IaC Security - Frequently Asked Questions (FAQ)

What is Infrastructure as Code (IaC)?

IaC tools let you define cloud infrastructure by writing code. Rather than deploying or changing infrastructure by hand, you can apply the practices of a software development environment to it. This approach is a significant part of a successful shift-left strategy: shifting left means finding and preventing defects earlier in the delivery process, typically while software is being created. Adopting best practices around templates, testing, monitoring, review, and version control lets you apply those same practices to the code that defines your infrastructure.

To learn more about the value of IaC in a security context, check our whitepaper Shifting Cloud Security Left with Infrastructure as Code.

How can InsightCloudSec Integrate with IaC?

Treating infrastructure as code lets organizations plan, review, and examine infrastructure (resources) for misconfigurations before those resources are created. Because IaC describes resources without creating them, the IaC Security feature of InsightCloudSec lets organizations apply security controls earlier in their continuous integration/continuous delivery (CI/CD) pipeline (shifting left) and address compliance and security concerns before anything is deployed to or modified in the cloud. IaC Security draws on the extensive Insights library, so users can get started quickly and see immediate value with InsightCloudSec built-in Insight packs or customer-created Insight packs.

How Does InsightCloudSec IaC Security Work?

IaC Security uses the IaC Analyzer to scan your infrastructure templates against Insight packs, reporting specific violations and determining compliance before the infrastructure is deployed. A scan can be run locally with the CLI IaC Scanning Tool or automatically through a CI/CD pipeline integration; either way it produces a detailed report of the results.
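As an added illustration of what a scan of this kind does (example code written for this page, not InsightCloudSec's IaC Analyzer or any real Insight pack), the following Python applies one constructed rule, "SSH reachable from the whole internet", to a constructed Terraform plan JSON of the shape produced by `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, and to a constructed CloudFormation template in JSON form. The field names follow the real Terraform plan and CloudFormation schemas; the rule name, the sample resources and the report format are assumptions. Two details a practitioner would want handled: a resource the plan destroys has no "after" state, so it is not evaluated, and an ingress rule with protocol -1 carries no port numbers but admits every port.

```python
"""Added example for this page: a minimal IaC check in the style of an Insight.
Not InsightCloudSec code. Inputs, rule name and report format are constructed;
the JSON field names follow the Terraform plan and CloudFormation schemas."""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

# Constructed Terraform plan JSON (shape of `terraform show -json tfplan`),
# trimmed to the fields the rule reads. Not output from a real plan.
TF_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "bastion", "ingress": [
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_security_group.internal", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "internal", "ingress": [
             {"protocol": "tcp", "from_port": 22, "to_port": 22,
              "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}]}}},
        # Being destroyed: its open rule must not be reported, nothing exists after apply.
        {"address": "aws_security_group.legacy", "type": "aws_security_group",
         "change": {"actions": ["delete"], "before": {"name": "legacy", "ingress": [
             {"protocol": "-1", "from_port": 0, "to_port": 0,
              "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}, "after": None}},
    ],
})

# Constructed CloudFormation template (JSON form). Not a real template.
CFN_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "Logs": {"Type": "AWS::S3::Bucket"},
        "AllTrafficSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "protocol -1 has no ports but admits everything",
            "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    },
})


def _admits_port(protocol, from_port, to_port, port):
    """True if the rule's protocol/port range admits TCP `port`; -1 means all traffic."""
    if str(protocol) in ("-1", "all"):
        return True
    if str(protocol).lower() != "tcp":
        return False
    return int(from_port) <= port <= int(to_port)


def terraform_ingress(plan_json):
    """Yield (address, normalised ingress rules) for each security group left in place by the plan."""
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") != "aws_security_group" or not after:
            continue  # other resource types, or no post-apply state (delete)
        yield rc["address"], [
            {"protocol": i.get("protocol"), "from": i.get("from_port", 0), "to": i.get("to_port", 0),
             "cidrs": list(i.get("cidr_blocks") or []) + list(i.get("ipv6_cidr_blocks") or [])}
            for i in after.get("ingress") or []]


def cloudformation_ingress(template_json):
    """Yield (logical id, normalised ingress rules) for each AWS::EC2::SecurityGroup."""
    for logical_id, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        yield logical_id, [
            {"protocol": i.get("IpProtocol"), "from": i.get("FromPort", 0), "to": i.get("ToPort", 0),
             "cidrs": [c for c in (i.get("CidrIp"), i.get("CidrIpv6")) if c]}
            for i in res.get("Properties", {}).get("SecurityGroupIngress", [])]


def evaluate(resources):
    """Apply the rule to every resource; at most one finding per violating resource."""
    findings = []
    for address, rules in resources:
        for r in rules:
            if WORLD_CIDRS & set(r["cidrs"]) and _admits_port(r["protocol"], r["from"], r["to"], SSH_PORT):
                findings.append({"resource": address, "insight": "ssh-open-to-world",
                                 "detail": f"{r['protocol']} {r['from']}-{r['to']} from {r['cidrs']}"})
                break
    return findings


def scan_terraform_plan(plan_json):
    return evaluate(terraform_ingress(plan_json))


def scan_cloudformation(template_json):
    return evaluate(cloudformation_ingress(template_json))


if __name__ == "__main__":
    for driver, findings in (("terraform", scan_terraform_plan(TF_PLAN)),
                             ("cloudformation", scan_cloudformation(CFN_TEMPLATE))):
        for f in findings:  # a CI/CD step would fail the build when this list is non-empty
            print(f"[{driver}] {f['resource']}: {f['insight']} ({f['detail']})")
```

Run as a script it prints one line per violating resource; the two `scan_*` functions return the findings so a pipeline step can fail the build on a non-empty list, which is the point at which a misconfiguration is blocked before anything is created.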

What is Supported?

IaC Security scanning supports a variety of resource types for the following IaC platforms and artifact types (also known as drivers in InsightCloudSec):

  • Terraform plans for AWS, Azure and GCP providers
  • AWS CloudFormation templates (CFT)

Terraform

InsightCloudSec will scan Terraform plans written using Terraform versions 0.12 and up. Review Terraform Supported Resources for a full list of supported resources for the AWS, Azure, and GCP providers. If you're looking to use IaC with Terraform Cloud/Enterprise instead, see Integrate with Terraform Cloud/Enterprise (TFC/E) for more information.

Additional GCP Details

Scanning Terraform plans containing supported Google resources that were generated with a Google provider version prior to v4.x.x may produce unexpected results. We recommend using the latest 4.x version of the Google provider.

Additional Azure Details

Scanning Terraform plans containing supported Azure resources that were generated with an AzureRM provider version prior to v3.x.x may produce unexpected results. We recommend using the latest 3.x version of the AzureRM provider.

AWS CloudFormation

InsightCloudSec will scan AWS CloudFormation templates (CFTs). Review AWS CloudFormation Supported Resources for a full list of supported AWS resources.

CLI IaC Scanning

InsightCloudSec offers a Command Line Interface (CLI) tool that lets individual developers run IaC scans locally and lets DevOps teams run them from CI/CD tool integrations; the tool authenticates to InsightCloudSec with an API key. See the full IaC CLI Scanning Tool documentation for details.

Explore More About IaC

Check out details on Getting Started with IaC Security to review requirements and learn more about what you need to do to start using the IaC feature.