Secure Infrastructure as Code (IaC)

About

Infrastructure as Code (IaC) is the practice of managing and provisioning infrastructure from machine-readable definition files (Terraform, CloudFormation, Kubernetes manifests, Ansible playbooks and the like) rather than through manual hardware configuration or interactive consoles. It is a core DevOps practice and is most often used together with cloud computing, where every resource can be created and changed through an API.

For security, IaC cuts both ways.

On the positive side, infrastructure definitions live in version control, so every change can be reviewed, diffed and audited; environments can be rebuilt identically; and misconfigurations can be caught by static analysis before anything is provisioned. On the negative side, a mistake in a shared module is replicated to every environment that uses it, templates and state files are a tempting place for hard-coded credentials, and resources changed by hand outside the code drift from their definition and escape the review process.

Used well, IaC improves security; used carelessly, it automates the deployment of insecure infrastructure. The tools below scan definitions for misconfigurations and secrets so that problems are found at build time rather than in production.
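As an added example (not code from this page or from any of the tools listed below), here is the shape such a build-time gate takes: a small Python policy check over the JSON that `terraform show -json tfplan` emits from a saved plan. It relies on the documented plan layout (planned_values, root_module, resources and child_modules); the sample plan, the rule names and the three rules themselves are constructed for illustration.

```python
"""Gate a Terraform plan before `terraform apply`.

Added example, not part of any tool on this page: a minimal policy check of
the kind tfsec, Checkov, Terrascan or Regula apply, run over the JSON that
`terraform show -json tfplan` emits. Rule IDs and the sample plan are made up.
"""
import json
import re
from dataclasses import dataclass
from typing import Any, Iterator

AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key ID shape
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample, abridged to the fields the rules below read. The access
# key is the placeholder AWS uses in its own documentation, not a live key.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.bastion", "type": "aws_security_group",
             "values": {"ingress": [
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}},
            {"address": "aws_db_instance.app", "type": "aws_db_instance",
             "values": {"engine": "postgres", "publicly_accessible": True,
                        "storage_encrypted": False}},
        ],
        "child_modules": [{"address": "module.cache", "resources": [
            {"address": "module.cache.aws_security_group.redis", "type": "aws_security_group",
             "values": {"ingress": [{"from_port": 6379, "to_port": 6379, "protocol": "tcp",
                                     "cidr_blocks": ["10.0.0.0/8"]}]}},
            {"address": "module.cache.aws_lambda_function.worker", "type": "aws_lambda_function",
             "values": {"environment": [{"variables": {
                 "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}}]}},
        ]}],
    }},
})


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    message: str


def iter_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def iter_strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a resource's values."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from iter_strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from iter_strings(item)


def covers_port(rule: dict[str, Any], port: int) -> bool:
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
    return (lo == 0 and hi == 0) or lo <= port <= hi  # 0/0 means "all ports" in the AWS provider


def check_resource(res: dict[str, Any]) -> Iterator[Finding]:
    values = res.get("values") or {}
    if res["type"] == "aws_security_group":
        for rule in values.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if cidrs & WORLD_CIDRS and covers_port(rule, 22):
                yield Finding("SG-SSH-WORLD", res["address"], "SSH (22) open to the whole internet")
    elif res["type"] == "aws_db_instance":
        if values.get("publicly_accessible"):
            yield Finding("RDS-PUBLIC", res["address"], "publicly_accessible = true")
        if not values.get("storage_encrypted"):
            yield Finding("RDS-UNENCRYPTED", res["address"], "storage_encrypted is not true")
    # The secret check runs on every resource type, like a ggshield-style scan.
    if any(AWS_ACCESS_KEY_RE.search(s) for s in iter_strings(values)):
        yield Finding("SECRET-AWS-KEY", res["address"], "AWS access key ID literal in values")


def check_plan(plan_json: str) -> list[Finding]:
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [f for res in iter_resources(root) for f in check_resource(res)]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = check_plan(text)
    for f in findings:
        print(f"{f.rule:16} {f.address}: {f.message}")
    sys.exit(1 if findings else 0)  # non-zero exit blocks the apply step in CI
```

In a pipeline this sits between `terraform plan -out tfplan; terraform show -json tfplan > plan.json` and `terraform apply`, with the non-zero exit code failing the job. The real scanners ship hundreds of such rules, parse HCL and CloudFormation directly and understand modules and variables; the point of the example is where the gate sits and what a rule looks like, including the secret check that catches a credential pasted into a definition.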

Tools

  • Aqua tfsec (web): a static analysis security scanner for Terraform code. Aqua has since folded tfsec's checks into Trivy, which also scans other IaC formats.

  • Tenable Terrascan (web): detects compliance and security violations across IaC (Terraform, CloudFormation, Kubernetes, Helm and others) before cloud-native infrastructure is provisioned; its policies are written in Rego and evaluated with Open Policy Agent.

  • Bridgecrew Checkov (web): finds cloud misconfigurations at build time in IaC (Terraform, CloudFormation, Kubernetes, Helm, ARM and others) and vulnerabilities in container images and open source packages. Bridgecrew is now part of Palo Alto Networks.

  • Regula (web): checks IaC templates (Terraform, CloudFormation, Kubernetes manifests) against AWS, Azure, Google Cloud and Kubernetes security and compliance rules written in Rego and evaluated with Open Policy Agent.

  • terraform-compliance (web): a lightweight, security and compliance focused BDD test framework for Terraform that runs against the plan, enabling negative testing (asserting what must never be provisioned) for your infrastructure as code.

  • Checkmarx KICS (web): Keeping Infrastructure as Code Secure, an open source static analysis tool for IaC covering Terraform, CloudFormation, Kubernetes, Docker, Ansible and other formats.

  • Stelligent cfn_nag: looks for patterns in CloudFormation templates that may indicate insecure infrastructure, such as wildcard IAM policies, security groups open to 0.0.0.0/0, disabled encryption or access logging, and password literals.

  • ggshield (GitGuardian): finds hardcoded secrets in source, git history and CI, and (via `ggshield iac scan`) misconfigurations in infrastructure-as-code files.

  • Ansible Lint (web): ansible-lint checks playbooks, roles and collections for practices and behaviour that could be improved. It is primarily a quality linter, with a smaller set of security-relevant rules such as flagging tasks that handle passwords without `no_log`.
