Add to FAQ: Are Cloud Posse Terraform Modules Secure?

Open osterman opened this issue 7 years ago • 0 comments

question

Including an externally-controlled Terraform module as part of your infrastructure feels like a huge security concern. If a malicious actor somehow got write access to this repository, they could add an instance to the module with their own SSH key and some startup script to report to a control server. Then, the next time someone updates their infrastructure, the hacker would have direct access to a host inside your network.

Might it be better to do something like:

  1. Fork the repo into your own namespace and use that git URL
  2. Copy the module source directly into your repo
  3. Add this repository as a submodule of your own (Least secure but still more secure as you have to manually update it)

answer

See: https://github.com/cloudposse/terraform-aws-dynamodb-autoscaler/issues/9

osterman, Dec 14 '18 22:12
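
One way to see which of the options listed in the question a configuration actually uses, as an added example that is not part of the original issue or of Cloud Posse's code: a small Python scan that labels each module `source` as local (options 2 and 3), in your own namespace (option 1), or external. The namespace `example-org`, the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration; "example-org" is a hypothetical namespace.
SAMPLE_TF = '''
module "upstream" {
  source = "git::https://github.com/cloudposse/terraform-aws-dynamodb-autoscaler.git"
}
module "forked" {
  source = "git::https://github.com/example-org/terraform-aws-dynamodb-autoscaler.git"
}
module "vendored" {
  source = "./modules/dynamodb-autoscaler"
}
module "registry" {
  source = "cloudposse/dynamodb-autoscaler/aws"
}
'''

MODULE_HEADER = re.compile(r'^\s*module\s+"([^"]+)"\s*\{', re.M)
SOURCE_ATTR = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.M)
HOSTED = re.compile(r'(?:[\w-]+\.)+[a-z]+[:/]([\w.-]+)/')  # host/owner/ or host:owner/
REGISTRY = re.compile(r'^([\w-]+)/[\w-]+/[\w-]+$')         # namespace/name/provider

def classify(source, own_namespace):
    """Return 'local', 'own-namespace' or 'external' for one module source."""
    if source.startswith(("./", "../")):
        return "local"  # copied into the repo or checked out as a submodule
    m = HOSTED.search(source) or REGISTRY.match(source)
    owner = m.group(1) if m else None
    # Anything whose owner cannot be determined is treated as external.
    return "own-namespace" if owner == own_namespace else "external"

def audit(tf_text, own_namespace):
    """Map each module name to (source, verdict). Regex scan, not a full HCL parser."""
    headers = list(MODULE_HEADER.finditer(tf_text))
    report = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(tf_text)
        src = SOURCE_ATTR.search(tf_text, h.end(), end)
        if src:
            report[h.group(1)] = (src.group(1), classify(src.group(1), own_namespace))
    return report

if __name__ == "__main__":
    for name, (source, verdict) in audit(SAMPLE_TF, "example-org").items():
        print(f"{verdict:14} {name:10} {source}")
```

Modules reported as `external` are the ones whose content changes whenever the upstream repository does.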