
These Infrastructure-as-Code Benefits Are Your Cloud Security Opportunities

A look at the inherent benefits of infrastructure-as-code (IaC) frameworks like Terraform and CloudFormation to secure the infrastructure they provision.
Sep 28th, 2020 12:00pm by

Bridgecrew sponsored this post.

Guy Eisenkot
As co-founder and VP of Product at Bridgecrew, Guy Eisenkot is paving the way for developer-first cloud security. Guy is passionate about making infrastructure security consumable and accessible to the people who can have the biggest impact and has been instrumental in Bridgecrew’s success thus far. Based in Tel Aviv, Guy previously headed up products at both Fortscale and RSA Security and is a retired IDF Major.

As infrastructure-as-code (IaC) adoption rises and more companies come out of the woodwork to address IaC security, we often find ourselves discussing the challenges that come along with IaC.

IaC, similar to any other emerging technology, can introduce new ambiguities about where infrastructure is being provisioned, who owns it, and how it’s being governed. As we’ve learned, those complexities can result in security errors and misconfigurations that can eventually lead to real-world risk. Our goal as a security industry is to help teams mitigate those risks. But we also want to show teams that IaC isn’t just a source of risk, but also a huge opportunity to transform the way teams keep their infrastructure secure.

In this post, we’ll look at leveraging the inherent benefits of IaC frameworks such as Terraform and CloudFormation to secure the infrastructure they provision.


By transforming manual infrastructure configurations into machine-readable templates, IaC ensures that every compute, storage and networking service is deployed the exact same way every time. That consistency across resources and environments lets you provision resources faster and with less effort. It also helps maintain high-quality standards, security best practices, and compliance with industry benchmarks.

Codified infrastructure provides the foundation for automation and testing — both of which are crucial for DevSecOps. For today’s multicloud, multiframework teams, it’s unrealistic to expect every infrastructure engineer — or even your security engineers — to stay up to date on every single cloud security policy and best practice.

Implementing policy enforcement through programmatic IaC scanning paves the way for unprecedented depth in security coverage and minimizes the risk of human error. Being able to introduce that scanning into automated testing processes and build pipelines is another benefit of IaC. By enabling continuous feedback earlier in the development lifecycle, IaC can turn previously reactive cloud security efforts into proactive IaC security processes.
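To make the scanning step concrete, here is an added example (written for this post, not Bridgecrew's or any scanner's own code) of a minimal policy engine run over a constructed CloudFormation template: each policy is a function keyed by resource type, and the list of findings it returns is what a pipeline step would turn into a failed build. The template, resource names and policy IDs are all constructed for the example.

```python
import json

# Constructed sample CloudFormation template (not from the article): one
# compliant bucket, one public unencrypted bucket and an SSH-open security group.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead"}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}})

def check_s3_bucket(name, props):
    """Policies: ACL must be private and default encryption must be set."""
    findings = []
    if props.get("AccessControl", "Private") in ("PublicRead", "PublicReadWrite",
                                                  "AuthenticatedRead"):
        findings.append((name, "S3_PUBLIC_ACL", "bucket ACL is not private"))
    if "BucketEncryption" not in props:
        findings.append((name, "S3_NO_ENCRYPTION", "no default SSE configured"))
    return findings

def check_security_group(name, props):
    """Policy: SSH (tcp/22) must not be reachable from the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        all_ports = str(rule.get("IpProtocol")) == "-1"   # "-1" means every protocol/port
        covers_ssh = int(rule.get("FromPort", 0)) <= 22 <= int(rule.get("ToPort", 65535))
        if world and (all_ports or covers_ssh):
            findings.append((name, "SG_SSH_OPEN", "port 22 open to 0.0.0.0/0 or ::/0"))
    return findings

CHECKS = {"AWS::S3::Bucket": check_s3_bucket, "AWS::EC2::SecurityGroup": check_security_group}

def scan_template(template_text):
    """Return (resource, policy_id, message) for every policy a resource fails."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings
```

Wired into CI, the step exits non-zero whenever `scan_template` returns a non-empty list, so the misconfiguration is reported on the pull request instead of after deployment.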

Cost and Time Savings

In addition to improving consistency, IaC makes it easier to apply configuration across a rapidly growing number of resources and environments, allowing engineers to spend less time doing repetitive, manual work. With IaC, it’s also much easier to de-provision infrastructure when it’s not in use, decreasing overall computing costs and maintenance expenses.

Those time and cost-savings benefits also apply to IaC security.

Without IaC, cloud security typically happens outside of the development lifecycle, where cloud security solutions monitor already-deployed resources for errors. When issues are surfaced, they get prioritized against new features and customer requests and are then scheduled alongside other bug fixes. That might not be so bad if you’re fixing a handful of issues for an upcoming SOC2 audit. But for teams with large cloud environments and a CSPM, we’re probably talking hundreds — if not thousands — of misconfigurations that need to be addressed.

Although we know how important that feedback and visibility are, we also know how expensive and time-consuming remediations can be for engineering. By shifting cloud provisioning left, IaC can also shift cloud visibility and security left. Addressing errors before they’re deployed saves you time chasing down bugs in production. Fixing issues earlier in the development cycle also means less context switching and frustration for engineers.

Collaboration Between Security and DevOps

When cloud security is shifted left, it also becomes more accessible to engineering and DevOps teams. With IaC, security is becoming more and more of a software challenge. To maintain a strong cloud security posture over time as new infrastructure is provisioned, new features are built and new technologies are adopted, security needs to be a collaborative effort.

IaC encourages collaboration between developers and operators by introducing a common language. By moving infrastructure governance into a centralized place and transforming one-off configuration into repeatable components, IaC helps keep everyone on the same page. IaC also introduces a single source of truth across cloud providers, compliance benchmarks, and security best practices.

It also supports customizability, which is crucial for teams working with infrastructure across disciplines. Each workflow will have different requirements and goals, and each team should be able to govern those workflows on their own.

At this point, it’s clear that IaC adoption is inevitable. Although we’re still figuring out how to fully embrace IaC to keep our infrastructure secure, it’s clear that it presents both opportunities and challenges. Understanding its risks is important, but embracing its benefits is the key to successful cloud DevSecOps.
