Infrastructure-as-Code (IaC) Security
What is Infrastructure-as-Code (IaC) Security?
The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.
Infrastructure-as-Code (IaC) security treats declarative provisioning templates as a primary security artifact: most cloud misconfigurations now originate not from manual console edits but from Terraform, OpenTofu, Pulumi, AWS CloudFormation, Bicep, Helm, or raw Kubernetes manifests committed to a repo and applied by CI. Programs combine static analysis tools (Checkov, KICS, tfsec, Terrascan, Snyk IaC, Trivy config-scan), policy-as-code engines that enforce rules at plan-time (OPA/Rego, Conftest, HashiCorp Sentinel, Checkmarx Cloudguard, Wiz Code), drift-detection comparing live state to source-of-truth, and secret scanners that block hard-coded credentials in `.tf` and `values.yaml`. Increasingly, IaC security extends 'left' into developer workflows (IDE plugins, pre-commit hooks) and 'right' into runtime correlation (proving the deployed S3 bucket matches the reviewed module). Common findings include public S3 buckets, over-broad IAM `*`, missing encryption-at-rest, security groups open to 0.0.0.0/0, and Kubernetes pods running as root.
● Examples
1. A pull-request CI step runs Checkov against the Terraform plan and blocks a merge that would create an S3 bucket without server-side encryption.
2. An OPA policy denies any Kubernetes manifest that mounts the Docker socket or runs with `privileged: true`.
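The second example as a Conftest-style Rego policy, added here as an illustration and not taken from the page or from any real project. It goes a little beyond the stated case: it also inspects the pod template of Deployments, StatefulSets, DaemonSets and Jobs, checks `initContainers`, and treats any `hostPath` that is a parent of the socket (such as `/var/run` or `/`) as exposing it; the package name `main`, the `/run/docker.sock` alias and the sample manifest in the test are assumptions.

```rego
package main

import rego.v1

# Workload kinds whose pod spec lives under spec.template.spec.
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Resolve the pod spec for a bare Pod or an embedding workload.
# Other kinds (ConfigMap, Service, ...) leave pod_spec undefined, so no deny fires.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if workload_kinds[input.kind]

# Regular and init containers are checked alike; a missing initContainers
# list simply contributes nothing.
all_containers contains c if some c in pod_spec.containers

all_containers contains c if some c in pod_spec.initContainers

# /var/run is commonly a symlink to /run, so both spellings are covered (assumption).
socket_paths := {"/var/run/docker.sock", "/run/docker.sock"}

deny contains msg if {
	some c in all_containers
	c.securityContext.privileged == true
	msg := sprintf("container %s runs with privileged: true", [c.name])
}

# Prefix match: a hostPath of /var/run or / also grants access to the socket,
# so those are denied too, not only the exact socket path.
deny contains msg if {
	some v in pod_spec.volumes
	some sock in socket_paths
	startswith(sock, v.hostPath.path)
	msg := sprintf("volume %s exposes the Docker socket via hostPath %s", [v.name, v.hostPath.path])
}

# Unit test runnable with `opa test`: constructed Deployment that trips both rules.
test_privileged_and_socket_denied if {
	manifest := {"kind": "Deployment", "spec": {"template": {"spec": {
		"containers": [{"name": "app", "securityContext": {"privileged": true}}],
		"volumes": [{"name": "dock", "hostPath": {"path": "/var/run"}}]
	}}}}
	result := deny with input as manifest
	count(result) == 2
}
```

Run `conftest test deployment.yaml` with this file in `policy/` to gate a manifest in CI, or `opa test .` to execute the embedded unit test.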
● Frequently asked questions
What is Infrastructure-as-Code (IaC) Security?
The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources. It belongs to the Cloud Security category of cybersecurity.
What defences does Infrastructure-as-Code (IaC) Security involve?
Defences for Infrastructure-as-Code (IaC) Security typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Infrastructure-as-Code (IaC) Security?
Common alternative names include: IaC scanning, Policy-as-Code for IaC, Terraform security.
● Related terms
- cloud-security № 209
Cloud Misconfiguration
A security gap caused by incorrect or insecure settings of cloud services, such as exposed storage, weak IAM policies, or open management ports.
- cloud-security № 280
CSPM (Cloud Security Posture Management)
A category of tools that continuously assess cloud accounts against best-practice and compliance baselines to detect and remediate misconfigurations.
- cloud-security № 939
Policy as Code
The practice of defining security, compliance, and governance rules in machine-readable code so they can be versioned, tested, reviewed, and automatically enforced.
- cloud-security № 848
OPA (Open Policy Agent)
A CNCF-graduated, general-purpose policy engine that decouples authorization decisions from applications and Kubernetes admission control using the Rego language.
- cloud-security № 1103
Security as Code
The practice of expressing security controls, tests, and infrastructure in source code so they are versioned, peer-reviewed, automated, and continuously delivered alongside applications.
- appsec № 1145
Shift-Left Security
The practice of moving security activities earlier in the software lifecycle so vulnerabilities are found and fixed before code reaches production.