In the wake of the industry’s transition to DevOps and cloud engineering, infrastructure as code is gaining traction as more organizations begin to define objects, assets, services and other cloud configuration items in IaC templates.
All the major cloud service providers (CSPs) offer IaC services and template formats, including AWS CloudFormation, Azure Resource Manager and Google Cloud Deployment Manager. Cloud-neutral products and services are also available from suppliers such as HashiCorp and Pulumi.
For all their benefits, however, IaC templates can be exploited by malicious hackers and other threat actors. As security teams incorporate security controls into the DevOps pipeline, IaC security scanning is becoming more commonplace. Scanning enables teams to detect and remediate potential security issues or policy violations before templates are instantiated into runtime environments.
IaC security scanning features
To be successful, IaC scans should address a number of common use cases, including the following:
- Uncovering known platform vulnerabilities. A wide range of vulnerabilities have been uncovered in IaC platforms, open source libraries and packages used in container and Kubernetes deployments. Many IaC scanners can assess all three, looking for potential issues exploited in containers, VM images and IaC services. Increasingly, IaC scanning can be integrated with other vulnerability scanning tools and reporting mechanisms.
- Detecting configuration errors. Configuration errors in cloud assets and services are a common problem. IaC security scanning can identify scenarios where cloud deployments introduce vulnerabilities in the cloud fabric, such as overly permissive identity policies, accidental exposure of assets and services to the internet, and poor network isolation. Leading IaC scanners can also help align configuration settings with industry standards such as Center for Internet Security benchmarks, CSP recommendations and specifications from NIST and others, as well as internal requirements set by security teams.
- Centralizing security policy management for cloud deployments. All leading scanning tools cover the major CSPs, which helps centralize security policy and enforcement across diverse environments found in large multi-cloud deployments.
- Identifying exposed secrets and sensitive data. Many IaC templates include references to access keys, cryptographic keys and information, and credentials involved in cloud service deployments. In keeping with policy definitions, IaC scanning should identify where credentials and secrets are potentially exposed, enabling DevOps and security teams to better protect them.
- Reporting. Consistent IaC security scanning expands and enhances an organization’s vulnerability management reporting capabilities — especially when it enables continuous, automated analysis of deployments across different CSP environments. Many organizations integrate IaC scan results and alerting into change management and cloud governance workflows.
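To make the configuration-error and exposed-secret use cases above concrete, here is a small policy checker over a CloudFormation template in JSON form. This is an added example, not code from the article or from any of the scanners it names; the rule ids, the sample template and the credential-property naming convention it keys on are constructed for illustration, and real scanners ship far larger rule sets. It flags the same categories the article lists: ingress open to the internet, an Allow */* IAM statement, a bucket with a public canned ACL, and literal credentials that should instead be a Ref, an Fn:: intrinsic or a {{resolve:...}} dynamic reference.

```python
"""Minimal IaC policy checker over a CloudFormation template (JSON form).
Added example: rule ids and the sample template below are constructed."""
import json
import re

# AWS access key IDs begin with "AKIA"; matching credential-bearing property
# names by substring (password/secret/token) is an assumed naming convention.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_PROPERTY_RE = re.compile(r"(password|secret|token)", re.IGNORECASE)


def _is_dynamic(value):
    """True when a value is resolved at deploy time instead of written literally."""
    if isinstance(value, dict):
        return any(k == "Ref" or k.startswith("Fn::") for k in value)
    return isinstance(value, str) and value.startswith("{{resolve:")


def _walk(node, path=""):
    """Yield (dotted path, scalar value) for every leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node


def check_template(template):
    """Return a list of (rule_id, logical_resource_id, message) findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})

        # Network isolation: ingress reachable from the whole internet.
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append(("SG_OPEN_INGRESS", name,
                        f"ingress from anywhere on port {rule.get('FromPort')}-{rule.get('ToPort')}"))

        # Identity: Allow with wildcard action on wildcard resource.
        if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role"):
            docs = [props.get("PolicyDocument")] + [p.get("PolicyDocument") for p in props.get("Policies", [])]
            for doc in docs:
                for stmt in (doc or {}).get("Statement", []):
                    actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
                    actions = [actions] if isinstance(actions, str) else actions
                    resources = [resources] if isinstance(resources, str) else resources
                    if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                        findings.append(("IAM_ADMIN_WILDCARD", name, "Allow */* statement"))

        # Exposure: bucket created with a public canned ACL.
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            findings.append(("S3_PUBLIC_ACL", name, f"AccessControl={props['AccessControl']}"))

        # Secrets: literal credentials anywhere under Properties.
        for path, value in _walk(props):
            if isinstance(value, str) and ACCESS_KEY_RE.search(value):
                findings.append(("HARDCODED_ACCESS_KEY", name, f"access key id in {path}"))
            leaf = path.split(".")[-1]
            if SECRET_PROPERTY_RE.search(leaf) and isinstance(value, str) and not _is_dynamic(value):
                findings.append(("HARDCODED_SECRET", name, f"literal value in {path}"))
    return findings


# Constructed sample template: four deliberately weak resources and one
# (DbFixed) that pulls its password from Secrets Manager at deploy time.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
  "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {},
    "Policies": [{"PolicyName": "admin", "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
  "Assets": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
  "Db": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"MasterUsername": "admin", "MasterUserPassword": "hunter2"}},
  "DbFixed": {"Type": "AWS::RDS::DBInstance", "Properties": {"MasterUsername": "admin",
    "MasterUserPassword": "{{resolve:secretsmanager:prod/db:SecretString:password}}"}},
  "Fn": {"Type": "AWS::Lambda::Function", "Properties": {"Environment": {"Variables":
    {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE01"}}}}
}}
""")

if __name__ == "__main__":
    for rule, resource, msg in check_template(SAMPLE_TEMPLATE):
        print(f"{rule:22} {resource:12} {msg}")
```

Run as a pre-deploy pipeline step, a non-empty findings list is the gate: the template fails the build before anything is instantiated, which is the point of scanning templates rather than running infrastructure. Note the design choice in the secrets rule: it treats any dynamic reference as acceptable and only flags literal strings, so a template that references a secret by name passes while one that pastes the value fails.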
IaC security scanning tools to consider
Security teams can take advantage of a wide variety of IaC security scanning tools and vendors. Some are open source and free; others are commercially available with a diverse set of integration and reporting options. Some options include the following:
- Palo Alto Networks Prisma Cloud and Checkov as a standalone scanner.
- Snyk IaC.
- PingSafe.
- Sysdig.
- Tfsec.
- TFLint.
- Terrafirma.
- Tenable Cloud Security, formerly Tenable.cs.
- Aqua Security.
- Terrascan.
- Checkmarx.
To find the best tool for your team’s needs, examine IaC security scanning options by considering cost, coverage across CSP environments and services, integration with other security and observability tools, automation through APIs and reporting capabilities. Ideally, you should integrate IaC scanning tools into the DevOps pipeline and ensure they keep pace as CSP environments change.
This was last published in July 2023