Implementing Secure Infrastructure as Code (IaC) Practices
Ensuring security is integrated into infrastructure provisioning through code-based configurations.
Rule Content
---
description: Enforce secure Infrastructure as Code (IaC) practices to prevent unsafe code, exposure of secrets, and insecure configurations.
globs: **/*.tf, **/*.yaml, **/*.yml, **/*.json
tags: [security, infrastructure-as-code, IaC]
priority: 1
version: 1.0.0
---

# Implementing Secure Infrastructure as Code (IaC) Practices

## Context

- Applies to all Infrastructure as Code (IaC) configurations, including Terraform, CloudFormation, and Kubernetes manifests.
- Ensures security is integrated into infrastructure provisioning through code-based configurations.

## Requirements

- **Avoid Hardcoding Sensitive Information**: Do not hardcode sensitive data such as passwords, API keys, or secrets in IaC files. Use secure methods like environment variables or secret management tools (e.g., AWS Secrets Manager, Azure Key Vault).
- **Implement Least Privilege Access**: Define access controls and permissions following the principle of least privilege. Ensure that IAM roles, policies, and security groups grant only the permissions required for the resource's function.
- **Enable Encryption for Data at Rest and in Transit**: Configure resources to encrypt data at rest and in transit. For example, enable encryption for storage services (e.g., S3 buckets, Azure Storage) and enforce HTTPS for web services.
- **Use Secure Defaults and Configurations**: Set secure default configurations for all resources. For instance, disable public access to storage buckets and databases unless explicitly required.
- **Regularly Update and Patch Resources**: Ensure that all resources use the latest versions and patches to mitigate known vulnerabilities. Regularly review and update IaC configurations to incorporate security updates.
- **Implement Logging and Monitoring**: Configure comprehensive logging and monitoring for all resources to detect and respond to security incidents promptly. Use cloud-native monitoring services and set up alerts for suspicious activity.

## Examples

<example>
```hcl
# Secure S3 bucket configuration in Terraform
resource "aws_s3_bucket" "secure_bucket" {
  bucket = "my-secure-bucket"

  # Disable public access
  acl = "private"

  # Enable server-side encryption
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  # Enable versioning
  versioning {
    enabled = true
  }

  # Enable logging
  logging {
    target_bucket = "my-log-bucket"
    target_prefix = "log/"
  }
}
```
</example>

<example type="invalid">
```hcl
# Insecure S3 bucket configuration in Terraform
resource "aws_s3_bucket" "insecure_bucket" {
  bucket = "my-insecure-bucket"

  # Public access enabled
  acl = "public-read"

  # No encryption
  # No versioning
  # No logging
}
```
</example>
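The requirements above are the kind of thing a pre-commit or CI check should enforce mechanically rather than by review alone. The following is an added example, not part of this rule and not a tool the rule refers to: a small hypothetical Python checker that scans Terraform HCL for the hardcoded-secret, public-ACL, encryption, versioning and logging rules, and runs it over the rule's two S3 examples plus a constructed `aws_db_instance` with a literal password. It uses a regex and brace-matching scan rather than a real HCL parser, so it is a demonstration of the checks, not a replacement for a production scanner; the `Finding` type, rule ids and sample inputs are all assumptions made for this example.

```python
"""Hypothetical mini-checker for a few of the IaC requirements above.

Regex/brace-based scan of Terraform HCL (not a full HCL parser). The rule
ids, Finding type and sample inputs are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str  # "<type>.<name>" of the resource the finding is about
    rule: str      # short rule id, constructed for this example
    message: str


RESOURCE_HEADER = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
# Attribute names whose quoted literal values look like embedded credentials.
SECRET_ATTR = re.compile(
    r'(?im)^\s*(password|secret|api_key|access_key|secret_key|token)\s*=\s*"([^"]+)"'
)
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _strip_comments(text: str) -> str:
    """Drop '#' line comments so comment text never satisfies a check."""
    return re.sub(r"#[^\n]*", "", text)


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def iter_resources(text: str):
    """Yield (type, name, body) for each top-level resource block."""
    for m in RESOURCE_HEADER.finditer(text):
        yield m.group(1), m.group(2), _block_body(text, m.end() - 1)


def check_secrets(resource: str, body: str) -> list[Finding]:
    """Flag quoted literals assigned to credential-like attributes."""
    findings = []
    for m in SECRET_ATTR.finditer(body):
        if m.group(2).startswith("${"):  # interpolation such as "${var.db_password}"
            continue
        findings.append(Finding(resource, "HARDCODED_SECRET",
                                f"literal value assigned to {m.group(1)}"))
    return findings


def check_s3_bucket(resource: str, body: str) -> list[Finding]:
    """Apply the public-access, encryption, versioning and logging rules to one bucket."""
    findings = []
    acl = re.search(r'\bacl\s*=\s*"([^"]+)"', body)
    if acl and acl.group(1) in PUBLIC_ACLS:
        findings.append(Finding(resource, "S3_PUBLIC_ACL", f'acl "{acl.group(1)}" exposes the bucket'))
    if not re.search(r"\bserver_side_encryption_configuration\s*\{", body):
        findings.append(Finding(resource, "S3_NO_ENCRYPTION", "no server-side encryption configured"))
    ver = re.search(r"\bversioning\s*\{([^}]*)\}", body)
    if not ver or not re.search(r"\benabled\s*=\s*true\b", ver.group(1)):
        findings.append(Finding(resource, "S3_NO_VERSIONING", "versioning not enabled"))
    if not re.search(r"\blogging\s*\{", body):
        findings.append(Finding(resource, "S3_NO_LOGGING", "no access logging configured"))
    return findings


def scan(hcl_text: str) -> list[Finding]:
    """Run every applicable check over each resource in the given HCL text."""
    findings = []
    for rtype, name, body in iter_resources(_strip_comments(hcl_text)):
        resource = f"{rtype}.{name}"
        findings.extend(check_secrets(resource, body))
        if rtype == "aws_s3_bucket":
            findings.extend(check_s3_bucket(resource, body))
    return findings


# Constructed sample inputs: the rule's two S3 examples and a DB instance pair.
SECURE_BUCKET_HCL = """
resource "aws_s3_bucket" "secure_bucket" {
  bucket = "my-secure-bucket"
  acl = "private"
  server_side_encryption_configuration {
    rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
  }
  versioning { enabled = true }
  logging { target_bucket = "my-log-bucket" target_prefix = "log/" }
}
"""
INSECURE_BUCKET_HCL = """
resource "aws_s3_bucket" "insecure_bucket" {
  bucket = "my-insecure-bucket"
  acl = "public-read"   # No encryption, no versioning, no logging
}
"""
DB_HCL = """
resource "aws_db_instance" "app_db" {
  engine   = "postgres"
  username = "app"
  password = "Sup3rS3cret!"   # constructed literal credential
}
resource "aws_db_instance" "app_db_ok" {
  engine   = "postgres"
  username = "app"
  password = "${var.db_password}"
}
"""

if __name__ == "__main__":
    for label, text in [("secure", SECURE_BUCKET_HCL), ("insecure", INSECURE_BUCKET_HCL), ("db", DB_HCL)]:
        for f in scan(text):
            print(f"[{label}] {f.resource}: {f.rule}: {f.message}")
```

Running the module prints nothing for the secure bucket, four findings for the insecure one and a single `HARDCODED_SECRET` for `aws_db_instance.app_db`; the `"${var.db_password}"` reference is accepted because it resolves at plan time rather than living in the file. In a real pipeline the same shape of check belongs in an established scanner, with the findings gating the merge.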