Update terraform-security.md

SirBroccoli
2025-08-19 17:22:04 +02:00
committed by GitHub
parent c76cc24a59
commit 3ff0c8a86f

@@ -304,14 +304,6 @@ With these creds, attackers can create/modify/destroy resources directly using n
- Prefer OIDC/WIF over static cloud credentials; treat runners as sensitive. Monitor speculative plan runs and unexpected egress.
- Detect exfiltration of `tfc-*` credential artifacts and alert on suspicious `external` program usage during plans.
Useful references:
- Permissions: https://developer.hashicorp.com/terraform/cloud-docs/users-teams-organizations/permissions
- Show workspace API: https://developer.hashicorp.com/terraform/cloud-docs/api-docs/workspaces#show-workspace
- AWS provider configuration: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#provider-configuration
- AWS CLI OIDC role: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-configure-role-oidc
- GCP provider with TFC: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference.html#using-terraform-cloud
- Sensitive variables: https://developer.hashicorp.com/terraform/tutorials/configuration-language/sensitive-variables
- Prior art on plan-time RCE: https://alex.kaskaso.li/post/terraform-plan-rce and https://labs.snyk.io/resources/gitflops-dangers-of-terraform-automation-platforms/
## Automatic Audit Tools
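Review bot: the deletion of the eight lines from `Useful references:` through `Prior art on plan-time RCE` removes the only citations backing the mitigations immediately above them (prefer OIDC/WIF over static cloud credentials, detect exfiltration of `tfc-*` credential artifacts, alert on `external` program usage during plans) and the two prior-art links for plan-time RCE, with no replacement in the hunk and no rationale in the commit message `Update terraform-security.md`. If the goal is to reduce link clutter, suggest keeping at least the `Sensitive variables` and `Prior art on plan-time RCE` entries inline next to the mitigation bullets, or relocating the whole list to a references section at the end of the page rather than dropping it, and stating that move in the commit message.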