Fix & Rebuild"]
    B -->|No| D["Push to Registry"]
    D -->|Scan Again| E{Problems?}
    E -->|Yes| F["Block Deployment"]
    E -->|No| G["Deploy Safely"]

Best Practices

  1. Scan early - Check during development
  2. Scan often - New vulnerabilities appear daily
  3. Block bad images - Don’t deploy if critical issues exist
  4. Use trusted bases - Start with official images
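An added example (not from the page or from Trivy) of the "Block bad images" gate: it parses a constructed report in the layout of `trivy image --format json`, prints the severity counts and finding lines in the style shown above, and refuses deployment when CRITICAL or HIGH findings remain. Trivy can enforce this itself with `trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest`; parsing the JSON is useful when the pipeline also wants the counts and the report.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json myapp:latest`
# output, reduced to the fields used here. CVE-0000-000x IDs are placeholders;
# the openssl line mirrors the page's example finding.
TRIVY_REPORT = json.dumps({
    "ArtifactName": "myapp:latest",
    "Results": [{
        "Target": "myapp:latest (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-1234", "PkgName": "openssl",
             "InstalledVersion": "3.0.7", "FixedVersion": "3.0.8", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libxml2",
             "InstalledVersion": "2.9.14", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "bash",
             "InstalledVersion": "5.2", "FixedVersion": "5.2.1", "Severity": "MEDIUM"},
        ],
    }],
})

BLOCKING = ("CRITICAL", "HIGH")  # gate threshold; a policy choice for the pipeline


def summarize(report_json: str):
    """Parse a Trivy JSON report into (Counter of severities, finding lines)."""
    report = json.loads(report_json)
    counts, findings = Counter(), []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln["Severity"]] += 1
            fixed = vuln.get("FixedVersion")
            fix = f"Upgrade to {fixed}" if fixed else "No fix available yet"
            findings.append(f"{vuln['VulnerabilityID']} | {vuln['PkgName']} | {fix}")
    return counts, findings


def should_block(counts: Counter, threshold=BLOCKING) -> bool:
    """True when any finding at a blocking severity is present."""
    return any(counts[sev] > 0 for sev in threshold)


if __name__ == "__main__":
    counts, findings = summarize(TRIVY_REPORT)
    for sev in ("CRITICAL", "HIGH", "MEDIUM", "LOW"):
        print(f"{sev + ':':<9}{counts[sev]}")
    print("\n".join(findings))
    print("Block deployment" if should_block(counts) else "Safe to deploy")
```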

Guard 3: The Blueprint Checker (IaC Security Scanning)

What is IaC?

Infrastructure as Code (IaC) means describing your servers and networks in code files, which a tool such as Terraform then turns into real infrastructure.

Instead of clicking buttons to create a server:

# Create a server with code!
resource "aws_instance" "web" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
}

Why Scan IaC?

Your blueprints might have mistakes:

  • Databases open to the whole internet
  • Storage buckets anyone can read
  • Servers with no encryption

IaC Scanning = Blueprint Review

Before building a house, an inspector checks the plans. Same for infrastructure!

graph TD
    A["IaC Files"] -->|Scan| B["IaC Scanner"]
    B -->|Safe| C["Deploy Infrastructure"]
    B -->|Problems| D["Fix Code"]
    D -->|Scan Again| B

Common IaC Mistakes

| Mistake | Risk | Fix |
|---------|------|-----|
| Public S3 bucket | Data leak | Make private |
| No encryption | Data theft | Enable encryption |
| Open security group | Hackers enter | Restrict ports |
| Hardcoded secrets | Password exposed | Use vault |

Popular IaC Scanners

  • Checkov - Covers many platforms
  • tfsec - Focused on Terraform
  • KICS - Works with everything
  • Terrascan - Policy as code

Real Example: Using Checkov

Bad Terraform Code:

# S3 bucket - INSECURE!
resource "aws_s3_bucket" "data" {
  bucket = "my-bucket"
  acl    = "public-read"
}

Checkov Output:

Check: CKV_AWS_19
FAILED for resource: aws_s3_bucket.data
Guide: Ensure S3 bucket has encryption enabled

Fixed Code:

# S3 bucket - SECURE!
resource "aws_s3_bucket" "data" {
  bucket = "my-bucket"
}

resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "private"
}

# Encryption at rest: the AWS provider configures it as its own resource
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
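To show what a blueprint check actually does, here is an added example (not Checkov's code, and not from the page) of a tiny scanner that runs two Checkov-style rules over the insecure and fixed S3 snippets above: a public ACL check modelled on CKV_AWS_20 and an encryption-at-rest check modelled on CKV_AWS_19. The regex-based HCL parsing and the function name check_s3 are assumptions for the demo; real Checkov parses Terraform properly and ships hundreds of checks.

```python
import re

# Constructed copies of the page's INSECURE and fixed Terraform snippets.
BAD_TF = '''
resource "aws_s3_bucket" "data" {
  bucket = "my-bucket"
  acl    = "public-read"
}
'''
GOOD_TF = '''
resource "aws_s3_bucket" "data" {
  bucket = "my-bucket"
}
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "private"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}
'''

# Top-level resource blocks; the body may nest braces up to two levels deep.
BLOCK = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{((?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})*)\}')
PUBLIC_ACL = re.compile(r'\bacl\s*=\s*"(public-read|public-read-write)"')
ENC_TYPE = "aws_s3_bucket_server_side_encryption_configuration"

def check_s3(hcl: str) -> list:
    """Return Checkov-style failures for every aws_s3_bucket in the HCL.
    Checks modelled on CKV_AWS_20 (public READ ACL) and CKV_AWS_19 (encryption)."""
    blocks = BLOCK.findall(hcl)
    failures = []
    for rtype, name, body in blocks:
        if rtype != "aws_s3_bucket":
            continue
        ref = f"aws_s3_bucket.{name}.id"
        # The ACL may be inline (older provider) or in a separate aws_s3_bucket_acl.
        acl_bodies = [body] + [b for t, _, b in blocks if t == "aws_s3_bucket_acl" and ref in b]
        if any(PUBLIC_ACL.search(b) for b in acl_bodies):
            failures.append(f"CKV_AWS_20 FAILED for resource: aws_s3_bucket.{name}: public ACL")
        if not any(t == ENC_TYPE and ref in b for t, _, b in blocks):
            failures.append(f"CKV_AWS_19 FAILED for resource: aws_s3_bucket.{name}: no encryption")
    return failures

if __name__ == "__main__":
    for label, tf in (("bad", BAD_TF), ("fixed", GOOD_TF)):
        print(label, check_s3(tf) or ["PASSED"])
```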

IaC Security Checklist

  • [ ] No hardcoded secrets
  • [ ] Encryption enabled everywhere
  • [ ] Least privilege access
  • [ ] Network restrictions in place
  • [ ] Logging enabled
  • [ ] Tags for tracking

Putting It All Together

The Complete Pipeline

graph TD
    A["Write Code"] -->|Push| B["Git Repository"]
    B -->|Trigger| C["CI/CD Pipeline"]
    C -->|Step 1| D["Secrets Check"]
    D -->|Step 2| E["Container Scan"]
    E -->|Step 3| F["IaC Scan"]
    F -->|All Pass| G["Deploy!"]
    D -->|Fail| H["Stop & Fix"]
    E -->|Fail| H
    F -->|Fail| H

Quick Reference

| Guard | What It Protects | Tools |
|-------|------------------|-------|
| Secrets Management | Passwords, Keys | Vault, AWS Secrets |
| Container Scanning | Docker Images | Trivy, Snyk |
| IaC Scanning | Terraform, CloudFormation | Checkov, tfsec |

Remember

  1. Secrets = Keep passwords in vaults, not code
  2. Containers = Scan images for vulnerabilities
  3. IaC = Check blueprints before building

You’re Now a Security Hero!

You learned how to protect your digital castle with three powerful guards:

  • Secret Keeper hides your passwords safely
  • Container Inspector checks every box for dangers
  • Blueprint Checker reviews your plans before building

Your code is now safer, stronger, and smarter!

Next time you see a password in code or an unscanned container, you’ll know exactly what to do. You’ve got this!
