Singh, Rashika, Yeboah-Ofori, Abel ORCID: https://orcid.org/0000-0001-8055-9274, Kumar, Saurabh and Ganiyu, Aishat (2025) Fortifying Cloud DevSecOps Security using Terraform Infrastructure as Code Analysis Tools.
In: 2024 International Conference on Electrical and Computer Engineering Researches (ICECER), 04-06 Dec 2024, Gaborone, Botswana.
Abstract
Fortifying Cloud Security has become inevitable due to challenges such as misconfigurations, coding errors, and compromised secrets or passwords that impact infrastructure as a service during infrastructure as code (IaC) automation. These challenges require code analysis tools to enhance security during infrastructure automation. Setting up a simple cloud architecture is quick, but human errors are still common, especially when cloud infrastructure can be deployed with just a few clicks. Terraform provides ready-made infrastructure as code modules to build and scale cloud-hosted applications. However, cyber attackers exploit these vulnerabilities and gain access to sensitive data or resources without authorization due to configuration errors, inadequate storage, and infrastructure manipulation, resulting in unauthorized deployments or alterations. That affects the availability of resources during infrastructure deployment using attacks such as DoS attacks, injection attacks, Man in the Middle (MITM), malware spread, remote code execution (RCE), and phishing attacks to penetrate the cloud infrastructures. The paper aims to analyze Terraform's infrastructure as code in cloud security to fortify codes and assist DevSecOps engineers in identifying misconfiguration in Terraform scripts. The paper's contributions are threefold. First, we explore cloud security by securing IaC solutions on Terraform. We consider security issues, including misconfigurations and coding errors, present in Terraform IaC. Secondly, we implement a static analysis tool for Terraform by comparatively analyzing existing tools. Finally, we provide a comparative analysis of Terraform IaC on tools including Checkov, Tfsec, Tflint, and Terrascan for suitability based on their key features and performance metrics to enhance security.
| Item Type: | Conference or Workshop Item (Paper) |
|---|---|
| ISBN: | 9798331539733 |
| Identifier: | 10.1109/ICECER62944.2024.10920371 |
| Subjects: | Computing > Information security > Cyber security; Computing > Information security; Computing > Intelligent systems |
| Depositing User: | Abel Yeboah-Ofori |
| Date Deposited: | 24 Mar 2025 08:34 |
| Last Modified: | 24 Mar 2025 08:34 |
| URI: | https://repository.uwl.ac.uk/id/eprint/13358 |
| Sustainable Development Goals: | Goal 9: Industry, Innovation, and Infrastructure |