Before getting started with IaC Security, you will want to understand the steps typically required to take advantage of this feature. IaC Security uses the IaC Analyzer to scan your infrastructure templates with Insight Packs and detect security issues in resource definitions. The scan results detail policy violations so that compliance can be determined before the infrastructure is deployed.
To get started you’ll need to do four things:
1. Select your configuration
Configurations are a critical component: they let you select the “checks” best suited to scanning your environment's resources and the applicable Insights. Within your InsightCloudSec platform, from "Security --> Infrastructure as Code" select the Configurations tab, then:
- Select an Insight Pack for scanning
- Define the settings for each Insight within the Pack
- Choose your notification options (email/Slack)
Details about this step are available under our documentation on Managing Configurations.
2. Choose a method for initiating IaC file scans
Initiating an IaC file scan can be done in one of three ways:
- Configure your CI/CD tooling to trigger a scan on the desired events (e.g., Push, Pull, Build, Stage, or Deploy) using the ICS CLI tool
- Manually run a scan via the ICS CLI tool
- Manually run an On-Demand scan through the InsightCloudSec UI
3. Initiate a Scan
With an IaC Configuration and a scanning method defined, you are ready to initiate IaC scans. Scan results are reported regardless of the scanning method: you receive an overall pass/fail result, and the findings are compiled into a detailed report.
- Note that scans initiated manually through the CLI are also published in the InsightCloudSec UI.
4. View Your Report
After a scan has completed, view your scan results.
Learn more about this report in our docs on Viewing Scan Results.
In general, before using IaC Security you will need:
- A running InsightCloudSec Platform
- A working implementation of, and familiarity with, the supported IaC templating software you intend to scan
- Optional: IaC scan authentication enabled
Note: While any type of user can access IaC Security, only Domain Admins, Organization Admins, and Editor/Admin-entitled users can create/edit IaC Configurations. See the User Entitlements Matrix for more information.
To leverage the full capability of the InsightCloudSec IaC functionality and compliance automation at scale, you'll need the following additional items:
- An API Key for a user with the Infrastructure as Code Viewer entitlement
- An existing version-controlled repository of the templates
- An existing integration between the version-controlled repository & a CI/CD tool, e.g., Jenkins, Travis, etc.
- The capacity for your CI/CD pipeline to create an IaC template and send API requests to InsightCloudSec
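The CI/CD-triggered scan method from step 2 and the pipeline prerequisites listed above (an API key, a template repository, a pipeline that can call the scanner) come together in a job step like the following. This is an added example, not InsightCloudSec's own code or the ICS CLI's documented syntax: the scanner command name (`ics-cli`), its `scan` subcommand and the 0/1 exit-code convention are placeholders and assumptions to be replaced with the real CLI invocation from the InsightCloudSec documentation. What the example shows is the gating logic a pipeline should wrap around any scanner: the API key comes from the CI secret store via the environment, a pass lets the deploy stage proceed, policy violations block it, and a scanner that crashes or is missing also blocks it (fail closed) rather than silently letting unscanned templates through.

```shell
#!/bin/sh
# Added example (not InsightCloudSec's code): a CI job step that runs an IaC
# scan and only allows the deploy stage to continue when the scan passes.
# The scanner invocation is a PLACEHOLDER; take the real ICS CLI command and
# flags from the InsightCloudSec documentation.

# ASSUMED scanner exit-code convention: 0 = pass, 1 = policy violations found.
# Any other status is treated as "the scanner did not complete".
readonly SCAN_PASS=0
readonly SCAN_FAIL=1

# run_iac_scan TEMPLATE_DIR
# Runs the scanner against a directory of IaC templates and returns its exit
# status. The API key is read from ICS_API_KEY (populated by the CI secret
# store), never written into the pipeline definition. IAC_SCANNER names the
# command to run; "ics-cli" is a hypothetical default.
run_iac_scan() {
  template_dir="$1"
  : "${ICS_API_KEY:?ICS_API_KEY is not set; export it from the CI secret store}"
  if [ ! -d "$template_dir" ]; then
    echo "run_iac_scan: no such template directory: $template_dir" >&2
    return 2
  fi
  # PLACEHOLDER invocation: replace "scan" and its arguments with the real CLI syntax.
  "${IAC_SCANNER:-ics-cli}" scan "$template_dir"
}

# gate_deploy SCAN_STATUS
# Maps a scan exit status to a deploy decision. Returns 0 only for a clean
# pass. Violations block the deploy, and so does a scanner crash, a missing
# binary or a bad template path: the gate fails closed.
gate_deploy() {
  status="$1"
  case "$status" in
    "$SCAN_PASS")
      echo "IaC scan passed: deploy allowed"
      return 0 ;;
    "$SCAN_FAIL")
      echo "IaC scan found policy violations: deploy blocked" >&2
      return 1 ;;
    *)
      echo "IaC scanner did not complete (exit $status): deploy blocked" >&2
      return 1 ;;
  esac
}

# scan_and_gate TEMPLATE_DIR
# Single entry point for the pipeline: returns 0 to continue, non-zero to stop.
# The scanner runs inside an "if" so that a CI shell using "set -e" does not
# abort before the status is mapped to a decision.
scan_and_gate() {
  if run_iac_scan "$1"; then
    scan_status=0
  else
    scan_status=$?
  fi
  gate_deploy "$scan_status"
}

# Pipeline usage (one line in the job definition, after exporting ICS_API_KEY):
#   scan_and_gate ./infrastructure || exit 1
```

In the pipeline definition this is one step between "checkout templates" and "deploy"; because `scan_and_gate` returns non-zero on violations and on scanner errors alike, the job stops in both cases and the report published in the InsightCloudSec UI is where the findings are reviewed.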
Additional configuration options for IaC are also available within InsightCloudSec's general system administration settings. Through the main console navigate to "Administration --> System Administration" and click on the "System" tab. Scroll further down the page and locate the "Infrastructure-as-Code (IaC)" component, which allows IaC users to specify settings for authentication and defaults for new Insights added to a Custom Pack.
To get started with IaC Security, ensure you have met the IaC prerequisites defined here. You can view a summary of the capabilities on our IaC Overview page. For a visual of the product and workflow, check out the Workflow page.
The IaC Security interface is available through the InsightCloudSec platform under "Security → Infrastructure as Code".
Note: For new users the display defaults to a blank “Scan List” landing page with a prompt to “Create Configuration”.
There are three distinct sections of the IaC Security interface:
- Scan List - Lists all completed IaC configuration scans along with their status, scan date, and duration. Review Viewing Scan Results for details on filtering, interacting with, and interpreting scan results. The Viewing Scan Results page also includes information on Dynamic Analysis capabilities.
- Configurations - Lists all IaC configurations as well as some scan statistics about each configuration. Review Managing Configurations for details on reviewing, creating, and editing IaC configurations.
- On-Demand Scan - Allows users to use the IaC Analyzer to scan IaC templates on-demand and check for any issues in an existing IaC configuration. While this use case is less common, it can be helpful if you're interested in learning more about how the analyzer works. Review Using the IaC Analyzer (via the UI) for detailed steps about initiating and viewing IaC Security scans from within the UI.