Managing IaC Configurations

Managing IaC Security Configurations Used for Scanning

This section describes how to manage the IaC Security configurations used for scanning. See the IaC Overview for high-level details of the IaC feature. Configurations are a critical component of IaC Analyzer scans: they let users determine which “checks” to scan for, with regard to resources and Insights. In most scenarios, configurations are added after you have set up scanning, so that the data you want to analyze is already coming in.

The Configurations section of the IaC Security interface is available under "Security → Infrastructure as Code → Configurations". Each Configuration is listed with: a link to its Insight Pack (Custom Packs or Compliance Packs), the number of Terraform Cloud/Enterprise (TFC/E) Run Tasks associated with the configuration, various dates regarding usage and creation, and actions.

Accessing Configurations

Create a Configuration

Before Getting Started

Here are a few things to keep in mind when creating your configuration:

  • There are currently no limitations on the number of configurations. However, only a single configuration can be used for scanning at one time.
  • Configurations are limited to a maximum of 300 Insights.
  • Configurations are only available to Domain Admins, Organization Admins, and Editor/Admin-entitled users. See the User Entitlements Matrix for more information.

Steps to Create Your Configuration

First, navigate to "Security → Infrastructure as Code → Configurations", then click the “+ New Configuration” button in the top right corner. The “Create Configuration” form launches from the side of the page.

Create Configuration Form

1. Provide a Name and optional Description for the new configuration.

2. Under “Insight Settings”, select an Insight Pack to use for your IaC Security analysis.

  • InsightCloudSec provides support for both out-of-the-box Compliance Packs and for Custom Packs (based on user-specific configurations of Insights).
  • Selecting an Insight Pack (custom or otherwise) will expose a list of the Insights included in the specified pack, along with buttons to configure your desired Insight settings.

3. Select whether to fail, warn, or ignore the Insight upon verification during IaC Security analysis.

  • Insights can be configured all at once using the "Set All" button ("Warn", "Ignore", or the default "Fail") or on an individual basis by selecting the desired behavior next to each Insight name.
  • The level of support is specified under each Insight name in grey text. If no grey text is present, the Insight has full resource support.
    • Partial Support - Resources are not supported for certain CSPs; these will be specifically identified.
    • Unsupported - Resources specific to this Insight are not supported on any of the CSPs; these will be hidden by default. Click the "Show Unsupported Insights" button at the bottom of the "Insight Configuration" list to display them.

Configuring Insights

4. Optionally, click "Notifications" to configure notifications upon scan.

Configuring Notifications

5. When you are satisfied with your settings, click “Apply”. Your completed configuration will be available under the “Configurations” tab.

Editing Existing Configurations

There are two ways to edit an existing configuration:

  • Click the "Edit Configuration" icon (pencil) next to a finished configuration scan on the "Scan List" tab.
  • Click the "Edit Configuration" icon (pencil) next to a configuration on the "Configurations" tab.

After clicking the "Edit Configuration" icon, the Manage Configuration window will appear, allowing you to edit the name, description, insight pack & settings, and notifications for the configuration. Click "Apply" once finished with your edits.

Edit Existing Configuration