
Offensive360 Academy · Intermediate · 20 min

Infrastructure-as-Code Security

Learn how open S3 buckets, unrestricted security groups, and hardcoded passwords in Terraform create cloud breaches.

1 IaC Security Misconfigurations

Infrastructure-as-Code (Terraform, CloudFormation, Pulumi) defines cloud resources in code. Security misconfigurations in IaC are deployed at scale and often persist undetected.

Open S3 bucket (Terraform):

resource "aws_s3_bucket" "data" {
  bucket = "company-sensitive-data"
}

resource "aws_s3_bucket_acl" "data_acl" {
  bucket = aws_s3_bucket.data.id
  acl    = "public-read"  # DANGEROUS: anyone can read all objects!
}

Unrestricted security group:

resource "aws_security_group" "database" {
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # PostgreSQL open to entire internet!
  }
}

Hardcoded password in IaC:

resource "aws_db_instance" "main" {
  password = "my-db-password"  # Committed to git in plain text!
}

2 IaC Security Scanning and Best Practices

Scan IaC files before deployment to catch misconfigurations early, and use proper variable references for secrets.

Secure Terraform patterns:

# Secure S3 bucket
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Restricted security group
resource "aws_security_group" "database" {
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]  # App tier only!
  }
}

# Secrets from SSM Parameter Store
data "aws_ssm_parameter" "db_password" {
  name = "/prod/db/password"
}

resource "aws_db_instance" "main" {
  password = data.aws_ssm_parameter.db_password.value  # Still written to Terraform state: encrypt the state backend and restrict who can read it
}

IaC scanning tools:

  • Checkov: Open-source, supports Terraform, CloudFormation, Kubernetes
  • tfsec: Terraform-specific, fast static analysis
  • Snyk IaC: Commercial with free tier
  • AWS Config / Security Hub: Runtime compliance checking
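As an added example (not code from the Offensive360 lesson or from any of the tools listed above), the following Python script implements the kind of pre-deployment check those scanners perform, reduced to the three misconfigurations from section 1: it parses the flat HCL subset used on this page and reports a public-read bucket ACL that has no matching public access block, an ingress rule open to 0.0.0.0/0 or ::/0, and a database password written as a quoted literal instead of a reference. The two sample inputs are constructed from the lesson's own snippets (the fixed sample covers the bucket and secret remediations); the parser is deliberately minimal and is not a substitute for Checkov or tfsec.

```python
"""Minimal static scanner for the three IaC misconfigurations in this lesson (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: the lesson's three risky resources, condensed.
RISKY_TF = '''
resource "aws_s3_bucket_acl" "data_acl" {
  bucket = aws_s3_bucket.data.id
  acl    = "public-read"
}
resource "aws_security_group" "database" {
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_db_instance" "main" {
  password = "my-db-password"
}
'''

# Constructed input: the lesson's secure counterparts for the bucket and the secret.
FIXED_TF = '''
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
resource "aws_db_instance" "main" {
  password = data.aws_ssm_parameter.db_password.value
}
'''

@dataclass
class Block:
    kind: str            # "resource", "data", or a nested block name such as "ingress"
    labels: tuple        # ("aws_db_instance", "main") for top-level blocks, () when nested
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

def _value(raw):
    """Convert the right-hand side of `key = value` into a Python value."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [_value(p) for p in raw[1:-1].split(",") if p.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]                 # quoted literal: this is what the secret check looks for
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return ("ref", raw)                  # unquoted expression such as var.x or data.y.value

def parse_hcl(text):
    """Parse labelled blocks, nested blocks and `key = value` lines into a Block tree."""
    root = Block("root", ())
    stack = [root]
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments (no '#' inside strings here)
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            blk = Block(line.split()[0], tuple(re.findall(r'"([^"]*)"', line)))
            stack[-1].children.append(blk)
            stack.append(blk)
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1].attrs[key.strip()] = _value(val)
    return root

def scan(text):
    """Return (resource_address, rule_id, detail) tuples for each misconfiguration found."""
    resources = [b for b in parse_hcl(text).children if b.kind == "resource"]
    # Buckets covered by a complete public access block: AWS then rejects public ACL grants.
    shielded = {b.attrs.get("bucket") for b in resources
                if b.labels[0] == "aws_s3_bucket_public_access_block"
                and all(b.attrs.get(k) is True for k in ("block_public_acls", "block_public_policy",
                                                          "ignore_public_acls", "restrict_public_buckets"))}
    findings = []
    for r in resources:
        addr = ".".join(r.labels)
        if (r.labels[0] == "aws_s3_bucket_acl" and r.attrs.get("acl") in ("public-read", "public-read-write")
                and r.attrs.get("bucket") not in shielded):
            findings.append((addr, "S3_PUBLIC_ACL", f"acl = {r.attrs['acl']!r} without a public access block"))
        if r.labels[0] == "aws_security_group":
            for ing in (c for c in r.children if c.kind == "ingress"):
                wide = [c for c in ing.attrs.get("cidr_blocks", []) if c in ("0.0.0.0/0", "::/0")]
                if wide:
                    findings.append((addr, "SG_OPEN_INGRESS", f"port {ing.attrs.get('from_port')} open to {wide}"))
        if r.labels[0] == "aws_db_instance" and isinstance(r.attrs.get("password"), str):
            findings.append((addr, "HARDCODED_SECRET", "password is a quoted literal; reference SSM/Secrets Manager"))
    return findings

if __name__ == "__main__":
    for label, text in (("risky", RISKY_TF), ("fixed", FIXED_TF)):
        print(label, scan(text))
```

Running the script reports three findings for the risky sample and none for the fixed one. The secret rule relies on the literal-versus-reference distinction the parser preserves: a value read from `data.aws_ssm_parameter` or `var.*` is a reference and passes, while any quoted string assigned to `password` is flagged regardless of its content, which is the behaviour you want in a CI gate.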

Knowledge Check

Q1

Why are IaC security misconfigurations particularly dangerous compared to application code bugs?

Q2

What is the correct way to provide database passwords in Terraform without hardcoding them?

Q3

When should IaC security scanning ideally occur?

Code Exercise

Block Public S3 Bucket Access

The Terraform config creates an S3 bucket with public-read ACL. Add public access block configuration to prevent any public access.
