Infrastructure-as-Code (IaC) Security.

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources. Es gehört zur Kategorie Cloud-Sicherheit der Cybersicherheit.

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.

Infrastructure-as-Code (IaC) security treats declarative provisioning templates as a primary security artifact: most cloud misconfigurations now originate not from manual console edits but from Terraform, OpenTofu, Pulumi, AWS CloudFormation, Bicep, Helm, or raw Kubernetes manifests committed to a repo and applied by CI. Programs combine static analysis tools (Checkov, KICS, tfsec, Terrascan, Snyk IaC, Trivy config-scan), policy-as-code engines that enforce rules at plan-time (OPA/Rego, Conftest, HashiCorp Sentinel, Checkmarx Cloudguard, Wiz Code), drift-detection comparing live state to source-of-truth, and secret scanners that block hard-coded credentials in `.tf` and `values.yaml`. Increasingly, IaC security extends 'left' into developer workflows (IDE plugins, pre-commit hooks) and 'right' into runtime correlation (proving the deployed S3 bucket matches the reviewed module). Common findings include public S3 buckets, over-broad IAM `*`, missing encryption-at-rest, security groups open to 0.0.0.0/0, and Kubernetes pods running as root.

Schutzmaßnahmen gegen Infrastructure-as-Code (IaC) Security kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: IaC scanning, Policy-as-Code for IaC, Terraform security.