Question: Are Infrastructure-as-Code (IaC) templates governed, version-controlled, and checked for security compliance before deployment?
Objective — Why This Matters
IaC accelerates deployments but can also replicate vulnerabilities at scale. Governance ensures security and consistency across environments.
Maturity Levels (0 – 5)
Level 0 – No IaC; manual provisioning.
Level 1 – Some scripts used; no version control.
Level 2 – IaC templates stored in Git; peer review required.
Level 3 – Automated linting and security scanning.
Level 4 – Policy-as-code enforcement and approval workflows.
Level 5 – Continuous compliance validation and drift remediation.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Convert manual builds to IaC scripts (Terraform, Ansible). |
| 1 → 2 | Store in Git; enable peer review and approvals. |
| 2 → 3 | Add automated security scanning (Checkov, Tfsec). |
| 3 → 4 | Introduce policy-as-code checks (OPA/Conftest). |
| 4 → 5 | Integrate continuous drift detection and CI/CD gates. |
People / Process / Technology Enablers
People – DevOps, Cloud Architect.
Process – GitOps workflow, review policy, rollback testing.
Technology – Terraform, Ansible, Checkov, OPA.
Evidence Required
Git logs, review approvals, pipeline scan reports.
Metrics / KPIs
• Percentage of IaC commits reviewed before merge
• Number of failed policy checks per release
• Average time to resolve security violations
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| IaC management | Terraform / Ansible | Declarative infra templates. |
| Scanning | Checkov / Tfsec | Static IaC vulnerability scanning. |
| Policy | OPA / Conftest | Enforce org rules in CI/CD. |
Common Pitfalls
Skipping reviews; using hard-coded credentials in templates.
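An added example, not part of the framework's own material, tying the policy-as-code step (3 → 4) to the hard-coded-credential pitfall: a Python pre-merge gate over the parsed output of `terraform show -json`, doing in plain Python what an OPA/Conftest rule would enforce. The sample plan, its resource addresses and the PLACEHOLDER values are constructed for illustration.

```python
"""Pre-merge gate over parsed `terraform show -json plan.out` output. Credentials are
flagged where they are literals (`constant_value`) in the `configuration` section;
values under `resource_changes[].change.after` are already resolved, so a literal
and a variable-sourced value look identical there and are deliberately ignored."""
import re

# Attribute names that must never carry a literal value in a template.
CREDENTIAL_ATTRS = re.compile(r"(password|secret|access_key|secret_key|token)$", re.I)

# Constructed sample plan: no real infrastructure, keys or passwords.
SAMPLE_PLAN = {"configuration": {
    "provider_config": {"aws": {"name": "aws", "expressions": {
        "region": {"constant_value": "ap-south-1"},
        "access_key": {"constant_value": "PLACEHOLDER-LITERAL-KEY"}}}},
    "root_module": {"resources": [
        {"address": "aws_db_instance.app", "expressions": {
            "username": {"constant_value": "admin"},
            "password": {"constant_value": "PLACEHOLDER-LITERAL-PASSWORD"}}},
        {"address": "aws_db_instance.reporting", "expressions": {
            "password": {"references": ["var.db_password"]}}},  # compliant
    ]}}}

def _literal_credentials(expressions, where):
    """Yield one finding per credential attribute set via constant_value."""
    for attr, expr in expressions.items():
        if isinstance(expr, list):  # nested block: check each instance
            for i, block in enumerate(expr):
                yield from _literal_credentials(block, f"{where}.{attr}[{i}]")
        elif CREDENTIAL_ATTRS.search(attr) and "constant_value" in expr:
            yield f"{where}: attribute '{attr}' is a hard-coded literal"

def find_hardcoded_credentials(plan):
    """Return findings from provider blocks and root-module resources."""
    cfg = plan.get("configuration", {})
    findings = []
    for name, prov in cfg.get("provider_config", {}).items():
        findings.extend(_literal_credentials(prov.get("expressions", {}), f"provider.{name}"))
    for res in cfg.get("root_module", {}).get("resources", []):
        findings.extend(_literal_credentials(res.get("expressions", {}), res["address"]))
    return findings

def merge_allowed(plan):
    """CI gate: True only when the parsed plan carries no hard-coded credential."""
    return not find_hardcoded_credentials(plan)

if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_PLAN):
        print("DENY", finding)
    print("merge allowed:", merge_allowed(SAMPLE_PLAN))
```

The reporting instance passes because its password arrives via `var.db_password`; only the provider key and the app instance's literal password block the merge.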
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.9 / A.8.32. |
| NIST CSF 2.0 | PR.IP-1 / PR.DS-6. |
| CERT-In 2022 | Secure configuration automation. |
| NIRMATA Scoring | IS-Q10 ≥ Level 4 requires automated policy-as-code enforcement. |