Infrastructure as Code security

Infrastructure as Code in a DevSecOps World

This article will discuss infrastructure as code (IaC), what it is exactly, and the security implications of using IaC in the real world.

What Is Infrastructure as Code?

Infrastructure as code (IaC), a key concept in DevOps, is the process of provisioning and managing resources in public clouds using a set of human-editable text files that describe infrastructure resource configurations. These input scripts are ingested by Infrastructure as Code tools that then automatically create, update, or delete resources to ensure that the cloud infrastructure complies with the desired state. IaC tools are designed to manage the implicit and explicit dependencies between resources so that the creation, updating, and removal of resources are performed logically, taking into account these resource dependencies.

Before Infrastructure as Code (IaC) existed, resources were typically provisioned manually or, at best, through simple scripts like shell scripts or Python. Configuration management tools were very efficient when it came to configuring an instance once it was up and running, but didn’t really have the capabilities to create the instance in the first place.

IaC emerged to help bridge this gap by automating such provisioning and thus move away from snowflake servers. The introduction of declarative languages to define a desired state, along with the IaC tools that automatically implement those declarations, was a big leap forward within the industry.

Infrastructure as code (IaC) brought many benefits, among them:

  • Allowing your desired state to be written in scripts for perfect reproducibility.
  • Enabling these scripts to be saved in Git, thus allowing you to maintain a history of your infrastructure, as with application code.
  • Allowing the scripts to serve as documentation and a single source of truth.
  • Extending the possibility of continuous deployments to the provisioning and management of the resources themselves.

The three major public cloud providers all offer their own custom IaC solutions, which work only for their own respective platforms:

Terraform is the most widely used cloud-independent IaC software and offers the advantage of supporting many cloud vendors. In fact, smaller cloud providers, such as DigitalOcean and Rackspace, tend to rely on Terraform instead of an in-house IaC product.

The automated configuration management software vendors, including Puppet, Chef, and Ansible, have also been working to expand their capabilities and today, offer some level of support for creating, updating, and deleting resources in public clouds. However, they were not designed as IaC from the ground up.

What Is IaC Security?

Infrastructure as Code security is the discipline of ensuring that security best practices are built into the IaC declarative scripts. These best practices include the principle of least privilege, network segmentation so that the resources and their related dependencies are all secured within a private subnet, and the encryption of data in-transit and at-rest. The consequences of IaC scripts that do not uphold security principles can be severe, including unsecured storage buckets that expose sensitive data or an instance that is inadvertently publicly accessible and acts as an attack vector for hackers.

The principle of least privilege is important for mitigating damages from poorly configured resources or maliciously modified scripts and applies to Infrastructure as Code (IaC) at three levels:

  1. Defining who is and is not authorized to run the scripts.
  2. Limiting the permissions of authorized IaC users to what is necessary to perform their tasks.
  3. The IaC scripts should ensure that the permissions granted to the various resources it creates are limited to what is required for them to perform their work.

Most of the remaining IaC security aspects relate to the resources created by the scripts themselves. For example, a properly segmented network architecture can contain the damage from internal or external attacks. Including an encrypt = true line in your Infrastructure as Code (IaC) scripts protects data at rest, while invoking managed services such as AWS Certificate Manager can protect data in transit. Other best practices to follow include setting up the usual protection mechanisms against DDoS and common HTTP attacks, such as a web application firewall.

What Is IaC in DevSecOps?

In the context of infrastructure as code, DevOps entails close cooperation between developers and DevOps engineers as well as employing IaC as part of continuous deployment. “DevSecOps,” also coined the “shift-left approach,” is the integration of security aspects into DevOps. When it comes to IaC, DevSecOps means to integrate security right from the start of the project and to keep a tight grip on security at all times. It also means using the appropriate tools for your workload as well as automating security (sometimes called security as code).

DevSecOps Adoption: Integrating Security into the CI/CD Pipeline

DevSecOps is as much about the organizational culture (in particular, the free flow of information between diverse teams) as it is about technology. DevSecOps, as part of the DevOps world and where culture and technology converge, pushes for automation at all levels. IaC is a fundamental aspect of DevOps, as it seeks to automate entire deployments. The DevSecOps aspect of IaC is about automating security best practices and using the tools adapted to the specific workload in order to improve security.

Infrastructure-as-Code Security Tools

In reality, there are few security tools out there specifically designed to apply security best practices at the DevSecOps Infrastructure as Code level. Third-party security tools such as DataDog, Splunk, Jaeger, and others can be used outside the IaC scripts. And there are cloud-native security services that can be enabled from IaC scripts (such as Amazon GuardDuty, Amazon Macie, and Amazon Inspector).

Snyk IaC Security, however, is one of the few tools that has been designed from the ground up to help development and security teams work together to secure the company’s IaC code.

snyk infrastructure as code demo

Snyk IaC reduces risk by eliminating manual, error-prone code reviews. It fits seamlessly into developer workflows to reinforce secure IaC development practices, with:

  • Continuous testing and monitoring of code modules for misconfigurations and highlighting detected configuration issues directly in the code
  • Customizable built-in rules that embed security best practices throughout the application lifecycle
  • Curated security information so that developers can quickly fix issues and move on
  • Automatic code fixes when merging, ensuring that secure configurations are always upheld

Snyk Infrastructure as Code is an integral part of the Snyk platform that embeds and upholds security best practices across the entire cloud native application stack, including open source, containers, and Kubernetes—in addition to infrastructure as code.


With infrastructure as code sitting at the top of the orchestration layers, security is made more manageable and easier to maintain. While there are many solutions out there that can be enabled by IaC, only a mere few allow you to apply security best practices at the IaC level. Finding the right tools as well as staff training and education that fosters cooperation among teams is another crucial element. Apply security best practices to IaC code when using Terraform and Kubernetes. Register for free to secure your projects with Snyk.

Jim Armstrong
October 19, 2020
| By Jim Armstrong