AWS Partner Network (APN) Blog
How to Shift Left Security in Infrastructure as Code Using AWS CDK and Checkmarx KICS
By Mike Smythe, Global Tech Alliances Marketing Manager – Checkmarx
By Felix Berman, Sr. Solutions Architect – AWS
The combination of infrastructure as code (IaC) with “shift left” in application security is a cornerstone of modern software development, because it allows higher delivery velocity and improves security and reliability of the deployed workloads.
IaC automates provisioning and management of IT infrastructure through code, resembling the software development cycle. It helps eliminate manual, error-prone processes, and create consistency across environments, which in turn helps reduce maintenance costs and lower the risk of production issues.
Shift left in application security helps address security issues in code long before the software is released. It allows for early detection and prevention of cyber security threats.
In this post, we will explore the reasons and methods for integrating security and compliance shift left practices into IaC using AWS Cloud Development Kit (AWS CDK) and Checkmarx KICS (Keep Infrastructure as Code Secure).
AWS CDK is an open-source IaC development framework for defining AWS resources and provisioning processes. Rather than introducing its own grammar, CDK uses modern programming languages, making it a natural entry point for developers that build cloud applications.
KICS is an open-source project maintained by Checkmarx, an AWS Specialization Partner and AWS Marketplace Seller with the AWS Competencies in Security and DevOps. A leading application security provider, Checkmarx offers a comprehensive cloud-native suite of services that helps reduce risk across all components of modern software.
Validating IaC for Security and Compliance
Infrastructure as code is the part of the application codebase responsible for defining cloud resources and securing access to them. Should there be security issues or misconfigurations in the IaC code, the deployment process replicates them into the live infrastructure, which can lead to security risks or deviations from compliance standards.
Applying secure and compliant coding practices to IaC helps mitigate the scenario above, and is therefore mandatory.
CDK Policy Validation
Recently, AWS released the policy validation at synthesis time feature in the AWS Cloud Development Kit. This feature enables integration of policy-as-code tools that provide fast and actionable feedback about security or configuration issues, as defined by organizational policies.
Besides reducing the risk of cyber security threats, policy validations help increase development velocity.
Deployment attempts of CDK applications may fail due to violation of organizational policies enforced in the cloud environments. Failures in the deployment phase impede your progress, so policy validations help you fix compliance issues early in the development cycle and improve the success rate of the deployment phase for your CDK applications.
Checkmarx KICS
Checkmarx KICS performs static code analysis to find security vulnerabilities, compliance issues, and infrastructure misconfigurations in IaC solutions, such as AWS CloudFormation, Terraform, Kubernetes, and more. It’s a popular open-source solution available under Apache 2.0 license, with more than 2.4 million downloads. The code is available on GitHub.
With the release of CDK policy validation feature, Checkmarx has teamed up with AWS and created the KICS CDK policy validation plugin. With this plugin, Checkmarx KICS is now available in the AWS CDK.
The KICS CDK plugin is a policy-as-code tool, which works with CDK applications written in JavaScript or TypeScript. The CDK invokes the plugin during the synthesis phase, in which the plugin scans your CDK code for vulnerabilities and misconfigurations. The plugin reports its findings in the CDK output at five different severity levels: trace, info, low, medium, and high.
Integration Walkthrough
Prerequisites
To follow the instructions in this walkthrough, you need a CDK application written in JavaScript or TypeScript. To create a CDK application, follow these instructions in the AWS CDK documentation.
If you do not want to follow the walkthrough hands-on, you can still benefit from reading this post without creating an example.
Installation
Assuming you have a CDK application written in JavaScript or TypeScript, all that’s needed to start using the KICS validation plugin is to add it as a dependency.
In the shell, in the main directory of your CDK application, run:
npm install @checkmarx/cdk-validator-kics
Usage in Code
Once installed, configure the plugin in the code where you instantiate the CDK App object, as shown below:
Once you do that, every time CDK finishes synthesizing an AWS CloudFormation template, it triggers the KICS plugin automatically.
Running the Example
To demonstrate the validation during the synthesis phase, in the CDK application main directory, run:
cdk synth
Here’s an example of the plugin output:
Performing Policy Validations
Validation Report
-----------------
╔═══════════════════════════════════════╗
║ Plugin Report ║
║ Plugin: kics-cdk-validator-plugin ║
║ Version: N/A ║
║ Status: failure ║
╚═══════════════════════════════════════╝
(Violations)
S3 Bucket Without SSL In Write Actions (1 occurrences)
Severity: HIGH
Occurrences:
- Construct Path: ExampleStack/Bucket/Resource
- Template Path: cdk.out/ExampleStack.template.json
- Creation Stack:
└── ExampleStack (ExampleStack)
│ Construct: aws-cdk-lib.Stack
│ Library Version: 2.121.1
│ Location: Run with '--debug' to include location info
└── Bucket (ExampleStack/Bucket)
│ Construct: aws-cdk-lib.aws_s3.Bucket
│ Library Version: 2.121.1
│ Location: Run with '--debug' to include location info
└── Resource (ExampleStack/Bucket/Resource)
│ Construct: aws-cdk-lib.aws_s3.CfnBucket
│ Library Version: 2.121.1
│ Location: Run with '--debug' to include location info
- Resource ID: Bucket83908E77
- Template Locations:
> Resources.Bucket83908E77
Description: S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
How to fix: https://docs.thinkwithwp.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
Rule Metadata:
Category: Encryption
QueryId: 38c64e76-c71e-4d92-a337-60174d1de1c9
Policy Validation Report Summary
╔═══════════════════════════╤═════════╗
║ Plugin │ Status ║
╟───────────────────────────┼─────────╢
║ kics-cdk-validator-plugin │ failure ║
╚═══════════════════════════╧═════════╝
Validation failed. See the validation report above for details
Subprocess exited with error 1
In the above example, the plugin reported one issue: S3 Bucket Without SSL in Write Actions. The output shows the location of each occurrence of the issue (one occurrence in this case).
Next, the output states the reason for the issue: S3 buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL). It also links to relevant documentation (in this case, the AWS CloudFormation User Guide) where you can find information that helps you fix the issue.
Note that if a plugin reports a medium or high severity finding, the CDK command fails.
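To make the finding concrete, here is an added example (not code from the post or from the KICS project): a simplified TypeScript check over a synthesized CloudFormation template, in the spirit of the "S3 Bucket Without SSL In Write Actions" query, run against the report's bucket Bucket83908E77 both without a bucket policy and with the Deny-unless-TLS policy that setting enforceSSL: true on an s3.Bucket construct makes the CDK emit. Both templates and the BucketPolicyExample logical ID are constructed for this example; the real KICS query is written in Rego and covers more cases than this simplification.

```typescript
// Added example (not the post's or KICS's own code): a simplified local check in the
// spirit of the "S3 Bucket Without SSL In Write Actions" finding. It walks a synthesized
// CloudFormation template (as written to cdk.out/) and lists every AWS::S3::Bucket that
// lacks a bucket policy denying write actions when aws:SecureTransport is false.

type Template = { Resources: Record<string, any> };

// True if the statement denies s3:* or S3 write actions for requests made without TLS.
function deniesInsecureWrites(stmt: any): boolean {
  const secure = stmt?.Condition?.Bool?.["aws:SecureTransport"];
  const actions: string[] = ([] as string[]).concat(stmt?.Action ?? []);
  const coversWrites = actions.some((a) => a === "s3:*" || a.startsWith("s3:Put"));
  return stmt?.Effect === "Deny" && String(secure) === "false" && coversWrites;
}

// Returns the logical IDs of buckets that have no TLS-enforcing bucket policy.
function bucketsWithoutSsl(tpl: Template): string[] {
  const covered = new Set<string>();
  for (const res of Object.values(tpl.Resources)) {
    if (res.Type !== "AWS::S3::BucketPolicy") continue;
    const bucketId = res.Properties?.Bucket?.Ref; // the CDK emits { Ref: <bucket id> }
    const stmts = ([] as any[]).concat(res.Properties?.PolicyDocument?.Statement ?? []);
    if (bucketId && stmts.some(deniesInsecureWrites)) covered.add(bucketId);
  }
  return Object.entries(tpl.Resources)
    .filter(([id, r]) => r.Type === "AWS::S3::Bucket" && !covered.has(id)).map(([id]) => id);
}

// Constructed sample: the bucket from the report above, with no bucket policy at all.
const vulnerableTemplate: Template = {
  Resources: { Bucket83908E77: { Type: "AWS::S3::Bucket" } },
};

// Constructed sample: the same bucket plus the Deny-unless-TLS policy that `enforceSSL: true`
// on an s3.Bucket construct makes the CDK emit (the policy's logical ID here is made up).
const hardenedTemplate: Template = {
  Resources: {
    Bucket83908E77: { Type: "AWS::S3::Bucket" },
    BucketPolicyExample: {
      Type: "AWS::S3::BucketPolicy",
      Properties: {
        Bucket: { Ref: "Bucket83908E77" },
        PolicyDocument: { Version: "2012-10-17", Statement: [{
          Effect: "Deny", Principal: { AWS: "*" }, Action: "s3:*",
          Resource: [{ "Fn::GetAtt": ["Bucket83908E77", "Arn"] }],
          Condition: { Bool: { "aws:SecureTransport": "false" } } }] },
      },
    },
  },
};
```

In a real project the plugin itself is registered through the policyValidationBeta1 property of the CDK App props, so the check runs at every cdk synth rather than as a separate script.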
Conclusion
In this post, we explained why it’s important to scan infrastructure as code (IaC) for security issues and misconfigurations, and explored how using scanner tools at an early stage strengthens your security posture.
With a proactive approach, vulnerabilities and misconfigurations can be prevented efficiently: you detect and address potential security risks early in the lifecycle, before they reach your live infrastructure.
Finally, we showed how to start proactively securing your CDK code in just a few steps by adding the KICS CDK plugin to your CDK projects written in JavaScript or TypeScript.
To learn more about AWS CDK, policy validation, KICS, and Checkmarx:
- Get started with AWS CDK using TypeScript
- Policy validation in AWS CDK documentation
- GitHub repository of KICS CDK plugin
- GitHub repository of the KICS project
- Checkmarx website
Checkmarx – AWS Partner Spotlight
Checkmarx is an AWS Specialization Partner and leading application security provider offering a comprehensive cloud-native suite of services that helps reduce risk across all components of modern software.