Infrastructure as Code (IaC) tools allow you to define cloud infrastructure by writing code. Rather than deploying or changing your infrastructure manually, you can take advantage of the features typically employed in a software development environment. This approach is a significant part of a successful “shift-left” strategy. “Shifting left” is simply the practice of finding and preventing defects earlier in a delivery process, typically during the creation of software. Adopting best practices around templates, testing, monitoring, review, and version control allows you to apply those same practices to the “code” that defines your infrastructure.
To learn more about the value of IaC in a security context, check our whitepaper Shifting Cloud Security Left with Infrastructure as Code.
Treating infrastructure like code enables organizations to plan, review, and examine infrastructure (resources) for misconfigurations before those resources are created. By taking advantage of IaC's ability to describe resources without creating them, DivvyCloud's IaC Security feature enables organizations to implement security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left). It also provides an opportunity to address compliance and security concerns before deployment or modification of your cloud infrastructure. IaC Security leverages the extensive Insights library, so users can get started quickly and see immediate value using DivvyCloud's built-in Insight Packs or customer-created Insight Packs.
IaC Security employs the IaC Analyzer to analyze, or scan, your preconfigured infrastructure templates against Insight packs to gain specific feedback about violations and determine compliance before infrastructure is deployed. Each scan can be performed ad-hoc or in an automated fashion via a CI/CD pipeline integration and will generate a detailed report of the results.
IaC Security supports a variety of resource types for the following IaC templating software (also known as drivers):
- AWS CloudFormation: DivvyCloud recognizes AWS CloudFormation templates. Review AWS CloudFormation Supported Resources for a full list of supported AWS resources.
- Terraform: DivvyCloud recognizes Terraform templates written using Terraform versions 0.11, 0.12, 0.13, and 0.14. Review Terraform Supported Resources for a full list of supported resources.
There are a few things you will need to have available and configured before using IaC Security:
- A running DivvyCloud Platform
- DivvyCloud Domain Admin permissions (only domain admins can create/edit IaC Configurations)
- A working implementation and understanding of the desired supported IaC templating software
- Optional: IaC scan authentication enabled
If you have questions related to these requirements, reach out to us through any of the options provided on our Getting Support page.
To leverage the full capability of DivvyCloud's IaC functionality and compliance automation at scale, you'll need the following items in addition to the above prerequisites:
- An API Key
- An existing version-controlled repository of the templates
- An existing integration between the version-controlled repository and a CI/CD tool (e.g., Jenkins or Travis)
- The capacity for your CI/CD pipeline to create an IaC template and send API requests to DivvyCloud
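The last two prerequisites describe a pipeline step that submits a template to the IaC Analyzer and reacts to the report. The following is an added example of such a gate, not DivvyCloud's own code: the endpoint path, the API key header name, and the JSON report shape (a `violations` list with `severity`, `resource`, and `insight` fields) are assumptions to be replaced with the values from the product's API documentation, and the sample report is constructed so the gate logic runs offline.

```python
import json
import os
import urllib.request

# Placeholders: set from the CI environment; the defaults here are not real values.
DIVVY_URL = os.environ.get("DIVVY_URL", "https://divvycloud.example.invalid")
API_KEY = os.environ.get("DIVVY_API_KEY", "<api-key-placeholder>")
SCAN_PATH = "/<iac-scan-endpoint-placeholder>"  # assumed; take the real path from the product docs
API_KEY_HEADER = "Api-Key"                       # assumed header name
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def submit_scan(template_path, config_name):
    """Send a template to the IaC Analyzer for the named IaC Configuration (network call)."""
    with open(template_path, "r", encoding="utf-8") as fh:
        payload = {"config_name": config_name, "template": fh.read()}
    req = urllib.request.Request(DIVVY_URL + SCAN_PATH,
                                 data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header(API_KEY_HEADER, API_KEY)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def blocking_violations(report, min_severity="high"):
    """Return Insight violations at or above min_severity (report shape is assumed)."""
    threshold = SEVERITY[min_severity]
    return [v for v in report.get("violations", [])
            if SEVERITY.get(str(v.get("severity", "")).lower(), 0) >= threshold]


def build_should_fail(report, min_severity="high"):
    """Gate decision: fail the pipeline if any blocking violation is present."""
    return len(blocking_violations(report, min_severity)) > 0


# Constructed sample report (not real analyzer output) so the gate logic runs offline.
SAMPLE_REPORT = {
    "violations": [
        {"insight": "S3 bucket allows public read", "resource": "LogsBucket", "severity": "high"},
        {"insight": "CloudTrail log validation disabled", "resource": "Trail", "severity": "medium"},
    ]
}

if __name__ == "__main__":
    import sys
    # Usage: gate.py <template-path> <iac-config-name>; with no arguments the sample report is used.
    report = SAMPLE_REPORT if len(sys.argv) < 3 else submit_scan(sys.argv[1], sys.argv[2])
    for v in blocking_violations(report):
        print(f"BLOCK {v['severity']}: {v['resource']} - {v['insight']}")
    sys.exit(1 if build_should_fail(report) else 0)
```

Raising or lowering `min_severity` sets how strict the gate is; the exit code is what makes the CI job fail before the template is deployed.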
To enable authentication for your IaC scans, in the DivvyCloud platform UI navigate to "Administration --> System Administration", open the "System" tab, and under "General Settings" use the checkbox at the end of the section to enable or disable the authentication requirement.
More details about this section of the product are available under System Settings.