Infrastructure as Code (IaC): The Complete Guide

Everything you need to know about Infrastructure as Code (IaC) - why you need it, approaches, top 5 tools, best practices, and how to secure your IaC deployments.

Rani Osnat
December 28, 2021

What Is IaC Security? 

Infrastructure as code, also known as IaC, is an IT strategy that manages and codifies IT infrastructure as software. IaC enables operations teams and developers to automatically provision, monitor, and manage resources, instead of manually installing and configuring software.

IaC security is the practice of securing infrastructure that is managed using infrastructure as code (IaC). This can include measures to secure the IaC codebase itself, as well as the infrastructure resources that are managed using IaC.

Securing the IaC codebase may involve practices such as scanning templates for security issues, using version control to track changes to the code, using testing frameworks to validate changes before they are deployed, and implementing access controls to limit who can make changes to the code.

In this article:

Infrastructure as Code Benefits

Benefits of IaC include:

  • Faster development lifecycle—IaC lets you quickly establish your entire infrastructure by operating a script. You may do this for all environments, from development through to production, going through QA, staging, and the like. IaC could help streamline the whole software development lifecycle. 
  • Accuracy and consistency—manual processes often lead to mistakes due to human error and poor communication. Manual infrastructure management will, in most cases, lead to discrepancies. IaC deals with this issue by ensuring the configuration files are the single source of truth. This makes sure that the same configurations will be carried out without inconsistencies.      
  • Visibility and accountability—IaC configuration files can be versioned like any source code file, so you can achieve full visibility into the modifications that each configuration has undergone.   
  • Version control—when infrastructure is expressed as code, it may be checked into, source controlled, code-reviewed and versioned using current software engineering operations. Modifications to infrastructure can be carried out using available CI/CD tools.  
  • Support for DevOps—with the setup of the infrastructure written as code, you can apply the same CI/CD pipeline steps that IT professionals use for application code, such as version control and automated testing. An organization could decide to use IaC alongside containers that remove the application from the infrastructure at the level of the operating system. Because the hardware and operating system infrastructure are provisioned automatically, and the application is enclosed on top of it, such technologies are relevant for various deployment goals, including staging, testing and production.    

Why Is IaC Security Important? 

IaC allows you to define infrastructure in configuration files that can be managed and versioned alongside application code. However, there are several security risks when using infrastructure as code, such as the possibility of introducing vulnerabilities into the infrastructure through IaC code that is not properly reviewed or tested. 

For example, if the IaC code includes weak passwords, misconfigured security controls, or other vulnerabilities, it can leave the infrastructure open to attack. Insecure IaC can result in all server instances deployed containing security issues.

Another benefit of using IaC is that it can enable the use of virtualized infrastructure, which can be more flexible, scalable, and cost-effective than traditional, physical infrastructure. However, malicious actors can compromise the virtualization platform or access sensitive data stored in the virtual environment. IaC security is important because it helps to ensure that the virtualized infrastructure is secure, compliant, and well-managed.

How IaC Security Works 

There are several ways in which IaC security can be implemented:

  • Secure coding practices: Ensuring that the IaC code is developed and maintained in a secure manner, including by following secure coding practices, using testing frameworks to validate changes, and using version control to track changes to the code. This can help to ensure that the code does not contain vulnerabilities or other security issues, and that changes to the code are properly tested before they are deployed.
  • Access controls: Implementing access controls to limit who can make changes to the IaC codebase is important to prevent unauthorized changes from being made to the code. This can be achieved through the use of authentication and authorization controls, such as user accounts and permissions, which ensure that only authorized users can access the code.
  • IaC scanning: Automating the process of reviewing IaC code for security vulnerabilities and compliance issues can help to identify and address potential issues before they are deployed to production. This can be achieved through the use of IaC scanning tools, which can automatically review the code for issues such as weak passwords, misconfigured security controls, and compliance violations.
  • Compliance: Ensuring that the infrastructure is compliant with relevant security standards and regulations is important to reduce the risk of security breaches and compliance violations. This can be achieved through the use of IaC to automate the deployment of compliance controls, such as firewalls and access controls, and through regular reviews of the infrastructure to ensure it remains compliant.
  • Security policies: Implementing security policies using IaC helps to ensure that the infrastructure is configured in a secure manner and that changes to the infrastructure are reviewed and approved before they are deployed. This can be achieved through the use of IaC to define security policies and to enforce those policies when changes are made to the infrastructure. Policy violations can alert security and DevOps teams to security issues.

Top 5 IaC Tools and Security Best Practices

While there are a lot of open-source IaC tools on the market, the most readily-adopted tools are Terraform and Ansible. 

ansible logo

IaC on Ansible

Ansible is an open-source community undertaking backed by Red Hat. It was created to assist organizations with their configuration management, automated provisioning, and application deployment. Ansible is a declarative automation tool. 

You can use this tool to develop playbooks (in the YAML configuration language) to define the desired conditions for your infrastructure. It then carries out the provisioning for you. Ansible is a common choice for automating the provisioning of Kubernetes deployments and Docker containers. 

Ansible security best practices: 

  • Use secure passwords and ensure that all passwords used in Ansible playbooks are strong and unique.
  • Use encrypted communication protocols, such as HTTPS or SSH, to secure the connection between Ansible and the managed hosts.
  • Use version control to track changes to Ansible playbooks and to allow for the rollback of changes if necessary.
  • Use role-based access control to limit who can access playbooks and to restrict the actions that can be performed.
  • Use testing frameworks, such as Molecule, to test Ansible playbooks before they are deployed to production.
  • Use secure coding practices when developing playbooks, including input validation and sanitization, and avoid the use of hardcoded passwords or other sensitive information.
terraform logo

IaC on Terraform

Terraform works together with leading cloud providers. You can use this tool to automate the build-out of resources over various providers at the same time, irrespective of where DNS servers, databases, or physical servers reside. It can also provision applications executed in any language.  

Terraform doesn’t have any configuration management features, though it works together with configuration management tools (such as CloudFormation). When used alongside configuration management tools, Terraform can automatically provision infrastructure according to the state specified by configuration files and can automatically modify update provisioning when needed, in keeping with configuration modifications.   

Terraform security best practices: 

  • Use a version control system, such as Git, to manage and track changes to the Terraform configuration files. This makes it easier to understand and audit changes to the infrastructure, and to roll back changes if necessary.
  • Use testing frameworks, such as Terratest, to validate changes to the infrastructure before they are deployed. This can help to ensure that the changes are correct and do not introduce vulnerabilities or other security issues.
  • Use IaC scanning tools, such as Terrascan, to review the Terraform configuration files for security vulnerabilities and compliance issues. This can help to identify and address potential issues before they are deployed to production.
  • Use secure variables, such as those stored in a secrets management system, to store sensitive information, such as passwords and API keys, used in the Terraform configuration files. This can help to protect sensitive information and prevent it from being exposed.
cloud formation logo

IaC on AWS: CloudFormation

CloudFormation is a tool, from Amazon, that lets teams specify templates representing software stacks and move them to cloud environments automatically. Templates use a straightforward format that can be read by humans—these are basic text files that can be used to manage versions. With CloudFormation, you can automatically spin up everything, including a single EC2 machine or a complex application, via multiple AWS tools.

CloudFormation security best practices:

  • Use IAM policies to grant users the minimum permissions they need to access CloudFormation and to perform the actions they need to perform.
  • Use resource-level permissions to control access to specific resources within the CloudFormation stack, rather than granting broad permissions to the entire stack.
  • Use parameter validation to ensure that users enter valid and appropriate values when creating or updating a stack.
  • Use resource-specific templates to define only the resources that are needed for a specific application or workload, rather than using a single, monolithic template for all resources.
  • Use resource tagging to identify and organize resources within the CloudFormation stack, and to enforce resource-level permissions.
  • Use CloudTrail and CloudWatch to track changes to the CloudFormation stack and monitor for security and compliance issues.

Identify Security Risks in AWS CloudFormation Templates with Trivy ›

arm logo

IaC on Azure: ARM

Azure Resource Manager (ARM) is Azure’s main mechanism for automating cloud resources. Azure offers a straightforward declarative template syntax that offers access to this automation engine, making sure systems are launched in the same manner as if they were launched using the CLI or Azure Console.  

ARM security best practices: 

  • Use Azure Resource Manager templates to define your infrastructure in a declarative manner, which makes it easier to automate the deployment and management of resources and ensure that the resources are consistently configured.
  • Use Azure role-based access controls (RBAC) to control who has access to your resources and what actions they can perform on them. 
  • Use Azure managed identities to authenticate with resources without the need to store credentials in your code or configuration. This helps to reduce the risk of credentials being compromised and makes it easier to manage access to resources.
  • Use Azure Security Center to monitor your resources with a centralized view of the security posture of each resource in Azure. 
  • Use Azure Monitor to monitor the performance and availability of your resources in Azure, and help ensure that your resources are running optimally.
  • Use Azure Policy to define and enforce compliance policies for Azure resources. 
pulumi logo

Pulumi 

Pulumi is a tool that is used to provision existing infrastructure. It supports a number of programming languages and is built on Terraform. Pulumi supports secret management, a feature that Terraform is lacking. Pulumi also lets you define the authorization policy in the code.

Nevertheless, Pulumi has certain disadvantages. To use Pulumi, you must be proficient in functional programming languages. Generally, only software developers possess such skills. Infrastructure engineers, on the other hand, have skills in the area of security, networking concepts and operating systems.

Certain infrastructure engineers do have programming expertise, though this is often a more difficult requirement to obtain. 

Pulumi security best practices:

  • Use a secrets management tool, such as Pulumi’s built-in secrets management support or a third-party tool like HashiCorp Vault, to securely store and manage sensitive information, such as passwords and API keys.
  • Use testing and validation techniques, such as automated testing and code reviews, to ensure that Pulumi code and infrastructure are free of vulnerabilities and errors.
  • Use encryption to protect sensitive data, such as passwords and secrets, as it is stored and transmitted.

IaC Security Scanning

IaC scanning tools can parse common cloud-native template formats. They can then apply rules based on security best practices, providing users with an understanding of where additional hardening may be required to enhance the security of their environments. 

These tools can isolate issues such as a Kubernetes manifest that requests privileged access to the file system of a node, a Docker image created to run as the root user, or a Terraform script that configures an S3 bucket, which is accessible worldwide.

You can use IaC scanning tools at various stages in the development process, by IT professionals as a component of a CI/CD pipeline in a test suite, or as an element of the initial authoring. 

Related content: Read our guide to application security

IaC Security Scanning Rules

The most important part of an IaC scanning tool is the ruleset behind it. Rulesets define what is acceptable and what is considered suspicious or malicious. There is a major advantage to using standardized rulesets. This makes it possible for IaC scanners to share the same policies and rules with other tools in your security stack.

For example, AppShield is an open-source project supported by Aqua, which provides a policy database with rules written in Rego, a commonly used query language. These rules can be used by IaC scanners, but also by other vulnerability scanners and admission controllers, letting you apply the same rules across the application lifecycle. 

Using a standardized ruleset lets you use a set of rules for security configuration, and then reuse those rules when scanning for misconfigurations. This reduces the chance of security checks failing and the complexity of troubleshooting and remediation.

Two Open-Source IaC Scanners to Get You Started

The following are two open-source scanners you can start using today to improve security for Infrastructure as Code. One of them, Trivy, was developed and open-sourced by Aqua, while the other, TFSec, was recently acquired by Aqua.

Aqua Trivy

Trivy

Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for container images. The project has gained a broad following among open-source community members who have tagged it with more than 3,300 GitHub stars. Unlike other open-source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines.

Trivy is available under the Apache 2 license, allowing royalty-free use, modification, and distribution of the software. Trivy will be included as the default scanner in Harbor, a popular open-source container image registry project under the Cloud Native Computing Foundation, and in addition, the widely used container platform Mirantis Docker Enterprise will make Trivy available as an integrated scanning option for their deployments.

Visit the Trivy Github repo ›

aqua tfsec

TFsec

TFSec addresses the need to scan for security misconfigurations in Terraform templates. TFSec was designed to scan the new Hashicorp Configuration Language version 2, which is not covered by existing scanning tools. 

A unique aspect of TFsec is that it examines Terraform code and simulates how resources will be deployed in the cloud, using the Hashicorp HCL engine. This allows it to discover vulnerabilities that other tools miss, because they only scan the code, without looking at the actual final deployment.

The TFSec project has grown to include over 150 checks, supporting AWS, Azure, Google Cloud Platform, Digital Ocean, OpenStack, and Cloud Stack. It is growing in popularity with hundreds of thousands of downloads and a large team of contributors. 

Visit the TFsec Github repo ›

Rani Osnat
Rani is the SVP of Strategy at Aqua. Rani has worked in enterprise software companies more than 25 years, spanning project management, product management and marketing, including a decade as VP of marketing for innovative startups in the cyber-security and cloud arenas. Previously Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.