Profile Applicability:
Level 2
Description:
Infrastructure as Code (IaC) templates and scripts, such as Terraform, CloudFormation, or Ansible configurations, must be scanned for security misconfigurations, vulnerabilities, and compliance violations before deployment. Manual or automated security tools should be used to detect issues like exposed credentials, overly permissive permissions, insecure defaults, or compliance gaps within the IaC code.
Rationale:
Scanning IaC helps prevent security flaws and misconfigurations from being deployed into infrastructure, which could lead to data breaches, unauthorized access, or service disruptions. Early detection of risks in IaC enhances overall security posture, reduces remediation costs, and ensures compliance with organizational and regulatory standards.
Impact:
Pros:
Detects vulnerabilities before infrastructure is provisioned.
Reduces risk of misconfigurations leading to security incidents.
Supports compliance and governance requirements.
Improves infrastructure reliability and security posture.
Cons:
May require investment in scanning tools and training.
Can introduce delays if scans are manual or produce false positives.
Default value:
IaC is often deployed without thorough security scanning, increasing risk exposure.
Audit:
Review IaC repositories and deployment pipelines to verify security scans are performed. Check for use of IaC scanning tools and documented remediation of identified issues.
Remediation:
Integrate IaC security scanning tools into development and deployment workflows. Train teams on interpreting scan results and remediating issues. Enforce scanning as a mandatory step before deployment.
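The Description above lists the classes of defect a scan should catch (exposed credentials, overly permissive permissions, insecure defaults) and the Remediation calls for scanning as a mandatory gate before deployment. The following is an added illustration, not part of this recommendation or of any named tool: a small Python pre-deployment gate that parses a Terraform template in JSON syntax (.tf.json), runs one check per defect class, and returns a pass/fail decision a pipeline step could act on. The check identifiers, severities and the sample template are constructed for the example; in practice the same gate position is occupied by a maintained scanner such as Checkov or tfsec.

```python
"""Minimal IaC pre-deployment gate for Terraform JSON syntax.

Added example: the checks, check ids, severities and the sample template
below are constructed for illustration and are not taken from Checkov,
tfsec or the CIS text.
"""
import json
from dataclasses import dataclass

# Constructed sample template (Terraform JSON syntax). Each resource carries
# one deliberate finding so the gate has something to report.
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_security_group": {
      "admin": {
        "name": "admin",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp",
           "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_s3_bucket": {
      "logs":    {"bucket": "example-logs",    "acl": "public-read"},
      "private": {"bucket": "example-private", "acl": "private"}
    },
    "aws_db_instance": {
      "main": {"engine": "postgres", "password": "SuperSecret123",
               "storage_encrypted": false}
    }
  }
}
'''


@dataclass(frozen=True)
class Finding:
    check_id: str   # constructed identifier, e.g. "SG-001"
    severity: str   # CRITICAL / HIGH / MEDIUM
    resource: str   # Terraform address, e.g. aws_s3_bucket.logs
    message: str


# Attribute names that should never hold a literal value in a template.
SECRET_KEYS = {"password", "secret", "secret_key", "access_key", "token"}


def _resources(config):
    """Yield (type, name, body) for every resource block in Terraform JSON."""
    for rtype, named in config.get("resource", {}).items():
        for name, body in named.items():
            # JSON syntax allows a list of bodies under one resource name.
            for b in (body if isinstance(body, list) else [body]):
                yield rtype, name, b


def check_open_ingress(rtype, name, body):
    """Overly permissive permissions: admin ports or all traffic from anywhere."""
    if rtype != "aws_security_group":
        return []
    rules = body.get("ingress", [])
    rules = rules if isinstance(rules, list) else [rules]
    out = []
    for r in rules:
        world = ("0.0.0.0/0" in r.get("cidr_blocks", [])
                 or "::/0" in r.get("ipv6_cidr_blocks", []))
        if world and (r.get("from_port") in (22, 3389) or r.get("protocol") == "-1"):
            out.append(Finding("SG-001", "HIGH", f"{rtype}.{name}",
                               f"ingress port {r.get('from_port')} open to the world"))
    return out


def check_public_bucket(rtype, name, body):
    """Insecure default / exposure: bucket ACL grants public access."""
    if rtype == "aws_s3_bucket" and body.get("acl", "private").startswith("public"):
        return [Finding("S3-001", "HIGH", f"{rtype}.{name}",
                        f"bucket ACL is {body['acl']}")]
    return []


def check_hardcoded_secret(rtype, name, body):
    """Exposed credentials: a literal (non-interpolated) value in a secret attribute."""
    return [Finding("SEC-001", "CRITICAL", f"{rtype}.{name}", f"literal value in '{key}'")
            for key, val in body.items()
            if key.lower() in SECRET_KEYS and isinstance(val, str)
            and not val.startswith("${")]   # "${var.x}" is a reference, not a secret


def check_unencrypted_storage(rtype, name, body):
    """Insecure default: database storage left unencrypted."""
    if rtype == "aws_db_instance" and body.get("storage_encrypted") is not True:
        return [Finding("RDS-001", "MEDIUM", f"{rtype}.{name}", "storage_encrypted is not true")]
    return []


CHECKS = [check_open_ingress, check_public_bucket,
          check_hardcoded_secret, check_unencrypted_storage]


def scan(tf_json_text):
    """Run every check over every resource; return the list of findings."""
    config = json.loads(tf_json_text)
    findings = []
    for rtype, name, body in _resources(config):
        for check in CHECKS:
            findings.extend(check(rtype, name, body))
    return findings


def gate(findings, fail_on=frozenset({"CRITICAL", "HIGH"})):
    """Deployment may proceed only if no finding reaches the blocking severities."""
    return not any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_TF_JSON)
    for f in results:
        print(f"[{f.severity}] {f.check_id} {f.resource}: {f.message}")
    # Non-zero exit makes the pipeline stage fail, enforcing the scan as a gate.
    raise SystemExit(0 if gate(results) else 1)
```

Run against the sample, the gate reports four findings (open SSH ingress, public bucket ACL, literal database password, unencrypted storage) and exits non-zero; with the MEDIUM finding alone it would pass, which is the policy decision the fail_on set encodes. A real pipeline would point scan() at the rendered template in the repository and keep the check catalogue in a maintained scanner rather than in ad-hoc code.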
References:
Terraform Security Best Practices: https://learn.hashicorp.com/tutorials/terraform/security-best-practices
AWS CloudFormation Security: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security.html
CIS Controls v8, Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/
Open Source IaC Security Tools: Checkov (https://www.checkov.io/), tfsec (https://tfsec.dev/)