Vol. 1 · Ed. 2026
CyberGlossary
Entry № 593

Infrastructure-as-Code (IaC) Security

What is Infrastructure-as-Code (IaC) Security?

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.


Infrastructure-as-Code (IaC) security treats declarative provisioning templates as a primary security artifact: most cloud misconfigurations now originate not from manual console edits but from Terraform, OpenTofu, Pulumi, AWS CloudFormation, Bicep, Helm, or raw Kubernetes manifests committed to a repo and applied by CI. Programs combine static analysis tools (Checkov, KICS, tfsec, Terrascan, Snyk IaC, Trivy config-scan), policy-as-code engines that enforce rules at plan-time (OPA/Rego, Conftest, HashiCorp Sentinel, Checkmarx Cloudguard, Wiz Code), drift-detection comparing live state to source-of-truth, and secret scanners that block hard-coded credentials in `.tf` and `values.yaml`. Increasingly, IaC security extends 'left' into developer workflows (IDE plugins, pre-commit hooks) and 'right' into runtime correlation (proving the deployed S3 bucket matches the reviewed module). Common findings include public S3 buckets, over-broad IAM `*`, missing encryption-at-rest, security groups open to 0.0.0.0/0, and Kubernetes pods running as root.

Examples

  1. A pull-request CI step runs Checkov against the Terraform plan and blocks a merge that would create an S3 bucket without server-side encryption.

  2. An OPA policy denies any Kubernetes manifest that mounts the Docker socket or runs with `privileged: true`.
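The two examples above as plan-time checks in plain Python (an added illustration, not Checkov's or OPA's own code). It assumes the Terraform plan is the JSON produced by `terraform show -json` and that the Kubernetes manifest has already been parsed from YAML into a dict; the sample inputs are constructed.

```python
"""Plan-time policy checks mirroring the two examples above (added illustration, not
Checkov's or OPA's code). Inputs are plain dicts: a Terraform plan from `terraform
show -json` and a Kubernetes manifest already parsed from YAML. Samples are constructed."""

DOCKER_SOCKET = "/var/run/docker.sock"

def unencrypted_s3_buckets(plan: dict) -> list[str]:
    """Addresses of aws_s3_bucket resources with neither an inline encryption block
    (AWS provider v3 style) nor a companion *_server_side_encryption_configuration (v4+)."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    # Caveat: a companion resource whose `bucket` is an unresolved reference has no value
    # at plan time; a full check would follow plan["configuration"] expressions instead.
    covered = {r["values"].get("bucket") for r in resources
               if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"}
    findings = []
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        vals = r.get("values", {})
        if not vals.get("server_side_encryption_configuration") and vals.get("bucket") not in covered:
            findings.append(r["address"])
    return findings

def pod_policy_violations(manifest: dict) -> list[str]:
    """Deny reasons for a Pod, or for a workload (Deployment, Job...) carrying a pod template."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)  # unwrap workload templates
    pod_nonroot = pod.get("securityContext", {}).get("runAsNonRoot", False)
    reasons = []
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            reasons.append(f"container {c['name']} runs with privileged: true")
        if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot", pod_nonroot):
            reasons.append(f"container {c['name']} may run as root")
    for v in pod.get("volumes", []):
        if v.get("hostPath", {}).get("path") == DOCKER_SOCKET:
            reasons.append(f"volume {v['name']} mounts the Docker socket")
    return reasons

# Constructed samples: one unencrypted bucket, one covered by a v4-style SSE resource,
# and a Deployment whose pod mounts the Docker socket and runs privileged.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "acme-logs"}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "values": {"bucket": "acme-data"}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.data",
     "type": "aws_s3_bucket_server_side_encryption_configuration", "values": {"bucket": "acme-data"}}]}}}
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "containers": [{"name": "agent", "image": "agent:1", "securityContext": {"privileged": True}}],
    "volumes": [{"name": "dock", "hostPath": {"path": DOCKER_SOCKET}}]}}}}
```

In a CI gate, a non-empty result from either function is the signal to fail the step before `terraform apply` or `kubectl apply` runs.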

Frequently asked questions

What is Infrastructure-as-Code (IaC) Security?

The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources. This concept belongs to the Cloud security category of cybersecurity.

How do you defend against Infrastructure-as-Code (IaC) Security?

Defenses against Infrastructure-as-Code (IaC) Security usually combine technical controls and operational practices, as detailed in the definition above.

What are the other names for Infrastructure-as-Code (IaC) Security?

Common alternative names: IaC scanning, Policy-as-Code for IaC, Terraform security.
