BIPI
BIPI

Terraform and IaC Pentesting: tfstate Theft, Provider Backdoors, Drift Abuse

Cloud Security

Terraform creates infrastructure and also creates a new attack surface. We cover tfstate exfil, provider backdoors, and the operational misuse of drift.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 17, 2024 · 11 min read

#terraform#iac#pentesting#supply-chain#devsecops

Infrastructure as Code centralizes power. The same Terraform run that deploys a load balancer also rotates production database passwords, creates IAM roles, and writes a state file that contains every secret it touched. Attackers have noticed.

tfstate as a treasure map

Terraform state files are plain JSON unless explicitly encrypted, and they contain provider configuration, resource attributes, and often raw secrets like database passwords and TLS private keys. A compromised state backend, whether S3, GCS, Azure Blob, or Terraform Cloud, is a complete inventory plus credentials for the environment it manages.

  • S3 backend without bucket-level Block Public Access and KMS encryption
  • Local state checked into a private repo that turns public during a misconfig
  • Terraform Cloud workspaces with overly broad team access to state
  • State files copied to engineers' laptops for debugging and never deleted

Malicious providers and modules

Terraform providers are arbitrary Go binaries downloaded from the registry and executed during plan and apply. A typosquat or compromised provider can exfiltrate every variable, every credential, and every plan output. Modules from the public registry have the same risk at the HCL level: a module can introduce resources you did not intend, including IAM bindings, with names you do not scrutinize.

  1. Pin provider versions with strict constraints and verify with required_providers source
  2. Pin module sources to specific commits, not branches or tags that can move
  3. Mirror providers and modules through an internal registry rather than the public one
  4. Review provider release notes before bumping versions in production workspaces

Drift abuse

If an attacker can make changes in the cloud console that Terraform does not reconcile, the changes survive between applies. A quiet IAM role added out of band is reverted only if someone notices drift. Most teams run drift detection weekly at best, which is plenty of time for an attacker to use and remove the backdoor before reconciliation.

CI integration weaknesses

  • Long-lived cloud credentials in CI variables instead of OIDC-issued short-lived tokens
  • Plan output uploaded as a public artifact, revealing resource graphs and sometimes secrets
  • Atlantis or similar self-hosted apply tools with weak webhook authentication
  • Approval gates that approve plan output but apply a different plan due to race conditions
Your tfstate is a credentialed map of your cloud. If it is in S3 without encryption and bucket policies, it is a breach waiting for a wget.

Detection

  1. CloudTrail or audit logs for GetObject on the state backend from unexpected principals
  2. Plan diff inspection in CI, alerting on new IAM bindings or new public exposure
  3. Drift detection on a schedule with alerting on out-of-band changes
  4. Provider hash verification in CI, comparing downloaded binaries to known good

Remediation

  1. Encrypt state at rest with customer-managed KMS keys and restrict decrypt to the CI role
  2. Use Terraform Cloud or Atlantis with OIDC-issued cloud credentials per workspace
  3. Run terraform plan inside isolated short-lived runners, not on developer laptops
  4. Adopt checkov or tfsec in CI for static analysis of the HCL itself
  5. Pin provider and module versions and mirror them through a private registry
  6. Schedule drift detection daily and alert humans on unexpected diffs
12%
of state files we have audited contained at least one plaintext secret
Weekly
average drift detection frequency, which is too slow for active intrusions

Closing

Terraform is a force multiplier, which means a compromised IaC pipeline is also a force multiplier. The state backend, the provider chain, and the CI runner together form a single attack surface. Harden all three, or accept that your fastest path to cloud admin runs through your DevOps team's GitHub repo.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.