How to adopt infrastructure as code with a secure-by-default strategy


    Since its inception, infrastructure as code (IaC) has transformed how application infrastructure is provisioned and configured. IaC allows you to easily manage, configure, update, secure, and scale your infrastructure via imperative or declarative configuration files. When built into your cloud strategy, IaC addresses notorious cloud challenges like scalability, availability, and consistency.

    Unfortunately, overlooking security considerations when first adopting IaC is all too common. Whether porting brownfield apps or building greenfield apps with IaC, it’s important to apply traditional security best practices to IaC. A reactive approach to security introduces complexity and friction that could be avoided by integrating security into your IaC strategy from day one.

    In this post, we’ll review what happens when you don’t proactively address IaC security and provide guidance to get you started as you build your security-first IaC strategy.

    Common problems with overlooking security as you build your IaC strategy

    Infrastructure as code provides a wide range of benefits and opportunities for development and DevOps teams, but ignoring security while building an IaC strategy can lead to misaligned security feedback and gaps down the line. When teams have to shore up their cloud infrastructure security after they’ve already embedded IaC in their workflows, there are a few common challenges they face:

    The misconfiguration snowball effect

    The IaC misconfiguration snowball effect can be a major pain point for teams that adopt IaC without building in security. IaC allows you to quickly deploy multiple environments at scale, but that also means that a single misconfiguration in your IaC codebase pre-deployment can result in your team fielding thousands of identical alerts across your replicated environments down the line.

    To mitigate the snowball effect, you have to identify and address issues at the source. Whether you surface feedback during development or build-time, stopping misconfigurations early will dramatically reduce the amount of time your team spends triaging and addressing misconfigurations.

    Cloud infrastructure drift

    When teams adopt IaC but ignore the GitOps best practice of honoring their configuration files as the single source of truth, they run the risk of introducing cloud infrastructure drift. Cloud drift occurs when the configuration of infrastructure in your runtime environment does not perfectly match the configuration of infrastructure in your build-time environment. Drift most often happens when someone on the Ops team makes a change to a running cloud resource out of band from the IaC file that was originally used to provision it.

    Drift reduces your team’s visibility into your resources and negates many of the benefits of IaC. It can also make it more challenging to identify misconfigurations. While the best approach is to maintain GitOps best practices and make all changes within IaC, it’s still important to have code to cloud visibility for when drift does inevitably happen.

    Overlooking open-source IaC components

    Many teams don’t account for the fact that much of their IaC uses open-source code components. While open-source code simplifies and expedites the IaC adoption process, these code components most likely have misconfigurations. For example, our research indicates that about half of open-source Terraform templates contain misconfigurations.

    Without a security-first approach to IaC, those misconfigurations are easy to miss and get deployed to production, becoming alerts for your security team to triage or, worse, weaknesses that bad actors can exploit. By embedding IaC security scanning into your tools and workflows, you can ensure that misconfigurations are identified and remediated before they are ever deployed into runtime environments.

    How to build a security-first IaC strategy

    Now that we’ve covered some common challenges when infrastructure as code security is overlooked, let’s talk about how you actually go about adopting a secure-by-default IaC strategy. These practices will help you build a top-notch IaC strategy that keeps cloud infrastructure security top of mind:

    Rely solely on your configuration files for information about your infrastructure

    It’s a best practice to maintain all specifications of your infrastructure in configuration files only with no additional documentation needed. This way, your configuration files constitute your entire infrastructure and can be referenced quickly to identify any security concerns.

    Employ version control

    Keep all your configuration files under source control using a tool like GitHub or GitLab. Version control gives you greater visibility into your cloud environment by providing information about changes to your configuration files, like which developer introduced a misconfiguration when they merged a specific pull request. Version control also allows you to quickly roll back to previous versions of files if any security concerns are identified.

    Maintain GitOps to establish parity and clarity

    Making your Git repository the single source of truth for all your cloud resources in your runtime environment is crucial when leveraging IaC. While drift is not a security concern in and of itself, it can present security gaps and challenges identifying misconfigurations.

    For example, if your team is fixing cloud misconfigurations in runtime rather than at the source, the secure configuration will be overwritten whenever someone on your team reapplies the IaC.

    Take advantage of all the IaC automation tools available

    IaC is code, and therefore it should be tested just like any other code. IaC is what enables shift-left security or DevSecOps for infrastructure, so capitalize on that opportunity!

    With IaC linters and security scanners, you’ll be able to validate that IaC is functional and secure before it’s deployed. Many tools, such as our own open-source security scanner, Checkov, exist as CLIs or IDE plugins, allowing for feedback as you’re writing and editing IaC. SaaS platforms such as Bridgecrew also provide native integrations with your VCS provider to make IaC feedback collaborative and in sync with your version control.

    Whether you’re using open-source tools or SaaS platforms, it’s a best practice to add multiple checkpoints across the development lifecycle—from code and commit to build and deploy. This is especially important for IaC because while addressing issues as early as possible is cheaper and faster, you gain more representation of resources the closer they are to their runtime state.


    Leveraging automation within IaC will reduce the number of runtime errors and alerts, thus minimizing time spent on repetitive security tasks.

    Implement a tagging strategy for code to cloud security traceability

    Consistently tagging resources is essential if you want to properly document and manage your cloud resources. However, manual tagging quickly becomes impossible as your cloud scales up. This is where automated tagging and tracing of your IaC comes in.

    Using an automated IaC tag rule manager like Yor enables you to centralize your tagging management and consistently apply tags across your repositories and organizations. With a consistent tagging strategy, you can quickly identify the files and lines of code that caused a runtime misconfiguration, locate where else those misconfigurations exist in your runtime environment and identify the developer on your team who last edited the code and can remediate the issue.

    Set up your CI/CD pipeline with security in mind

    CI/CD pipelines are vital for compiling, validating, and provisioning IaC. They provide an opportunity to embed security guardrails before IaC is deployed, but when not hardened, they also give bad actors a vector to gain privileged access.

    Keeping your CI/CD pipeline secure requires consistent auditing and maintenance of all owned and third-party CI/CD elements. Additionally, enforcing least privileged roles and permissions is crucial to minimize unauthorized access and avoid malicious code injection into your pipeline. You can also leverage IaC to create a known safe environment for each development and test lifecycle iteration.

    Determine how to store your secrets securely

    Having credentials readily at hand for the right people at the right time is vital to agile development, but storing them in the wrong place can give bad actors the keys to your critical infrastructure and sensitive data. Make sure you’re using a vault system for secrets encryption. Vaults will embed secrets into environment variables in your runtime environment and will require authentication methods to access those secrets. When you enable multi-factor authentication and other secure authorization measures, you’ll ensure that there are multiple layers of security protecting your secrets.

    Even if you only use vaults to encrypt your secrets, sometimes mistakes happen, and a developer embeds credentials in code. Because bad actors can easily steal these secrets by inspecting your code, you’ll want to scan your IaC templates for secrets in addition to using a secrets vault.

    Adopting IaC can be an exciting time as you take advantage of all the different automation and optimization capabilities IaC offers. IaC also presents an opportunity to scale your cloud environments without compromising security but requires a strategic plan that is secure by default from the start. As you get ready to expand your IaC security adoption, check out this process for building an IaC security and governance program for inspiration.

    Get similar stories in your inbox weekly, for free

    Share this story:

    Bridgecrew is the cloud security platform for developers. By leveraging automation and delivering security-as-code, Bridgecrew empowers teams to find, fix, and prevent misconfigurations in deployed cloud resources and in infrastructure as code.


    Latest stories

    How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

    We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

    AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

    In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

    A Review of Zoho ManageEngine

    Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

    Should I learn Java in 2023? A Practical Guide

    Java is one of the most widely used programming languages in the world. It has …

    The fastest way to ramp up on DevOps

    You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

    Why You Need a Blockchain Node Provider

    In this article, we briefly cover the concept of blockchain nodes provider and explain why …

    Top 5 Virtual desktop Provides in 2022

    Here are the top 5 virtual desktop providers who offer a range of benefits such …