Secure Infrastructure as Code

In the current continuous integration and continuous deployment (CI/CD) environment, scans are conducted on cloud resources after deployment. As a result, you secure the cloud resources post deployment. We are introducing the Infrastructure as Code (IaC) Security feature for AWS Terraform. With the arrival of IaC scanning, you can now secure your code (IaC) before it is deployed to the cloud environment.

The new Qualys IaC Security feature helps shift the security and compliance posture of cloud security to the left, allowing cloud resource misconfigurations to be evaluated before the actual deployment. Using this feature, cloud infrastructure teams can prevent misconfigurations before they happen.

The first step towards IaC security is triggering an IaC scan. In the current scenario, scans are executed after the cloud resources are deployed in the cloud environment. As a result, misconfigurations are fixed post deployment. With this feature, however, you can trigger the scan on the IaC (configuration file) before the cloud resources are deployed in the environment.

Once you trigger the scan, we evaluate the configuration file (IaC) against pre-defined controls.

IaC scanning works by uploading the template file, or a zip containing multiple files, to TotalCloud, either via our CLI or API. The template is processed, and the response returns a scan ID. The returned scan ID can then be used to fetch the scan report, which provides the evaluation results, giving you a clear picture of the misconfigurations (if any) that need to be fixed to secure your code before the actual deployment.
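To illustrate what "evaluating a configuration file against pre-defined controls" means before anything is deployed, here is an added, stand-alone example (not Qualys code, and not the TotalCloud control set): it reads a constructed AWS Terraform template in .tf.json form and evaluates it against two hypothetical controls (IDs EX-S3-001 and EX-SG-001 are placeholders), producing a PASS/FAIL report with per-resource findings.

```python
import json

# Constructed Terraform template in .tf.json form (sample input, not a real deployment).
SAMPLE_TF_JSON = """{
  "resource": {
    "aws_s3_bucket_acl": {
      "logs": {"bucket": "${aws_s3_bucket.logs.id}", "acl": "public-read"}
    },
    "aws_security_group": {
      "web": {"name": "web", "ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
      ]}
    }
  }
}"""

def resources(template, rtype):
    """Return (name, body) pairs for every resource block of the given Terraform type."""
    return template.get("resource", {}).get(rtype, {}).items()

def check_public_s3_acl(template):
    """Control EX-S3-001 (hypothetical ID): a bucket ACL must not grant public access."""
    return [{"control": "EX-S3-001", "resource": f"aws_s3_bucket_acl.{name}",
             "detail": f"acl is {body.get('acl')!r}"}
            for name, body in resources(template, "aws_s3_bucket_acl")
            if body.get("acl") in ("public-read", "public-read-write")]

def check_ssh_open_to_world(template):
    """Control EX-SG-001 (hypothetical ID): no ingress rule may expose port 22 to 0.0.0.0/0."""
    findings = []
    for name, body in resources(template, "aws_security_group"):
        rules = body.get("ingress", [])
        rules = [rules] if isinstance(rules, dict) else rules  # single block vs. list
        for rule in rules:
            all_traffic = str(rule.get("protocol")) == "-1"  # Terraform's "any protocol"
            in_range = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
            if (all_traffic or in_range) and "0.0.0.0/0" in rule.get("cidr_blocks", []):
                findings.append({"control": "EX-SG-001",
                                 "resource": f"aws_security_group.{name}",
                                 "detail": "port 22 reachable from 0.0.0.0/0"})
    return findings

CONTROLS = [check_public_s3_acl, check_ssh_open_to_world]

def evaluate(template_text):
    """Evaluate a template against all controls and return a scan-report-style dict."""
    template = json.loads(template_text)
    findings = [f for control in CONTROLS for f in control(template)]
    return {"status": "FAIL" if findings else "PASS", "findings": findings}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_TF_JSON), indent=2))
```

Because the checks run on the template text alone, the same evaluation can gate a CI/CD pipeline step long before `terraform apply` creates any resource.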

You can scan the templates either through CLI commands or using APIs:

Scanning Template Files Using CLI

Scanning Template Files Using API

Want to know more?

Pre-requisites

Template Support

Understanding IaC Scan Output