Infrastructure-as-Code (IaC) Security
What is Infrastructure-as-Code (IaC) Security?
The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources.
Infrastructure-as-Code (IaC) security treats declarative provisioning templates as a primary security artifact: most cloud misconfigurations now originate not from manual console edits but from Terraform, OpenTofu, Pulumi, AWS CloudFormation, Bicep, Helm, or raw Kubernetes manifests committed to a repo and applied by CI. Programs combine static analysis tools (Checkov, KICS, tfsec, Terrascan, Snyk IaC, Trivy config-scan), policy-as-code engines that enforce rules at plan-time (OPA/Rego, Conftest, HashiCorp Sentinel, Checkmarx Cloudguard, Wiz Code), drift-detection comparing live state to source-of-truth, and secret scanners that block hard-coded credentials in `.tf` and `values.yaml`. Increasingly, IaC security extends 'left' into developer workflows (IDE plugins, pre-commit hooks) and 'right' into runtime correlation (proving the deployed S3 bucket matches the reviewed module). Common findings include public S3 buckets, over-broad IAM `*`, missing encryption-at-rest, security groups open to 0.0.0.0/0, and Kubernetes pods running as root.
● Examples
- 01
A pull-request CI step runs Checkov against the Terraform plan and blocks a merge that would create an S3 bucket without server-side encryption.
- 02
An OPA policy denies any Kubernetes manifest that mounts the Docker socket or runs with `privileged: true`.
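The two examples above are both policy-as-code checks over a plan or manifest before it is applied. The following is an added example, not code from the page or from Checkov, OPA or any other tool named here: the same two rules written in plain Python over a constructed Terraform plan JSON (the `terraform show -json` shape) and a constructed Kubernetes Pod manifest, with a hardened Pod beside the failing one. It assumes that the separate `aws_s3_bucket_server_side_encryption_configuration` resource names its bucket as a known string in the plan; unresolved references would require the plan's `configuration` section, which this example does not inspect.

```python
"""Minimal policy-as-code checks over IaC artifacts (added example).

Rule 1: a Terraform plan must not create an aws_s3_bucket without
        server-side encryption.
Rule 2: a Kubernetes Pod must not run privileged or mount the Docker socket.
All inputs below are constructed sample data, not real plans or manifests.
"""
from __future__ import annotations

import json
from typing import Any

DOCKER_SOCKET = "/var/run/docker.sock"


def plan_resources(plan: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten planned resources from the root module and all child modules."""
    out: list[dict[str, Any]] = []

    def walk(module: dict[str, Any]) -> None:
        out.extend(module.get("resources", []))
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return out


def unencrypted_s3_buckets(plan: dict[str, Any]) -> list[str]:
    """Addresses of aws_s3_bucket resources with no SSE configured.

    Encryption may come from the legacy inline block on the bucket or from a
    separate aws_s3_bucket_server_side_encryption_configuration resource
    (AWS provider v4+). Assumption: that resource's `bucket` value is a known
    string here; real plans may carry it only as a reference.
    """
    resources = plan_resources(plan)
    covered = {
        r.get("values", {}).get("bucket")
        for r in resources
        if r["type"] == "aws_s3_bucket_server_side_encryption_configuration"
    }
    findings = []
    for r in resources:
        if r["type"] != "aws_s3_bucket":
            continue
        values = r.get("values", {})
        if values.get("server_side_encryption_configuration"):
            continue  # legacy inline SSE block present
        if values.get("bucket") in covered:
            continue  # covered by a separate SSE configuration resource
        findings.append(r["address"])
    return findings


def pod_violations(manifest: dict[str, Any]) -> list[str]:
    """Rule violations for a Pod, or a workload that wraps a Pod template."""
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment/DaemonSet/Job carry spec.template.spec
        spec = spec["template"].get("spec", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(f"container {c['name']} runs privileged")
    for vol in spec.get("volumes", []):
        if vol.get("hostPath", {}).get("path") == DOCKER_SOCKET:
            findings.append(f"volume {vol['name']} mounts the Docker socket")
    return findings


def evaluate(plan: dict[str, Any], manifest: dict[str, Any]) -> dict[str, list[str]]:
    """Run both rules and return findings keyed by artifact type."""
    return {"terraform": unencrypted_s3_buckets(plan),
            "kubernetes": pod_violations(manifest)}


# Constructed plan: raw_logs has no SSE; reports is covered by a separate resource.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.raw_logs", "type": "aws_s3_bucket",
   "name": "raw_logs", "values": {"bucket": "example-raw-logs"}},
  {"address": "aws_s3_bucket.reports", "type": "aws_s3_bucket",
   "name": "reports", "values": {"bucket": "example-reports"}},
  {"address": "aws_s3_bucket_server_side_encryption_configuration.reports",
   "type": "aws_s3_bucket_server_side_encryption_configuration",
   "name": "reports", "values": {"bucket": "example-reports",
   "rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}}
]}}}
""")

# Constructed Pod that violates both Kubernetes rules, and a hardened version.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "containers": [{"name": "runner", "image": "example/runner:1.0",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "dockersock", "mountPath": DOCKER_SOCKET}]}],
        "volumes": [{"name": "dockersock", "hostPath": {"path": DOCKER_SOCKET}}],
    },
}
SAMPLE_POD_FIXED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {"containers": [{"name": "runner", "image": "example/runner:1.0",
                             "securityContext": {"privileged": False,
                                                 "allowPrivilegeEscalation": False}}]},
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_PLAN, SAMPLE_POD)
    for source, findings in results.items():
        for finding in findings:
            print(f"DENY [{source}] {finding}")
    raise SystemExit(1 if any(results.values()) else 0)  # non-zero exit blocks the merge
```

Run as a CI step, the non-zero exit is what blocks the merge; the findings list is what a reviewer sees. In practice a manifest would be loaded with a YAML parser and the plan produced by `terraform plan -out tfplan && terraform show -json tfplan`, which is exactly the input the plan-time scanners named above consume.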
● FAQ
What is Infrastructure-as-Code (IaC) Security?
The discipline of scanning, policy-checking, and securing IaC templates (Terraform, OpenTofu, Pulumi, CloudFormation, Helm, Kubernetes manifests) before they provision misconfigured cloud resources. It belongs to the Cloud Security category of cybersecurity.
What does Infrastructure-as-Code (IaC) Security mean?
See the short definition above.
How does Infrastructure-as-Code (IaC) Security work?
See the full definition above.
How do you defend against the risks that Infrastructure-as-Code (IaC) Security addresses?
Defence typically combines technical controls with operational practices; see the full definition above.
What other names does Infrastructure-as-Code (IaC) Security go by?
Common aliases include: IaC scanning, Policy-as-Code for IaC, Terraform security.
● Related terms
- cloud-security№ 209
Cloud Misconfiguration
A security weakness caused by improper or insecure settings of a cloud service, such as exposed object storage, weak IAM policies, or management ports open to the internet.
- cloud-security№ 280
CSPM (Cloud Security Posture Management)
A class of tools that continuously compares cloud accounts against best practices and compliance baselines to find and remediate misconfigurations.
- cloud-security№ 939
Policy as Code
The practice of defining security, compliance, and governance rules as machine-readable code so they can be versioned, tested, reviewed, and enforced automatically.
- cloud-security№ 848
OPA (Open Policy Agent)
A CNCF-graduated general-purpose policy engine that uses the Rego language to decouple authorization decisions from applications and from Kubernetes admission control.
- cloud-security№ 1103
Security as Code
The practice of expressing security controls, tests, and infrastructure as source code so they can be versioned, peer-reviewed, automated, and continuously delivered alongside the application.
- appsec№ 1145
Shift-Left Security
The practice of moving security activities to earlier stages of the software lifecycle so that vulnerabilities are found and fixed before they reach production.