Search

Infrastructure as Code (IaC) Security

Identify and fix misconfigurations in Terraform, CloudFormation, ARM, Kubernetes, and other IaC templates
Request a trial
Infrastructure as Code (IaC) Security Front
Infrastructure as Code (IaC) Security Back

Infrastructure as Code (IaC) enables engineers to version control, deploy, and improve cloud infrastructure while leveraging DevOps processes. This also presents an opportunity to proactively improve the posture of cloud infrastructure and reduce the burden on security and operations teams.

Read about Unit 42’s latest research on the state of infrastructure as code security

Download the report

Cloud native infrastructure is evolving

For the sake of agility, businesses are adopting new cloud native design patterns and cloud services, including infrastructure as code. Without cloud native security that understands these new technologies, the rapid adoption creates higher levels of risk. Securing these new technologies without adding developer friction is essential to improving cloud security posture.

DevOps moves fast

DevOps change rates are measured in days, not months, enabled by agile methodologies with CI/CD processes and tools that maximize automation. If security isn’t embedded in these processes and tools, it gets left behind and breaks the release cycle. This doesn’t work in dynamic environments.

Reactive security doesn’t scale

Waterfall review cycles break agile workflows and force developers to context switch. Meanwhile, only addressing issues in runtime leads to overwhelmed security teams. Early feedback fixes the problem at the source, freeing up both development and security teams.

Automated Infrastructure as Code security

Prisma Cloud scans IaC templates for misconfigurations and exposed secrets across the development lifecycle, embedding security in integrated development environments, continuous integration tools, repositories and runtime environments. Prisma Cloud enforces policy-as-code early through automation, preventing deploying security issues and providing automated fixes.
  • Continuous governance to enforce policies in code
  • Embedded in DevOps workflows and tooling
  • Automated misconfiguration fixes via pull requests
  • Backed by the community
    Backed by the community
  • Developer-friendly integrations
    Developer-friendly integrations
  • Automated fixes
    Automated fixes
  • Built-in guardrails
    Built-in guardrails
  • Compliance benchmarks
    Compliance benchmarks
  • Secrets security
    Secrets security
The Prisma Cloud Solution

Our approach to IaC security

Backed by the community

Prisma Cloud IaC security is built on the open source project Checkov. Checkov is a policy-as-code tool with millions of downloads that checks for misconfigurations in IaC templates such as Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework. Users can leverage hundreds of out-of-the-box policies and add custom rules. Prisma Cloud augments Checkov with simplified user experience and enterprise features.

  • Check for policy misconfigurations

    Checkov checks IaC templates against hundreds of out of the box policies based on benchmarks, such as CIS, HIPAA, PCI, and community sourced checks.

  • Leverage context aware policies

    Checkov’s policies include graph-based checks that allow multiple levels of resource relationships for complex policies such as higher severity levels for internet facing resources.

  • Extend capabilities and integrations

    Checkov is designed to be extensible, with the ability to add custom policies and tags, as well as CLIs designed to be added to continuous integration and other DevOps tools.

  • Integrate with Prisma Cloud to extend its capabilities

    Prisma Cloud augments Checkov’s open source capabilities with a history of scans, additional integrations, auto-fixes, Smart Fixes and more

Learn more
Backed by the community

Integrated as part of the pipeline

Involving developers in remediation is the fastest way to get things fixed. Prisma Cloud provides feedback directly in DevOps tools, including integrated development environments (IDE), continuous integration (CI) tools, and version control system (VCS).

  • Provide fast feedback throughout the development lifecycle

    Prisma Cloud integrates with IDEs, CI tools and VCS to provide feedback and guardrails in the tools developers already use.

  • Enable fixes with code review comments

    Native integrations with VCS creates comments with each new pull request for identified code security issues to make finding and fixing them easier.

  • View all IaC security issues in one place

    Prisma Cloud includes a centralized view of all misconfigurations and exposed secrets across scanned repositories, with filtering and searching to find code blocks and owners.

  • Build remediation work into DevOps workflows

    Integrations with collaboration and ticketing tools can generate tickets and alerts to notify the right teams to add remediations to DevOps tasks.

Learn more
Integrated IaC as part of the pipeline

Context aware and actionable feedback

When developers are moving as fast as possible to meet deadlines, providing policy violations without explanation just causes frustration. Prisma Cloud includes automatic remediations for many policies along with guidelines for all policies to provide the details to get misconfigurations fixed.

  • Context aware visibility and policies

    Prisma Cloud surfaces policy violations for resources and the dependencies, and policies can be based on context such as higher severity for internet exposed violations, helping with prioritization.

  • Provide actionable guidance

    Each policy violation comes with actionable guidelines about the misconfiguration along with guidance to remediate the issue.

  • Trace cloud to code with code owners for faster remediation

    Cloud resources are traceable back to IaC templates with the code modifier, to find the right resource and team to remediate issues fast.

  • Enable GitOps workflows

    Tracing cloud misconfigurations back to code enables issues identified in runtime to be fixed in code to maintain the benefits of scalability and auditability of IaC templates.

Learn more
Context aware and actionable feedback

Enforced guardrails

Under pressure to deliver features, developers follow the path of least resistance. Similarly, during an incident engineers can rush to fix issues directly in cloud environments, leaving IaC templates out of sync. Create a secure golden pipeline for infrastructure as code to be vetted and enforce GitOps best practices by leveraging automated guardrails.

  • Block severe issues from being added to repos and deployed

    Integrations with DevOps workflows allow for hard fails that can block misconfigured code or exposed secrets from entering a repository or deployment process.

  • Set custom levels for blocking builds

    Hard fail policy levels can be set per repository, along with per policy exclusions and per resource suppressions.

  • Extend policy sets with custom policies

    Add custom policies using Python, YAML or the UI policy editor to apply organization specific policies, including multiple resource, graph-based policies.

  • Provide actionable information about failed deployments

    Every scan includes a Code Review with the list of misconfigurations with guidelines to remediate the issue and auto-fixes for issues identified in pull requests.

Learn more
Enforced guardrails and prevent drift

Code Security modules

INFRASTRUCTURE AS CODE SECURITY

Automated IaC security embedded in developer workflows

Learn more

SOFTWARE COMPOSITION ANALYSIS (SCA)

Highly accurate and context-aware open source security and license compliance

Learn more

CI/CD SECURITY

Graph-based CI/CD security for application development environments

Learn more

SECRETS SECURITY

Full-stack, multidimensional secrets scanning across repos and pipelines.

Learn more
Featured Resources

Get more insight into what Prisma Cloud can do for your business

See all resources
Datasheet

Infrastructure as Code Security

Download
White Paper

The DevSecGuide to Infrastructure as Code

Download
VIDEO

What is Infrastructure as Code (IaC)?

Watch now
WHITE PAPER

Complete Guide to Operationalizing IaC Security

Download
Blog

How To Adopt Infrastructure as Code With a Secure-by-Default Strategy

Read now
DATASHEET

Code Security

Download

Customer Stories

Hear how Pokemon, Sabre and ElevenPaths take advantage of Prisma Cloud's full lifecycle security and full stack protection.

Cloud security basics

Learn about DevSecOp trends and get practical tips from developers, industry leaders and security professionals.

The latest from our blog

Start with a piece that focuses on container security with Kubernetes cluster awareness, then dive into the rest.

Get the latest news, invites to events, and threat alerts