Before getting started with IaC Security you will want to understand the steps typically required to take advantage of this feature. IaC Security employs the IaC Analyzer to scan your infrastructure templates using Insight Packs to detect security issues with resource definitions. The scan results provide details about policy violations to determine compliance before infrastructure is deployed.
To get started you’ll need to do four things:
1. Select your configuration
Configurations are a critical component that allow users to select the “checks” best suited to use for scanning, based on your environment's resources and the applicable Insights. Within your InsightCloudSec platform, from "Security --> Infrastructure as Code" select the Configurations tab:
- Select an Insight Pack for scanning
- Define the settings for each Insight within the Pack
- Choose your notification options (email/Slack)
Details about this step are available under our documentation on Managing Configurations.
2. Choose a method for initiating IaC file scans
Initiating an IaC file scan can be done in two ways:
- Configure your CI/CD tooling to trigger a scan based on desired events (e.g. Push, Pull, Build, Stage, Deploy, etc.) using the CLI IaC Scanning Tool
- Manually run a scan via the CLI IaC Scanning Tool
3. Initiate a Scan
With an IaC Configuration and scanning method defined you are ready to initiate IaC scans. Scan results are communicated regardless of the scanning method. Users receive an overall pass/fail and results are compiled into a detailed report.
- Note: Scans initiated manually through the CLI are also published in the InsightCloudSec UI.
4. View Your Report
After a scan has completed, view your scan results. Learn more about this report in our docs on the Viewing Scan Results.
In general before using IaC Security you will need:
- A running InsightCloudSec Platform
- A working implementation and understanding of the desired supported IaC templating software
Note: While any type of user can access IaC Security, only Domain Admins, Organization Admins, and Editor/Admin-entitled users can create/edit IaC Configurations. See the User Entitlements Matrix for more information.
To leverage the full capability of the InsightCloudSec IaC functionality and compliance automation at scale, you'll need the following additional items:
- An API Key for a user with the Infrastructure as Code Viewer entitlement
- An existing version-controlled repository of the templates
- An existing integration between the version-controlled repository and a CI/CD tool, e.g., Jenkins, CircleCI, etc.
- InsightCloudSec also supports Terraform Cloud/Enterprise (as of version 22.9.28). See Terraform Cloud/Enterprise (TFC/E) Run Task Integration for more information.
- The capacity for your CI/CD pipeline to create an IaC template and send API requests to InsightCloudSec
Additional configuration options for IaC are also available within InsightCloudSec's general system administration settings. Through the main console navigate to "Administration --> System Administration" and click on the "System" tab. Scroll further down the page and locate the "Infrastructure-as-Code (IaC)" component, which allows IaC users to specify settings for authentication and defaults for new Insights added to a Custom Pack.
To get started with IaC Security, all you need is to ensure you've met the IaC prerequisites defined here. You can view a summary about the capabilities on our IaC Overview page.
The IaC Security interface is available through the InsightCloudSec platform under "Security → Infrastructure as Code".
There are two distinct sections of the IaC Security interface:
- Scan List - Lists all IaC completed configuration scans as well as their status, scan date, and duration. Review Viewing Scan Results for details on filtering, interacting, and interpreting scan results.
- Configurations - Lists all IaC configurations as well as some scan statistics about each configuration. Review Managing Configurations for details on reviewing, creating, and editing IaC configurations.
Additional configuration options for IaC are also available within InsightCloudSec's general system administration settings. Through the main console navigate (via the gear on the top right) to "Administration --> System Administration" and click on the "System" tab. Scroll further down the page and locate the "Infrastructure-as-Code (IaC)" component; this section in the System Administration allows you to:
- specify settings for authentication
- add defaults for new Insights added to a Custom Pack
- specify the number of days the system retains scans (if no value is supplied scans are never deleted)
Updated 7 months ago