Skip to main content

Infrastructure Policy as Code

Enforcing security and compliance on Terraform and Kubernetes manifests before changes reach production.


Infrastructure Policy as Code

Why IaC scanning matters

Misconfigured S3 buckets, open security groups, and privileged pods are leading cloud breach vectors. Scanning at terraform plan time prevents drift before apply.

Tooling comparison

ToolStrength
CheckovBroad Terraform/CloudFormation/K8s rules
TerrascanPolicy-as-code with custom Rego
tfsecFast Terraform-focused checks
OPA / ConftestCustom organizational policies

Example policies

# Deny public S3 ACLs (conceptual OPA) deny[msg] { resource := input.resource.aws_s3_bucket[name] resource.acl == "public-read" msg := sprintf("S3 bucket %s must not be public", [name]) }

CI integration

terraform plan -out=plan.tfplan terraform show -json plan.tfplan > plan.json checkov -f plan.json --framework terraform --soft-fail-on MEDIUM

CIS alignment

Map policies to CIS AWS/Azure/GCP benchmarks for audit readiness. Tag each rule with control ID in policy documentation.

Operating model

  • Platform team maintains golden policies
  • Service teams request exceptions via ticket with expiry
  • Monthly report: top violated rules → training or guardrail automation