Vol. 1 · Ed. 2026
CyberGlossary
Entry № 593

Infrastructure-as-Code (IaC) Security

What is Infrastructure-as-Code (IaC) Security?

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.


Infrastructure-as-Code (IaC) security treats declarative provisioning templates as a primary security artifact: most cloud misconfigurations now originate not from manual console edits but from Terraform, OpenTofu, Pulumi, AWS CloudFormation, Bicep, Helm, or raw Kubernetes manifests committed to a repo and applied by CI. Programs combine static analysis tools (Checkov, KICS, tfsec, Terrascan, Snyk IaC, Trivy config-scan), policy-as-code engines that enforce rules at plan time (OPA/Rego, Conftest, HashiCorp Sentinel, Checkmarx Cloudguard, Wiz Code), drift detection that compares live state against the source of truth, and secret scanners that block hard-coded credentials in `.tf` and `values.yaml` files. Increasingly, IaC security extends 'left' into developer workflows (IDE plugins, pre-commit hooks) and 'right' into runtime correlation (proving the deployed S3 bucket matches the reviewed module). Common findings include public S3 buckets, over-broad IAM `*` permissions, missing encryption at rest, security groups open to 0.0.0.0/0, and Kubernetes pods running as root.

Examples

  1. A pull-request CI step runs Checkov against the Terraform plan and blocks a merge that would create an S3 bucket without server-side encryption.

  2. An OPA policy denies any Kubernetes manifest that mounts the Docker socket or runs with `privileged: true`.
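The two examples above, and the plan-time policy checks the definition describes, reduced to a small standalone gate. This is an added illustration written for this entry, not code from Checkov, OPA or any other tool named here; the plan excerpt and the Pod manifest are constructed inputs, and the rule set (world-open security-group ingress, privileged containers, Docker-socket hostPath) is a deliberately narrow stand-in for a real policy bundle.

```python
# Constructed excerpt in the shape of `terraform show -json` output (hypothetical values).
PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.db", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]}}},
]}

# Constructed Kubernetes Pod manifest, already parsed (YAML loads to the same structure).
POD = {"kind": "Pod", "metadata": {"name": "build-agent"}, "spec": {
    "containers": [{"name": "agent", "image": "agent:1",
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]}],
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}]}}

def check_plan(plan):
    """Deny security-group ingress rules open to the whole internet."""
    denials = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc["type"] != "aws_security_group" or not ({"create", "update"} & set(actions)):
            continue  # deletions and no-ops do not provision anything
        for rule in (rc["change"].get("after") or {}).get("ingress") or []:
            if "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
                denials.append(f"{rc['address']}: ingress {rule['from_port']}-{rule['to_port']} open to 0.0.0.0/0")
    return denials

def check_pod(manifest):
    """Deny privileged containers and mounts of the host Docker socket."""
    denials, spec = [], manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            denials.append(f"{name}/{c['name']}: privileged: true")
    for v in spec.get("volumes", []):
        if (v.get("hostPath") or {}).get("path") == "/var/run/docker.sock":
            denials.append(f"{name}: volume {v['name']} exposes the Docker socket")
    return denials

def ci_exit_code(denials):
    """Pipeline gate: a non-zero exit blocks the merge, as a Checkov or OPA step would."""
    for d in denials:
        print("DENY", d)
    return 1 if denials else 0

if __name__ == "__main__":
    raise SystemExit(ci_exit_code(check_plan(PLAN) + check_pod(POD)))
```

Run against the constructed inputs it reports one world-open ingress rule and two Pod violations and exits 1; a real deployment would read the plan from `terraform show -json` and the manifests from the repository instead of the inline samples.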

Frequently asked questions

What is Infrastructure-as-Code (IaC) Security?

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources. It belongs to the Cloud security category in cybersecurity.

How do you defend against Infrastructure-as-Code (IaC) Security?

Defenses against Infrastructure-as-Code (IaC) Security usually combine technical controls and operational practices, as detailed in the definition.

What are other names for Infrastructure-as-Code (IaC) Security?

Common alternative names: IaC scanning, Policy-as-Code for IaC, Terraform security.
