Infrastructure as Code (IaC) tools allow you to define cloud infrastructure by writing code. Rather than deploying or changing infrastructure manually, users can take advantage of the practices typically employed in a software development environment. This approach is a significant part of a successful “shift-left” strategy. “Shifting left” is simply the practice of finding and preventing defects earlier in a delivery process, typically during the creation of software. Adopting best practices around templates, testing, monitoring, review, and version control allows you to apply those same practices to the “code” that defines your infrastructure.
To learn more about the value of IaC in a security context, check our whitepaper Shifting Cloud Security Left with Infrastructure as Code.
Treating infrastructure like code enables organizations to plan, review, and examine infrastructure (resources) for misconfigurations prior to creating these resources. By taking advantage of IaC's ability to describe resources without creating them, the IaC Security feature of InsightCloudSec enables organizations to implement security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left). It also provides an opportunity to address compliance and security concerns before deployment or modifications are made to your cloud infrastructure. IaC Security is able to leverage the extensive Insights library so users can get started quickly and see immediate value using InsightCloudSec built-in Insight packs or customer-created Insight packs.
IaC Security employs the IaC Analyzer to analyze, or scan, your preconfigured infrastructure templates against Insight packs to gain specific feedback about violations and determine compliance before infrastructure is deployed. Each scan can be performed ad-hoc or in an automated fashion via a CI/CD pipeline integration and will generate a detailed report of the results.
IaC Security supports a variety of resource types for the following IaC templating software (also known as drivers):
- AWS CloudFormation: InsightCloudSec recognizes AWS CloudFormation templates. Review AWS CloudFormation Supported Resources for a full list of supported AWS resources.
- Terraform: InsightCloudSec recognizes Terraform templates written using Terraform versions 0.12 and up. Review Terraform Supported Resources for a full list of supported resources.
There are a few things you will need to have available and configured before using IaC Security:
- A running InsightCloudSec Platform
- A working implementation and understanding of the desired supported IaC templating software
- Optional: IaC scan authentication enabled
Note: While any type of user can access IaC Security, only Domain Admins, Organization Admins, and Editor/Admin-entitled users can create/edit IaC Configurations. See the User Entitlements Matrix for more information.
If you have questions related to these requirements, reach out to us through any of the options provided on our Getting Support page.
To leverage the full capability of the InsightCloudSec IaC functionality and compliance automation at scale, you'll need the following items in addition to the above prerequisites:
- An API Key
- An existing version-controlled repository of the templates
- An existing integration between the version-controlled repository and a CI/CD tool, such as Jenkins or Travis
- The capacity for your CI/CD pipeline to create an IaC template and send API requests to InsightCloudSec
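To make the two ideas above concrete, the scan of a template before any resource exists and the CI/CD step that fails a build on the resulting report, here is an added, self-contained example. It is not InsightCloudSec's IaC Analyzer, its Insight library, or its API; the two checks (`check_public_bucket`, `check_open_ingress`), the `INSIGHT_PACK` mapping, the severity names and the embedded CloudFormation template are all constructed for illustration, and the InsightCloudSec scan itself would replace `scan_template` in a real pipeline.

```python
"""Minimal pre-deployment scan of a CloudFormation template (JSON form).

Added example, not InsightCloudSec code: it illustrates the kind of
checks an IaC scan applies to a template before any resource is created,
and how a CI/CD step can fail the build on the report. All rule names,
severities and the sample template are constructed.
"""
import json

# Constructed sample template: one S3 bucket with a public canned ACL and
# one security group allowing SSH from anywhere (both deliberate findings),
# plus one private bucket that should produce no finding.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "Private"},
        },
    },
})


def check_public_bucket(name, props):
    """Hypothetical check: S3 bucket grants a public canned ACL."""
    acl = props.get("AccessControl", "Private")
    if acl in ("PublicRead", "PublicReadWrite"):
        return {"resource": name, "severity": "high",
                "rule": "s3-bucket-public-acl",
                "detail": f"AccessControl is {acl}"}
    return None


def check_open_ingress(name, props):
    """Hypothetical check: security group ingress open to the whole internet."""
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in ("0.0.0.0/0", "::/0"):
            return {"resource": name, "severity": "critical",
                    "rule": "sg-ingress-from-anywhere",
                    "detail": f"ports {rule.get('FromPort')}-"
                              f"{rule.get('ToPort')} open to {cidr}"}
    return None


# A "pack" maps a resource type to the checks that apply to it
# (constructed stand-in for an Insight pack).
INSIGHT_PACK = {
    "AWS::S3::Bucket": [check_public_bucket],
    "AWS::EC2::SecurityGroup": [check_open_ingress],
}


def scan_template(template_text, pack=INSIGHT_PACK):
    """Parse the template text and return a report of findings.

    Nothing is deployed: the checks read only the declared resources,
    which is what lets the scan run before the CI/CD deploy stage.
    """
    doc = json.loads(template_text)
    resources = doc.get("Resources", {})
    findings = []
    for name, resource in resources.items():
        props = resource.get("Properties", {})
        for check in pack.get(resource.get("Type"), []):
            finding = check(name, props)
            if finding:
                findings.append(finding)
    return {"resources_scanned": len(resources), "findings": findings}


def pipeline_should_fail(report, fail_on=("critical", "high")):
    """CI/CD gate: True when any finding has a severity in fail_on."""
    return any(f["severity"] in fail_on for f in report["findings"])


if __name__ == "__main__":
    report = scan_template(SAMPLE_TEMPLATE)
    print(json.dumps(report, indent=2))
    # Non-zero exit is what makes the pipeline stage fail.
    raise SystemExit(1 if pipeline_should_fail(report) else 0)
```

Run as a pipeline step, the script exits non-zero on the constructed template because of the two findings; the `fail_on` tuple is where a team decides which severities block a deploy and which are only reported.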
Additional configuration options for IaC are also available within InsightCloudSec's general system administration settings. Through the main console navigate to "Administration --> System Administration" and click on the "System" tab. Scroll further down the page and locate the "Infrastructure-as-Code (IaC)" component, which allows IaC users to specify settings for authentication and defaults for new Insights added to a Custom Pack.