SlideShare ist ein Scribd-Unternehmen logo
1 von 22
Downloaden Sie, um offline zu lesen
DevSecOps, IaC Drift &
Driftctl
Stackconf 2021, June 16th
Agenda
● Learning from IaC users (causes, consequences, solutions)
● Stories & Live Demos
● Q&A
Story
● ❤️ GitOps
● 🥰Users
● 😱 Drift
TL;DR
Almost everyone has experienced infrastructure drift recently.
There's security implications to not knowing about drifts.
We built driftctl to help.
whoami
Stephane Jourdan:
● @sjourdan (Twitter, GitHub, GitLab,…)
● 20 years (Dev)Ops
● Co-founded 3 tech companies (🇨🇦 | 🇪🇺) and 1 sound studio.
● “Infrastructure-as-Code Cookbook” author
● Driftctl tool co-founder! cloudskiff/driftctl
Definition
Infrastructure Drift / ˈɪn frəˌstrʌk tʃər drɪft /
Noun
1. happens when the reality and the expectations don’t match.
Synonyms for Infrastructure Drift
1. omg
drift?
AWS account
Expected state Actual state
Diff?
© @christophetd
Understanding drift
Infrastructure As Code
Managed resources
Unmanaged resources
Cloud Infrastructure
Bash scripts
Manual changes via the AWS console
That one product you can only deploy
with CloudFormation
Lambda functions dynamically
creating/updating
infrastructure
Why is it so important?
➔ Companies are massively adopting
infrastructure automation
➔ Drift is a blind spot for DevSecOps
➔ Drift introduces compliance and
security issues
➔ Parity between code and cloud is a
prerequisite to shifting security to the
left (moving security sooner in the
development process)
Blind Spots
How can you know about misconfigurations
If you don't even know about existing resources?
Stories!
How a simple lambda with read-only access ended
up with rogue Administrative access and keys
- without anyone noticing
Quick AWS IAM Story
How someone opened up everything to anyone on
IPv4 & IPv6
- without anyone noticing
Quick AWS Security Group Story
How a scripting issue created a billing nightmare
- With only billing noticing
Quick AWS S3 Story
$ driftctl scan --output json://./output.json
$ jq '.coverage' < output.json
75
JSON Output
$ driftctl scan --filter "Type=='aws_security_group_rule'"
Scanning resources: ⣯ (51)
Found unmanaged resources:
aws_security_group_rule:
- Type: ingress, SecurityGroup: sg-00c1621e81e5b17c1, Protocol: All,
Ports: All, Source: 0.0.0.0/0
Driftctl Filters
$ head .driftignore
aws_iam_user.terraform
[...]
$ driftctl gen-driftignore
Driftctl Ignore
Show GitOps ❤️
- Circle CI Orb
- GitHub Action
- Gitlab CI
- ...
CI Integration
driftctl
Our own open-source solution for drift management
■ AWS & GitHub Support (more to come)
■ Terraform State support (local/S3/HTTP)
■ Filtering & Ignore support
■ Written in Go
■ Apache 2.0 License
cloudskiff/driftctl driftctl.com/d
TL;DR (Closing)
Almost everyone has experienced infrastructure drift recently.
We built driftctl to help.
driftctl
Our own open-source solution for drift management
Why
- Even the best teams didn’t automate everything
- Scripts / Lambdas / Microservices are authenticated
- Customers and bosses do exist (with admin credentials)

Weitere ähnliche Inhalte

Was ist angesagt?

DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...
DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...
DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...Icinga
 
5 Kubernetes Security Tools You Should Use
5 Kubernetes Security Tools You Should Use5 Kubernetes Security Tools You Should Use
5 Kubernetes Security Tools You Should UseDevOps.com
 
CWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london   becoming cloud native part 2 - guy martin dockerCWIN17 london   becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin dockerCapgemini
 
Image Scanning Best Practices for Containers and Kubernetes
Image Scanning Best Practices for Containers and KubernetesImage Scanning Best Practices for Containers and Kubernetes
Image Scanning Best Practices for Containers and KubernetesDevOps.com
 
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018Cloudify Community
 
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...DevOps.com
 
cncf overview and building edge computing using kubernetes
cncf overview and building edge computing using kubernetescncf overview and building edge computing using kubernetes
cncf overview and building edge computing using kubernetesKrishna-Kumar
 
StampedeCon 2015 Keynote
StampedeCon 2015 KeynoteStampedeCon 2015 Keynote
StampedeCon 2015 KeynoteKen Owens
 
Compass digital ocean’s customer advisory group 2021_10
Compass digital ocean’s customer advisory group 2021_10Compass digital ocean’s customer advisory group 2021_10
Compass digital ocean’s customer advisory group 2021_10Pierre Mavro
 
Enabling Microservices Frameworks to Solve Business Problems
Enabling Microservices Frameworks to Solve  Business ProblemsEnabling Microservices Frameworks to Solve  Business Problems
Enabling Microservices Frameworks to Solve Business ProblemsKen Owens
 
Cloud Automation with ProActive
Cloud Automation with ProActiveCloud Automation with ProActive
Cloud Automation with ProActiveBrian AMEDRO
 
Application Centric Microservices Architecture
Application Centric Microservices ArchitectureApplication Centric Microservices Architecture
Application Centric Microservices ArchitectureKen Owens
 
From Community to Enterprise and Back Again! Chris Wright, Red Hat
From Community to Enterprise and Back Again! Chris Wright, Red HatFrom Community to Enterprise and Back Again! Chris Wright, Red Hat
From Community to Enterprise and Back Again! Chris Wright, Red HatOpenStack
 
Cloud Native Summit 2019 Summary
Cloud Native Summit 2019 SummaryCloud Native Summit 2019 Summary
Cloud Native Summit 2019 SummaryEverett Toews
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesMitchell Pronschinske
 
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - HighlightsKubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - HighlightsKrishna-Kumar
 
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...apidays
 
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...apidays
 
The Future of Energy - Decentral energy distribution in a digital world
The Future of Energy - Decentral energy distribution in a digital worldThe Future of Energy - Decentral energy distribution in a digital world
The Future of Energy - Decentral energy distribution in a digital worldEficode
 

Was ist angesagt? (20)

DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...
DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...
DevOps monitoring: Best Practices using OpenShift combined with Icinga & Big ...
 
5 Kubernetes Security Tools You Should Use
5 Kubernetes Security Tools You Should Use5 Kubernetes Security Tools You Should Use
5 Kubernetes Security Tools You Should Use
 
CWIN17 london becoming cloud native part 2 - guy martin docker
CWIN17 london   becoming cloud native part 2 - guy martin dockerCWIN17 london   becoming cloud native part 2 - guy martin docker
CWIN17 london becoming cloud native part 2 - guy martin docker
 
Image Scanning Best Practices for Containers and Kubernetes
Image Scanning Best Practices for Containers and KubernetesImage Scanning Best Practices for Containers and Kubernetes
Image Scanning Best Practices for Containers and Kubernetes
 
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018
Edge Orchestration & Federated Kubernetes Clusters - Open Networking Summit 2018
 
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...
Running a Cost-Effective DynamoDB-Compatible Database on Managed Kubernetes S...
 
Intro - Cloud Native
Intro - Cloud NativeIntro - Cloud Native
Intro - Cloud Native
 
cncf overview and building edge computing using kubernetes
cncf overview and building edge computing using kubernetescncf overview and building edge computing using kubernetes
cncf overview and building edge computing using kubernetes
 
StampedeCon 2015 Keynote
StampedeCon 2015 KeynoteStampedeCon 2015 Keynote
StampedeCon 2015 Keynote
 
Compass digital ocean’s customer advisory group 2021_10
Compass digital ocean’s customer advisory group 2021_10Compass digital ocean’s customer advisory group 2021_10
Compass digital ocean’s customer advisory group 2021_10
 
Enabling Microservices Frameworks to Solve Business Problems
Enabling Microservices Frameworks to Solve  Business ProblemsEnabling Microservices Frameworks to Solve  Business Problems
Enabling Microservices Frameworks to Solve Business Problems
 
Cloud Automation with ProActive
Cloud Automation with ProActiveCloud Automation with ProActive
Cloud Automation with ProActive
 
Application Centric Microservices Architecture
Application Centric Microservices ArchitectureApplication Centric Microservices Architecture
Application Centric Microservices Architecture
 
From Community to Enterprise and Back Again! Chris Wright, Red Hat
From Community to Enterprise and Back Again! Chris Wright, Red HatFrom Community to Enterprise and Back Again! Chris Wright, Red Hat
From Community to Enterprise and Back Again! Chris Wright, Red Hat
 
Cloud Native Summit 2019 Summary
Cloud Native Summit 2019 SummaryCloud Native Summit 2019 Summary
Cloud Native Summit 2019 Summary
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
 
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - HighlightsKubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
KubeCon + CloudNativeCon Barcelona and Shanghai 2019 - Highlights
 
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...
APIdays Paris 2018 - From real-life challenges to industrial IoT solutions, i...
 
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...
APIdays Paris 2018 - Cloud computing - we went through every steps of the Gar...
 
The Future of Energy - Decentral energy distribution in a digital world
The Future of Energy - Decentral energy distribution in a digital worldThe Future of Energy - Decentral energy distribution in a digital world
The Future of Energy - Decentral energy distribution in a digital world
 

Ähnlich wie stackconf 2021 | Why you should take care of infrastructure drift

AWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast ForwardAWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast ForwardShuen-Huei Guan
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONAdrian Cockcroft
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...Henning Jacobs
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!treyka
 
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlFOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlStephane Jourdan
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...VISEO
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersJavan Rasokat
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
Hashitalks 2021 Infrastructure Drift & Driftctl
Hashitalks 2021 Infrastructure Drift & Driftctl Hashitalks 2021 Infrastructure Drift & Driftctl
Hashitalks 2021 Infrastructure Drift & Driftctl Stephane Jourdan
 
Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)Yan Cui
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
 
Serverless in production, an experience report
Serverless in production, an experience reportServerless in production, an experience report
Serverless in production, an experience reportYan Cui
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...DevOpsDays Tel Aviv
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Demi Ben-Ari
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Codemotion
 
Cloud State of the Union for Java Developers
Cloud State of the Union for Java DevelopersCloud State of the Union for Java Developers
Cloud State of the Union for Java DevelopersBurr Sutter
 
Scalable Open-Source IoT Solutions on Microsoft Azure
Scalable Open-Source IoT Solutions on Microsoft AzureScalable Open-Source IoT Solutions on Microsoft Azure
Scalable Open-Source IoT Solutions on Microsoft AzureMaxim Ivannikov
 

Ähnlich wie stackconf 2021 | Why you should take care of infrastructure drift (20)

AWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast ForwardAWS re:Invent 2016 Fast Forward
AWS re:Invent 2016 Fast Forward
 
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCONMicroservices Application Tracing Standards and Simulators - Adrians at OSCON
Microservices Application Tracing Standards and Simulators - Adrians at OSCON
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...
Why we don’t use the Term DevOps: the Journey to a Product Mindset - Destinat...
 
STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!STIX Patterning: Viva la revolución!
STIX Patterning: Viva la revolución!
 
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & DriftctlFOSDEM 2021 - Infrastructure as Code Drift & Driftctl
FOSDEM 2021 - Infrastructure as Code Drift & Driftctl
 
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
What’s new in Microsoft ALM 2013, hosted in Windows Azure, VISUAL STUDIO ONLI...
 
OWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA TestersOWASP ZAP Workshop for QA Testers
OWASP ZAP Workshop for QA Testers
 
Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
 
Hashitalks 2021 Infrastructure Drift & Driftctl
Hashitalks 2021 Infrastructure Drift & Driftctl Hashitalks 2021 Infrastructure Drift & Driftctl
Hashitalks 2021 Infrastructure Drift & Driftctl
 
Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)Serverless in production, an experience report (FullStack 2018)
Serverless in production, an experience report (FullStack 2018)
 
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ -  Automated Malware AnalysisIstSec'14 - İbrahim BALİÇ -  Automated Malware Analysis
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
 
Serverless in production, an experience report
Serverless in production, an experience reportServerless in production, an experience report
Serverless in production, an experience report
 
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
 
Cloud State of the Union for Java Developers
Cloud State of the Union for Java DevelopersCloud State of the Union for Java Developers
Cloud State of the Union for Java Developers
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Scalable Open-Source IoT Solutions on Microsoft Azure
Scalable Open-Source IoT Solutions on Microsoft AzureScalable Open-Source IoT Solutions on Microsoft Azure
Scalable Open-Source IoT Solutions on Microsoft Azure
 

Kürzlich hochgeladen

Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmuxevmux96
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfICS
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)Roberto Bettazzoni
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...drm1699
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdftimtebeek1
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksJinanKordab
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Maxim Salnikov
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Lisi Hocke
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdfSelfMade bd
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfkalichargn70th171
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit MilanNeo4j
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Flutter Agency
 

Kürzlich hochgeladen (20)

Your Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | EvmuxYour Ultimate Web Studio for Streaming Anywhere | Evmux
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)The mythical technical debt. (Brooke, please, forgive me)
The mythical technical debt. (Brooke, please, forgive me)
 
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
Abortion Pills For Sale WhatsApp[[+27737758557]] In Birch Acres, Abortion Pil...
 
Weeding your micro service landscape.pdf
Weeding your micro service landscape.pdfWeeding your micro service landscape.pdf
Weeding your micro service landscape.pdf
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
Abortion Pill Prices Turfloop ](+27832195400*)[ 🏥 Women's Abortion Clinic in ...
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
Team Transformation Tactics for Holistic Testing and Quality (NewCrafts Paris...
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
Abortion Clinic In Springs ](+27832195400*)[ 🏥 Safe Abortion Pills in Springs...
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 

stackconf 2021 | Why you should take care of infrastructure drift

  • 1. DevSecOps, IaC Drift & Driftctl Stackconf 2021, June 16th
  • 2. Agenda ● Learning from IaC users (causes, consequences, solutions) ● Stories & Live Demos ● Q&A
  • 3. Story ● ❤️ GitOps ● 🥰Users ● 😱 Drift
  • 4. TL;DR Almost everyone has experienced infrastructure drift recently. There's security implications to not knowing about drifts. We built driftctl to help.
  • 5. whoami Stephane Jourdan: ● @sjourdan (Twitter, GitHub, GitLab,…) ● 20 years (Dev)Ops ● Co-founded 3 tech companies (🇨🇦 | 🇪🇺) and 1 sound studio. ● “Infrastructure-as-Code Cookbook” author ● Driftctl tool co-founder! cloudskiff/driftctl
  • 6. Definition Infrastructure Drift / ˈɪn frəˌstrʌk tʃər drɪft / Noun 1. happens when the reality and the expectations don’t match. Synonyms for Infrastructure Drift 1. omg
  • 7. drift? AWS account Expected state Actual state Diff? © @christophetd
  • 8. Understanding drift Infrastructure As Code Managed resources Unmanaged resources Cloud Infrastructure Bash scripts Manual changes via the AWS console That one product you can only deploy with CloudFormation Lambda functions dynamically creating/updating infrastructure
  • 9. Why is it so important? ➔ Companies are massively adopting infrastructure automation ➔ Drift is a blind spot for DevSecOps ➔ Drift introduces compliance and security issues ➔ Parity between code and cloud is a prerequisite to shifting security to the left (moving security sooner in the development process)
  • 10. Blind Spots How can you know about misconfigurations If you don't even know about existing resources?
  • 12. How a simple lambda with read-only access ended up with rogue Administrative access and keys - without anyone noticing Quick AWS IAM Story
  • 13. How someone opened up everything to anyone on IPv4 & IPv6 - without anyone noticing Quick AWS Security Group Story
  • 14. How a scripting issue created a billing nightmare - With only billing noticing Quick AWS S3 Story
  • 15. $ driftctl scan --output json://./output.json $ jq '.coverage' < output.json 75 JSON Output
  • 16. $ driftctl scan --filter "Type=='aws_security_group_rule'" Scanning resources: ⣯ (51) Found unmanaged resources: aws_security_group_rule: - Type: ingress, SecurityGroup: sg-00c1621e81e5b17c1, Protocol: All, Ports: All, Source: 0.0.0.0/0 Driftctl Filters
  • 17. $ head .driftignore aws_iam_user.terraform [...] $ driftctl gen-driftignore Driftctl Ignore
  • 18. Show GitOps ❤️ - Circle CI Orb - GitHub Action - Gitlab CI - ... CI Integration
  • 19. driftctl Our own open-source solution for drift management ■ AWS & GitHub Support (more to come) ■ Terraform State support (local/S3/HTTP) ■ Filtering & Ignore support ■ Written in Go ■ Apache 2.0 License cloudskiff/driftctl driftctl.com/d
  • 20. TL;DR (Closing) Almost everyone has experienced infrastructure drift recently. We built driftctl to help.
  • 21. driftctl Our own open-source solution for drift management
  • 22. Why - Even the best teams didn’t automate everything - Scripts / Lambdas / Microservices are authenticated - Customers and bosses do exist (with admin credentials)