Infrastructure as Code (IaC) Security

Identify and fix misconfigurations in Terraform, CloudFormation, ARM, Kubernetes, and other IaC templates

Request a trial

Infrastructure as Code (IaC) Security Front

Infrastructure as Code (IaC) Security Back

WHY IT MATTERS
OUR APPROACH
MODULES
RESOURCES

Infrastructure as Code (IaC) enables engineers to version control, deploy, and improve cloud infrastructure while leveraging DevOps processes. This also presents an opportunity to proactively improve the posture of cloud infrastructure and reduce the burden on security and operations teams.

Read about Unit 42’s latest research on the state of infrastructure as code security

Download the report

Cloud native infrastructure is evolving

For the sake of agility, businesses are adopting new cloud native design patterns and cloud services, including infrastructure as code. Without cloud native security that understands these new technologies, the rapid adoption creates higher levels of risk. Securing these new technologies without adding developer friction is essential to improving cloud security posture.

DevOps moves fast

DevOps change rates are measured in days, not months, enabled by agile methodologies with CI/CD processes and tools that maximize automation. If security isn’t embedded in these processes and tools, it gets left behind and breaks the release cycle. This doesn’t work in dynamic environments.

Reactive security doesn’t scale

Waterfall review cycles break agile workflows and force developers to context switch. Meanwhile, only addressing issues in runtime leads to overwhelmed security teams. Early feedback fixes the problem at the source, freeing up both development and security teams.

Automated Infrastructure as Code security

Prisma Cloud, powered by Bridgecrew, scans IaC templates for misconfigurations across the development lifecycle, embedding security in integrated development environments, continuous integration tools, repositories and runtime environments. Prisma Cloud enforces policy-as-code early through automation, preventing deploying misconfigurations and providing automated fixes and Smart Fixes.

Continuous governance to enforce policies in code
Embedded in DevOps workflows and tooling
Automated misconfiguration fixes via pull requests

Backed by the community
Developer-friendly integrations
Automated fixes
Built-in guardrails
Compliance benchmarks

The Prisma Cloud Solution

Our approach to IaC security

Backed by the community

Prisma Cloud IaC security is built on the open source project Checkov. Checkov is a policy-as-code tool with millions of downloads that checks for misconfigurations in IaC templates such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework. Users can leverage hundreds of out-of-the-box policies and add custom rules. Prisma Cloud augments Checkov with simplified user experience and enterprise features.

Check for policy misconfigurations

Checkov checks IaC templates against hundreds of out of the box policies based on benchmarks, such as CIS, HIPAA, PCI, and community sourced checks.
Leverage context aware policies

Checkov’s policies include graph-based checks that allow multiple levels of resource relationships for complex policies such as higher severity levels for internet facing resources.
Extend capabilities and integrations

Checkov is designed to be extensible, with the ability to add custom policies and tags, as well as CLIs designed to be added to continuous integration and other DevOps tools.
Integrate with Prisma Cloud to extend its capabilities

Prisma Cloud augments Checkov’s open source capabilities with a history of scans, additional integrations, auto-fixes, Smart Fixes and more

Learn more

Integrated IaC as part of the pipeline

Involving developers in remediation is the fastest way to get things fixed. Prisma Cloud provides feedback directly in popular DevOps, including integrated development environments (IDE), continuous integration (CI) tools, and version control system (VCS). Additional aggregation and reporting are available in the Prisma Cloud platform.

Provide fast feedback throughout the development lifecycle

Prisma Cloud integrates with IDEs, CI tools and VCS to provide feedback and guardrails in the tools developers already use.
Enable fixes with code review comments

Native integrations with VCS creates code comments with each new pull request for identified misconfigurations to make finding and fixing misconfigurations easier.
View all code misconfigurations in one place

Prisma Cloud includes a centralized view of all misconfigurations across scanned repositories, with filtering and searching to find code blocks and owners.
Build remediation work into DevOps workflows

Integrations with collaboration and ticketing tools can generate tickets and alerts to notify the right teams to add remediations to DevOps tasks.

Learn more

Context aware and actionable feedback

When developers are moving as fast as possible to meet deadlines, providing policy violations without explanation just causes frustration. Prisma Cloud includes automatic remediations for many policies along with guidelines for all policies to provide the details to get misconfigurations fixed.

Context aware visibility and policies

Prisma Cloud surfaces policy violations for resources and the dependencies, and policies can be based on context such as higher severity for internet exposed violations, helping with prioritization.
Provide actionable guidance

Each policy violation comes with actionable guidelines about the misconfiguration along with guidance to remediate the issue.
Trace cloud to code with code owners for faster remediation

Cloud resources are traceable back to IaC templates with the code modifier, to find the right resource and team to remediate issues fast.
Enable GitOps workflows

Tracing cloud misconfigurations back to code enables issues identified in runtime to be fixed in code to maintain the benefits of scalability and auditability of IaC templates.

Learn more

Enforced guardrails

Under pressure to deliver features, developers follow the path of least resistance. Similarly, during an incident engineers can rush to fix issues directly in cloud environments, leaving IaC templates out of sync. Create a secure golden pipeline for infrastructure as code to be vetted and enforce GitOps best practices of maintaining configurations in code by leveraging guardrails.

Block severe misconfigurations from being added to repos and deployed

Integrations with CI tools allow for hard fails that can block misconfigured code from entering a repository or deployment process.
Set custom levels for blocking builds

Hard fail policy levels can be set per repository, along with per policy exclusions and per resource suppressions.
Extend policy sets with custom policies

Add custom policies using Python, YAML or the UI policy editor to apply organization specific policies, including multiple resource, graph-based policies.
Provide actionable information about failed deployments

Every scan includes a Code Review with the list of misconfigurations with guidelines to remediate the issue and auto-fixes for issues identified in pull requests.

Learn more

Cloud Code Security module

Infrastructure as Code Security

Automated IaC security embedded in developer workflows.

Learn more

Valuable IaC security documents

See all documents

PRISMA CLOUD

Datasheet