IaC Security Overview (FAQ)

An Overview (FAQ) of the InsightCloudSec Infrastructure as Code (IaC) Capability

What is Infrastructure as Code (IaC)?

IaC tools allow you to define cloud infrastructure by writing code. Rather than deploying or changing infrastructure by hand, users can take advantage of the practices typically employed in a software development environment. This approach is a significant part of a successful “shift-left” strategy. “Shifting left” is simply the practice of finding and preventing defects earlier in a delivery process, typically during the creation of software. Adopting best practices around templates, testing, monitoring, review, and version control allows you to apply those same practices to the “code” that defines your infrastructure.

To learn more about the value of IaC in a security context, check our whitepaper Shifting Cloud Security Left with Infrastructure as Code.

How can InsightCloudSec Integrate with IaC?

Treating infrastructure like code enables organizations to plan, review, and examine infrastructure (resources) for misconfigurations before those resources are created. By taking advantage of IaC's ability to describe resources without creating them, the IaC Security feature of InsightCloudSec enables organizations to implement security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left). It also provides an opportunity to address compliance and security concerns before deployments or modifications reach your cloud infrastructure. IaC Security is able to leverage an extensive Insights library, so users can get started quickly and see immediate value using InsightCloudSec built-in Insight packs or customer-created Insight packs.

How Does InsightCloudSec IaC Security Work?

IaC Security employs the IaC Analyzer to analyze, or scan, your infrastructure templates against Insight packs, giving specific feedback about violations and determining compliance before the infrastructure is deployed. Each scan can be performed ad hoc or in an automated fashion via a CI/CD pipeline integration, and each scan generates a detailed report of the results.

What is Supported?

IaC Security scanning supports a variety of resource types for the following IaC platforms and artifact types (also known as drivers in InsightCloudSec):

  • Terraform plans for AWS, Azure and GCP providers
  • AWS CloudFormation templates (CFT)
  • Helm charts, Kustomize overlays, and YAML manifest files for Kubernetes infrastructure

Terraform

InsightCloudSec will scan Terraform plans written using Terraform versions 0.12 and up. Review Terraform Supported Resources for a full list of supported resources for the AWS, Azure, and GCP providers.
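To make concrete what "scanning a Terraform plan" means mechanically, here is an added illustration that is not part of this page, the IaC Analyzer, or any Insight pack. It assumes the plan has been rendered to JSON with the standard Terraform commands (`terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`), walks the `resource_changes` array that this JSON contains, and applies one hand-written stand-in rule (admin ports open to the world on an `aws_security_group`). The sample plan is constructed inline with invented names and values. The rule also shows the caveat a practitioner hits on real plans: attribute values that are only computed at apply time are absent from `after` and flagged in `after_unknown`, so a scanner must report them for review rather than treat a missing CIDR list as "closed".

```python
import json

# Constructed sample (not a real plan): the parts of a `terraform show -json`
# document that matter here. One group exposes SSH to the world, one has an
# ingress CIDR that is only known at apply time, one is being deleted.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_security_group.bastion",
            "type": "aws_security_group",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "bastion",
                    "ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                    ],
                },
                "after_unknown": {"id": True, "ingress": [{}]},
            },
        },
        {
            "address": "aws_security_group.app",
            "type": "aws_security_group",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "app",
                    # cidr_blocks is omitted: it comes from another resource
                    # and Terraform only knows it after apply.
                    "ingress": [
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "ipv6_cidr_blocks": []},
                    ],
                },
                "after_unknown": {"id": True, "ingress": [{"cidr_blocks": True}]},
            },
        },
        {
            "address": "aws_security_group.old",
            "type": "aws_security_group",
            "change": {"actions": ["delete"], "before": {"name": "old"},
                       "after": None, "after_unknown": {}},
        },
    ],
})

ADMIN_PORTS = {22, 3389}          # hypothetical rule parameters
ANYWHERE = {"0.0.0.0/0", "::/0"}


def check_security_group(resource_change):
    """Apply the stand-in rule to one resource_changes entry.

    Returns a list of (address, severity, message). Only resources that will
    exist after the apply are examined; deletes carry after == None.
    """
    change = resource_change["change"]
    after = change.get("after")
    if resource_change["type"] != "aws_security_group" or not after:
        return []
    address = resource_change["address"]
    unknown = change.get("after_unknown", {}).get("ingress", [])
    if unknown is True:  # the whole ingress block is computed at apply time
        return [(address, "REVIEW", "ingress rules not known at plan time")]
    findings = []
    for i, rule in enumerate(after.get("ingress", [])):
        rule_unknown = unknown[i] if i < len(unknown) else {}
        if rule_unknown.get("cidr_blocks") or rule_unknown.get("ipv6_cidr_blocks"):
            findings.append((address, "REVIEW", "ingress CIDR not known at plan time"))
            continue
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        world = cidrs & ANYWHERE
        if not world:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        # protocol "-1" (or 0-0) is the AWS encoding for "all ports".
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        exposed = ADMIN_PORTS if all_ports else {p for p in ADMIN_PORTS if lo <= p <= hi}
        if exposed:
            findings.append((address, "HIGH",
                             f"ports {sorted(exposed)} open to the world via {sorted(world)}"))
    return findings


def scan_plan(plan_json):
    """Run every rule (here, just one) over every planned resource change."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        findings.extend(check_security_group(rc))
    return findings


if __name__ == "__main__":
    for address, severity, message in scan_plan(SAMPLE_PLAN_JSON):
        print(f"{severity:6} {address}: {message}")
```

Run against the constructed plan, the bastion group is reported as HIGH, the app group is reported as REVIEW because its CIDR is unknown until apply, and the deleted group produces nothing. The same shape (parse the artifact, walk the resources it would create, apply rules, emit findings before anything is deployed) is what an IaC scan does, whatever the rule library behind it.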

Additional GCP Details

  • Scanning Terraform plans containing supported Google resources that were generated with a Google provider version prior to v4.x.x may produce unexpected results. We recommend using the latest 4.x version of the Google provider.

Additional Azure Details

  • Scanning Terraform plans containing supported Azure resources that were generated with an AzureRM provider version prior to v3.x.x may produce unexpected results. We recommend using the latest 3.x version of the AzureRM provider.

AWS CloudFormation

InsightCloudSec will scan AWS CloudFormation templates (CFTs). Review AWS CloudFormation Supported Resources for a full list of supported AWS resources.

Kubernetes IaC

InsightCloudSec will scan various artifacts defining Kubernetes infrastructure including Helm charts, Kustomize overlays and YAML manifest files. Please review Kubernetes - IaC Supported Resources for a full list of supported resources.

CLI IaC Scanning

InsightCloudSec offers a Command Line Interface (CLI) tool that lets individual developers initiate IaC scans directly, and lets DevOps teams initiate them from CI/CD tool integrations, authenticating with an API key. Check out the full IaC CLI Scanning Tool documentation for details.
