DeepSec 2023 Training: Terraform: Infrastructure as Remote Code Execution – Michael McCabe

Sanna / October 2, 2023 / Conference

This workshop will focus on ways to abuse Terraform to elevate privileges, expose data, and gain further footholds in environments from a developer’s perspective. We’ll cover the common uses of Terraform and how a malicious actor could abuse them. This talk will include multiple demos.

We asked Michael a few more questions about his training.

Please tell us the top 5 facts about your training.

  1. It will be very hands-on and great for folks that aren’t familiar with Terraform or have some experience.
  2. People will start with basic Terraform implementations in the cloud (AWS) and move up to more complex scenarios.
  3. We’ll cover multiple ways to hack via Terraform pipelines.
  4. You’ll learn how to use tools to prevent these abuses.
  5. You’ll have access to the lab code and can continue working with it after the training!

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

This training came out of projects we’ve worked on with clients. The ideas and issues we talk about come from real-world projects that faced them. We wanted to share both the good and bad of Terraform security and how security teams should think about it.

Why do you think this is an important topic?

Infrastructure as code, and Terraform in particular, are becoming more and more popular. The tools offer a great deal of flexibility and power to developers, but security teams need to understand the impacts of using them. If you’re a red teamer, you can learn about how to abuse Terraform. If you’re a blue teamer, you can learn how to defend against attacks against Terraform.

Is there something you want everybody to know – some good advice for our readers maybe?

Even if you don’t deal with cloud platforms day to day, you will eventually and you can learn more about infrastructure as code during the training!

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your workshop in particular?

I think we’ll see more and more use of infrastructure as code tools in the future. They’ll present as ways for security teams to better integrate security into pipelines to prevent misconfigurations and ways for attackers to gain more of a foothold.


Michael McCabe is the president of Cloud Security Partners. He has released dozens of talks about various security research projects and client work. He is the OWASP Chapter lead for OWASP Northern Virginia. He is one of the maintainers of OWASP Railsgoat.
