Improve your security posture by implementing Infrastructure as Code
Updated: Oct 26, 2022
Creating and operating infrastructure in the public cloud is an API call away. Every request to create a service goes through the provider's Application Programming Interface (API). Whether you click through the Web Console or type a command in the CLI (command line interface), you get the same service, because both front ends call the very same API.
Let’s review an example - we need to create a simple solution based on these components:
One way to implement the solution is to create each resource by clicking through the Web Console. This approach has some disadvantages - it is not easily repeatable, it is hard to audit, and it is error-prone.
Infrastructure as Code (IaC) is a term that has been used to describe the process of managing and provisioning computing infrastructure (e.g. servers, storage, networks) through machine-readable definition files or scripts.
Automating resource provisioning has multiple advantages:
Security - your team can review the infrastructure and the changes before any services are created or modified!
Auditability and Traceability - the code that manages the resources can be kept in a version control system such as Git, which gives full traceability and an audit log. You can always check who changed what and when.
Repeatability and Consistency - the very same code can be reused to create multiple environments (Dev/Stage/Prod), and they will all be consistent.
Documented - the code is the documentation of the infrastructure, which makes onboarding new team members easier.
Part of the CI/CD Process - Infrastructure deployment can be integrated with the application deployment to create holistic deployments.
Cost-Efficient - the infrastructure changes can be reviewed, even by automated systems, to show how much the resources are going to cost before they are created!
Two of the most widely adopted tools to implement the Infrastructure as Code (IaC) approach on AWS are Terraform and CloudFormation. Both support create, update and delete operations, and both manage the dependencies between resources. Looking at the example above, the tool knows to create the networking layer first, and only then the database and the compute resources that depend on it.
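To make that dependency handling concrete, here is an added example (illustration code written for this article, not Terraform or CloudFormation internals). It derives a creation order from a small CloudFormation-style template constructed inline: references through Ref, Fn::GetAtt and DependsOn become graph edges, resources with no unmet dependencies are created in waves, and a cycle or a DependsOn on a non-existent resource is rejected, as a real tool would do before touching the cloud. The logical IDs (AppVpc, AppSubnet, AppDatabase, AppInstance, LogsBucket) are made up for the example.

```python
"""Added example: how an IaC tool derives resource creation order from a template.
Illustration code for this article, not Terraform or CloudFormation code."""

# Constructed sample template: a networking layer, a database that lives in the
# subnet, an instance that needs the database endpoint, and an independent bucket.
TEMPLATE = {
    "Resources": {
        "AppInstance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "SubnetId": {"Ref": "AppSubnet"},
                "UserData": {"Fn::GetAtt": ["AppDatabase", "Endpoint.Address"]},
            },
        },
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "DependsOn": "AppSubnet",
            "Properties": {"DBSubnetGroupName": "app-db-subnets"},
        },
        "AppSubnet": {
            "Type": "AWS::EC2::Subnet",
            "Properties": {"VpcId": {"Ref": "AppVpc"}, "AvailabilityZone": {"Ref": "AWS::Region"}},
        },
        "AppVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def referenced_resources(node, resource_names):
    """Walk a nested property tree and collect the logical IDs referenced through
    Ref or Fn::GetAtt. Pseudo-parameters such as AWS::Region are not resources
    and are ignored."""
    found = set()
    if isinstance(node, dict):
        if "Ref" in node and node["Ref"] in resource_names:
            found.add(node["Ref"])
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            # GetAtt is either a list [LogicalId, Attribute] or a "LogicalId.Attribute" string
            logical_id = target[0] if isinstance(target, list) else str(target).split(".", 1)[0]
            if logical_id in resource_names:
                found.add(logical_id)
        for value in node.values():
            found |= referenced_resources(value, resource_names)
    elif isinstance(node, list):
        for value in node:
            found |= referenced_resources(value, resource_names)
    return found


def dependency_graph(template):
    """Map each logical ID to the set of logical IDs it must wait for."""
    resources = template["Resources"]
    names = set(resources)
    graph = {}
    for name, body in resources.items():
        deps = referenced_resources(body.get("Properties", {}), names)
        explicit = body.get("DependsOn", [])
        explicit = [explicit] if isinstance(explicit, str) else list(explicit)
        unknown = set(explicit) - names
        if unknown:
            raise ValueError(f"{name} DependsOn unknown resource(s): {sorted(unknown)}")
        graph[name] = deps | set(explicit)
    return graph


def creation_waves(template):
    """Kahn's algorithm: each wave holds the resources whose dependencies are all
    created already, so everything in one wave can be provisioned in parallel.
    Raises ValueError on a cycle, which a real IaC tool also refuses to deploy."""
    remaining = {name: set(deps) for name, deps in dependency_graph(template).items()}
    waves = []
    while remaining:
        ready = sorted(name for name, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        waves.append(ready)
        for name in ready:
            del remaining[name]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


def creation_order(template):
    return [name for wave in creation_waves(template) for name in wave]


def deletion_order(template):
    """Deletion is the reverse: dependents go first."""
    return list(reversed(creation_order(template)))


def has_cycle(template):
    try:
        creation_waves(template)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for i, wave in enumerate(creation_waves(TEMPLATE), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("delete:", " -> ".join(deletion_order(TEMPLATE)))
```

The waves are what a Terraform graph walk or a CloudFormation stack creation does implicitly: the VPC and the bucket go first because nothing in the template has to exist before them, and the instance goes last because it references both the subnet and the database. Deleting a stack replays the same graph backwards.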
Terraform is an open-source infrastructure as code software tool that enables you to safely and predictably create, change, and improve infrastructure.
AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion.
Improving the Security Posture
By shifting security to the “left” in the deployment pipeline we can automatically scan our infrastructure code for misconfigurations and policy violations before anything is deployed.
Scanning tools report warnings based on a predefined security rule set, and the pipeline can be configured to fail on a finding, so the fix happens in the pull request rather than in production.
Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed. Checkov uses a common command line interface to manage and analyze infrastructure as code (IaC) scan results across platforms such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework.
AWS CloudFormation Guard is an open-source tool that helps validate your AWS CloudFormation templates against a rule set to keep AWS resources in compliance with company guidelines.
Snyk Infrastructure as Code (Snyk IaC) embeds secure development practices throughout the infrastructure lifecycle, giving developers the visibility and expertise to proactively remediate security issues.
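The following added example shows the kind of pre-deployment check these scanners perform. It is illustration code written for this article, not Checkov, CloudFormation Guard or Snyk IaC code, and the rule ids (S3_ENCRYPTION, SG_NO_WORLD_ADMIN and so on) are made up for the example rather than any tool's identifiers. It evaluates a small rule set against a constructed CloudFormation-style template that deliberately carries an unencrypted public bucket, SSH open to the whole internet and a publicly reachable database, then runs the same rules against the hardened version of the same resources, and turns the findings into the exit code a CI gate would use.

```python
"""Added example: the kind of pre-deployment policy check that IaC scanners run.
Illustration code for this article, not any scanner's code; rule ids are local."""
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the whole internet

# Constructed template with deliberate misconfigurations for the rules to catch.
INSECURE_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead"}},  # and no BucketEncryption
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"Engine": "postgres", "PubliclyAccessible": True}},
}}

# The same resources with the settings the rules expect: encrypted private bucket,
# SSH only from the internal range, database not publicly reachable.
HARDENED_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"Engine": "postgres", "PubliclyAccessible": False}},
}}


def check_s3_encryption(props):
    if "BucketEncryption" not in props:
        return "no server-side encryption configured"


def check_s3_public_acl(props):
    acl = props.get("AccessControl", "Private")
    if acl.startswith("Public"):
        return f"public ACL {acl}"


def check_sg_world_open_admin(props):
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        # A /0 prefix is the whole internet, in either address family
        if not cidr or ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"ingress from {cidr} reaches admin port(s) in {lo}-{hi}"


def check_rds_not_public(props):
    if props.get("PubliclyAccessible") is True:
        return "database instance is publicly accessible"


# Rule set: (rule id, resource type it applies to, check function). The ids are
# made up for this example and are not Checkov, Guard or Snyk identifiers.
RULES = [
    ("S3_ENCRYPTION", "AWS::S3::Bucket", check_s3_encryption),
    ("S3_NO_PUBLIC_ACL", "AWS::S3::Bucket", check_s3_public_acl),
    ("SG_NO_WORLD_ADMIN", "AWS::EC2::SecurityGroup", check_sg_world_open_admin),
    ("RDS_NOT_PUBLIC", "AWS::RDS::DBInstance", check_rds_not_public),
]


def scan(template, rules=RULES, skip=()):
    """Return (rule_id, logical_id, message) for every failed check. `skip` lists
    rule ids suppressed on purpose, the way scanners allow a justified inline skip."""
    findings = []
    for name, body in template.get("Resources", {}).items():
        props = body.get("Properties", {})
        for rule_id, rtype, check in rules:
            if body.get("Type") != rtype or rule_id in skip:
                continue
            message = check(props)
            if message:
                findings.append((rule_id, name, message))
    return findings


def exit_code(findings, soft_fail=False):
    """CI gate semantics: a non-zero exit blocks the merge unless soft-fail is requested."""
    return 0 if soft_fail or not findings else 1


if __name__ == "__main__":
    for rule_id, name, message in scan(INSECURE_TEMPLATE):
        print(f"FAILED {rule_id} on {name}: {message}")
    print("hardened template findings:", scan(HARDENED_TEMPLATE))
```

Two design points carry over to the real tools. The security-group rule tests the prefix length rather than comparing strings, so `::/0` is caught as well as `0.0.0.0/0`, and a rule for `IpProtocol: -1` (all traffic) is flagged even though it names no ports. Suppressions are explicit per rule id, which is the pattern to insist on in review: a skip should name the check and carry a reason, never disable the scanner wholesale.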
Improving the cost efficiency
By scanning our infrastructure code with a cost tool we gain visibility into the cost impact of a change before it is applied.
Infracost - cloud cost estimates for Terraform in pull requests; it shows the cloud cost of each infrastructure change in CI/CD.
Infrastructure as Code is a way of building and managing infrastructure in an automated way. It helps with meeting compliance standards and with being proactive about security.
It is also a great way to manage the growth of your infrastructure.