IaC tools allow you to define infrastructure in the cloud by writing code. Rather than deploying or making changes to your infrastructure manually, users can take advantage of the features typically employed in a code development environment. This approach is a significant part of a successful “shift-left” strategy. “Shifting left” is simply the practice of attempting to find and prevent defects earlier in a delivery process, typically in the creation of software. Adopting best practices around things like templates, testing, monitoring, review, and version control allow you to apply these practices to the “code” that defines your infrastructure.
To learn more about the value of IaC in a security context, check our whitepaper Shifting Cloud Security Left with Infrastructure as Code.
Treating infrastructure like code enables organizations to plan, review, and examine infrastructure (resources) for misconfigurations prior to creating these resources. By taking advantage of IaC's ability to describe resources without creating them, the IaC Security feature of InsightCloudSec enables organizations to implement security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left). It also provides an opportunity to address compliance and security concerns before deployment or modifications are made to your cloud infrastructure. IaC Security is able to leverage an extensive Insights library so users can get started quickly and see immediate value using InsightCloudSec built-in Insight packs or customer-created Insight packs.
IaC Security employs the IaC Analyzer to analyze, or scan, your preconfigured infrastructure templates against Insight packs to gain specific feedback about violations and determine compliance before infrastructure is deployed. Each scan can be performed locally using the CLI IaC Scanning Tool or in an automated fashion via a CI/CD pipeline integration and will generate a detailed report of the results.
IaC Security scanning supports a variety of resource types for the following IaC platforms and artifact types (also known as drivers in InsightCloudSec):
- Terraform plans for AWS, Azure and GCP providers
- AWS CloudFormation templates (CFT)
- Helm charts, Kustomize overlays, and YAML manifest files for Kubernetes infrastructure
InsightCloudSec will scan Terraform plans written using Terraform versions 0.12 and up. Review Terraform Supported Resources for a full list of supported resources for the AWS, Azure, and GCP providers.
Terraform Cloud and Enterprise Support
As of version 22.9.28, InsightCloudSec supports Terraform Cloud/Enterprise via run tasks. See Terraform Cloud/Enterprise (TFC/E) Run Task Integration for more information.
Additional GCP Details
- Scanning Terraform plans containing supported Google resources that were generated with a Google provider version prior to v4.x.x may produce unexpected results. We recommend using the latest 4.x version of the Google provider.
Additional Azure Details
- Scanning Terraform plans containing supported Azure resources that were generated with a AzureRM provider version prior to v3.x.x may produce unexpected results. We recommend using the latest 3.x version of the AzureRM provider.
InsightCloudSec will scan AWS CloudFormation templates (CFTs). Review AWS CloudFormation Supported Resources for a full list of supported AWS resources.
InsightCloudSec will scan various artifacts defining Kubernetes infrastructure including Helm charts, Kustomize overlays and YAML manifest files. Please review Kubernetes - IaC Supported Resources for a full list of supported resources. For instructions on submitting a scan, please see the CLI Tool Commands and Parameters - Kubernetes IaC page.
InsightCloudSec offers a Command Line Interface (CLI) tool that enables customers to initiate IaC scans by individual Developers or by DevOps teams via CI/CD tool integrations using an API key. Check out the full IaC CLI Scanning Tool documentation for details.
Check out details on Getting Started with IaC Security to review requirements and learn more about what you need to do to start using the IaC feature.
Updated about 1 year ago