Get started with IaC in Cloud Security (InsightCloudSec)
Cloud Security (InsightCloudSec) employs the internal IaC Analyzer to scan your preconfigured infrastructure templates against Insight packs, which yields specific feedback about misconfigurations and determines compliance before infrastructure is deployed. Each scan can be performed locally using the CLI IaC Scanning Tool or in an automated fashion using a CI/CD pipeline integration. After a scan is complete, it generates a detailed report of the results.
To learn more about the value of IaC in a security context, read our blog.
Prerequisites
Any type of user can view the Infrastructure as Code page, but only Domain Admins, Organization Admins, and Editor/Admin-entitled users can create/edit IaC Configurations. See the User Entitlements Matrix for more information.
Rapid7 also recommends a working implementation and understanding of the desired supported IaC templating software (for example, Terraform or AWS CloudFormation).
Prerequisites for external tools
To leverage the full capability of the Cloud Security (InsightCloudSec) IaC functionality and compliance automation at scale with external CI/CD tools, you’ll need the following additional items:
- An API Key for a user with the Infrastructure as Code Viewer entitlement.
- An existing version-controlled repository of the templates.
- An existing integration between the version-controlled repository and a CI/CD tool (for example, Jenkins or CircleCI).
- Cloud Security (InsightCloudSec) also supports Terraform Cloud/Enterprise. See Terraform Cloud/Enterprise (TFC/E) Run Task Integration for more information.
- The capacity for your CI/CD pipeline to create an IaC template and send API requests to Cloud Security (InsightCloudSec).
Example IaC workflow
Before using the IaC capabilities in Cloud Security (InsightCloudSec), it’s important to understand a typical workflow:
- Ensure resource support for your selected template type:
- Terraform Supported Resources for Terraform plans for AWS, Azure and GCP providers (versions 0.12 and up)
- AWS CloudFormation Supported Resources for AWS CloudFormation Templates (CFTs)
Using Terraform Cloud/Enterprise?
If you use Terraform Cloud/Enterprise, this requires additional configuration. See Integrate with Terraform Cloud/Enterprise (TFC/E) for more information.
- Select your configuration: Configurations determine how and what Insights should be used to check your infrastructure templates for misconfigurations. See Managing Configurations for details on reviewing, creating, and editing configurations. Configurations contain:
- An Insight or Compliance Pack for scanning
- Settings for each Insight within the pack
- Notification options (email or Slack)
- Choose a method for initiating IaC file scans:
- Configure your CI/CD tooling to trigger a scan based on desired events (for example, Push, Pull, Build, Stage, or Deploy) using the CLI IaC Scanning Tool
- Manually run a scan using the CLI IaC Scanning Tool
- Initiate a scan: With an IaC Configuration and scanning method defined, you are ready to initiate the scan. After the scan is finished, you’ll receive an overall grade, and the results are compiled into a detailed report.
- View your report: After a scan has completed, it is reported as Passed, Warned, or Failed. A detailed report for the scan is uploaded to the interface. Learn more about this report in Viewing Scan Results.
Exceptions
If you want to avoid your template failing a particular Insight check, you can create an Exception. Exceptions can be created directly from scan results or with the IaC CLI Scan Tool, but they are managed on the Exceptions page.
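To make the scan workflow above and the exception mechanism concrete, here is an added example that is not part of InsightCloudSec or of this documentation: a small Python checker that reads the JSON produced by `terraform show -json <planfile>`, runs two illustrative checks (a public S3 bucket ACL and an SSH ingress rule open to 0.0.0.0/0), honours a per-resource exception list, and grades the result Passed, Warned or Failed in the spirit of the report described above. The check names, severities, the exception tuple format and the embedded sample plan are all constructed for illustration; they are not InsightCloudSec Insights, and the real IaC Analyzer applies the Insight or Compliance Pack you select in your configuration.

```python
"""Illustrative Terraform-plan checker (example code, not the InsightCloudSec analyzer)."""
import json

# Constructed sample: the slice of `terraform show -json plan.tfplan` output that
# a plan-based scanner actually reads (planned_values -> root_module -> resources).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "example-logs", "acl": "public-read"}},
                {"address": "aws_security_group.web", "type": "aws_security_group",
                 "values": {"name": "web", "ingress": [
                     {"from_port": 22, "to_port": 22, "protocol": "tcp",
                      "cidr_blocks": ["0.0.0.0/0"]}]}},
                {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
                 "values": {"bucket": "example-data", "acl": "private"}},
            ]
        }
    },
}


def s3_public_acl(res):
    """Bucket planned with a canned ACL that grants anonymous read or write."""
    return (res["type"] == "aws_s3_bucket"
            and res["values"].get("acl") in {"public-read", "public-read-write"})


def sg_ssh_open_to_world(res):
    """Security group whose ingress admits TCP/22 from any IPv4 address."""
    if res["type"] != "aws_security_group":
        return False
    for rule in res["values"].get("ingress", []):
        if (rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
                and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
            return True
    return False


# Hypothetical check catalogue: name -> (severity, predicate). "fail" fails the
# scan outright; "warn" only downgrades a clean scan to Warned.
CHECKS = {
    "s3-public-acl": ("fail", s3_public_acl),
    "sg-ssh-open-to-world": ("warn", sg_ssh_open_to_world),
}


def iter_resources(plan):
    """Yield every planned resource, descending into child modules."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(plan["planned_values"]["root_module"])


def scan(plan, checks, exceptions=frozenset()):
    """Run each check over each resource. An exception is a (check, address) pair;
    excepted findings are still reported, but do not affect the grade."""
    findings = []
    for res in iter_resources(plan):
        for name, (severity, predicate) in checks.items():
            if predicate(res):
                findings.append({
                    "check": name,
                    "address": res["address"],
                    "severity": severity,
                    "excepted": (name, res["address"]) in exceptions,
                })
    return findings


def grade(findings):
    """Collapse findings to the three-state verdict used in scan reports."""
    active = [f for f in findings if not f["excepted"]]
    if any(f["severity"] == "fail" for f in active):
        return "Failed"
    return "Warned" if active else "Passed"


def load_plan(path):
    """Load a real plan exported with `terraform show -json plan.tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    results = scan(SAMPLE_PLAN, CHECKS)
    for f in results:
        flag = " (excepted)" if f["excepted"] else ""
        print(f"[{f['severity'].upper()}] {f['check']}: {f['address']}{flag}")
    print("Grade:", grade(results))
```

Run as-is it grades the embedded plan Failed because of the public bucket; adding `("s3-public-acl", "aws_s3_bucket.logs")` to the exceptions set drops the grade to Warned, and excepting the SSH rule as well yields Passed. In a pipeline you would pass `load_plan("plan.json")` instead of the sample and gate the deploy stage on the grade.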
Additional configuration options
Additional system-wide configuration options for IaC are available in Settings > System Administration > Security, including:
- Authentication requirements for scans
- Default Insight status for configurations
- Scan report retention limit