Safeguard
Infrastructure Security

What is Infrastructure as Code (IaC)

IaC turns infrastructure into versioned code, but one bad Terraform default can replicate a security hole across every environment it touches.

Priya Mehta
DevSecOps Engineer
Updated 7 min read

Infrastructure as Code (IaC) is the practice of defining servers, networks, load balancers, and cloud resources in text files — usually HCL, YAML, or JSON — that a tool like Terraform or AWS CloudFormation reads and converts into running infrastructure. It's become a foundational infrastructure as code DevOps practice precisely because it lets platform and application teams collaborate through pull requests instead of ticket queues. Instead of clicking through the AWS console to launch an EC2 instance or open a security group, an engineer commits a .tf file to Git, opens a pull request, and lets a pipeline run terraform apply. HashiCorp shipped Terraform in July 2014; AWS CloudFormation predates it by three years, launching in 2011. Today a single Terraform module can provision hundreds of interdependent AWS resources — VPCs, subnets, IAM roles, RDS instances — in one apply run that takes minutes instead of the days manual provisioning used to require. That speed is exactly why one misconfigured line in a shared template can replicate the same security hole across every environment it touches, from dev to production, in a single deploy.

What Is Infrastructure as Code (IaC)?

Infrastructure as Code is the management of IT infrastructure through machine-readable definition files instead of manual configuration, interactive consoles, or one-off shell scripts. An IaC file declares the desired end state — "this S3 bucket should exist, be encrypted with KMS, and deny public access" — and a provisioning engine reconciles the live environment to match it. This is different from a shell script that runs a sequence of imperative commands, because IaC tools like Terraform maintain a state file that tracks exactly which resources they created and can compute a diff (terraform plan) before touching anything. The three most widely adopted flavors are declarative (Terraform, CloudFormation, Bicep), imperative-with-general-purpose-languages (Pulumi, using Python, TypeScript, or Go), and configuration management (Ansible, Chef, Puppet), which typically manages software state on existing machines rather than provisioning the machines themselves.

How Is IaC Different From Traditional Infrastructure Management?

Traditional infrastructure management relies on manual, one-off changes made through a web console or an SSH session, while IaC captures every change as versioned code that can be reviewed, tested, and re-run identically. This distinction is often called "ClickOps" versus "GitOps": a ClickOps change to a security group in the AWS console leaves no diff, no reviewer, and no audit trail beyond CloudTrail logs, whereas the same change in a Terraform pull request gets a terraform plan output, a required approval, and a permanent Git commit tied to an author. Manual environments also drift — a engineer patches one production server by hand during an incident at 2 a.m., and six months later nobody can explain why that one host behaves differently from the other 40 in the fleet. IaC eliminates drift by making the code the single source of truth: if the live environment doesn't match the template, the next apply either corrects it or fails loudly, which is precisely the property that makes IaC auditable in a SOC 2 or ISO 27001 change-management control. This shift from ClickOps to reviewable, versioned templates is a big part of why infrastructure as code DevOps workflows replaced manual console changes as the default at most engineering organizations.

What Tools Are Used to Implement Infrastructure as Code?

The dominant IaC tools are Terraform, AWS CloudFormation, Pulumi, Azure Bicep, and Kubernetes manifests, each tied to a different provisioning model. Terraform, now maintained under IBM/HashiCorp after the 2024 acquisition, uses its own HCL syntax and a public registry with more than 3,000 provider integrations covering AWS, Azure, GCP, Datadog, and hundreds of SaaS platforms. AWS CloudFormation is AWS-native, written in JSON or YAML, and integrates directly with CloudFormation StackSets for multi-account deployments — no separate state file to manage, since AWS hosts it. Pulumi, launched in 2018, lets teams write infrastructure in Python, TypeScript, Go, or C#, which appeals to teams that want unit tests around their infrastructure logic rather than a domain-specific language. Azure Bicep, released in 2020, is Microsoft's more readable alternative to raw ARM JSON templates. For containerized workloads, Kubernetes YAML manifests and Helm charts function as IaC for pods, services, and ingress rules, and tools like Crossplane extend that same declarative model to manage cloud resources directly from a Kubernetes control plane.

What Security Risks Does Infrastructure as Code Introduce?

Hardcoded secrets, overly permissive IAM policies, publicly exposed storage buckets, and disabled logging are the most common risks that get baked directly into IaC templates before a single resource is ever provisioned. Palo Alto Networks' Unit 42 Cloud Threat Report found that 63% of codebases used to build cloud infrastructure contained at least one insecure configuration, and separately reported that 76% of organizations were not scanning their IaC templates for misconfigurations at all. A frequent, concrete example: a Terraform resource block for an S3 bucket that omits block_public_acls = true and restrict_public_buckets = true will provision a bucket that's publicly listable the moment apply finishes — no separate "step two" required. Terraform state files (terraform.tfstate) are another recurring exposure vector, because by default they store resource attributes in plaintext, including database passwords and API keys passed as variables; state files left in unencrypted S3 backends or committed to public GitHub repos have repeatedly turned up in security research as a source of leaked credentials. Because IaC templates are reused across environments through modules, a single insecure default in a shared module can propagate the same open security group or unencrypted RDS instance into every team that imports it, turning one bad commit into a fleet-wide exposure.

How Do You Scan Infrastructure as Code for Misconfigurations?

Static analysis tools such as Checkov, tfsec, Terrascan, and KICS parse IaC templates against policy libraries before code ever merges, catching misconfigurations pre-deployment instead of after an incident. Checkov, originally released by Bridgecrew in 2019 and now maintained under Palo Alto Networks, ships with more than 1,000 built-in policies mapped to benchmarks like CIS AWS Foundations and PCI-DSS, and runs as a pre-commit hook, a CI/CD pipeline step, or a pull-request check in GitHub Actions and GitLab CI. The practical workflow is "shift-left": a developer opens a PR that adds a new RDS instance, the CI pipeline runs the scanner in under a minute, and if the instance lacks encryption at rest the PR gets a failing check and an inline comment before a reviewer even looks at it — not a ticket filed against production three weeks later. Policy-as-code frameworks like Open Policy Agent (Rego) and HashiCorp Sentinel take this further by letting security teams write custom organization-specific rules — for example, blocking any aws_security_group resource with an ingress CIDR of 0.0.0.0/0 on port 22 — and enforcing them as a mandatory gate in the Terraform Cloud run pipeline rather than relying on manual review.

How Safeguard Helps

Safeguard scans Terraform, CloudFormation, and Kubernetes manifests directly in the CI/CD pipeline, but the differentiator is context: Griffin AI correlates IaC misconfigurations against your live SBOM inventory and reachability analysis to tell you which flagged resources actually expose a reachable, internet-facing attack path versus which ones sit behind three layers of network isolation and pose negligible real-world risk. Rather than returning a flat list of every open security group or unencrypted volume, Safeguard ranks findings by exploitability so security teams fix the ones attackers can actually reach first. For issues that are unambiguous — a public S3 bucket, a missing encryption flag, an overly broad IAM policy — Safeguard opens an auto-fix pull request with the corrected HCL or YAML already written, so remediation lands as a reviewable diff instead of a backlog ticket. Combined with continuous SBOM generation and ingest across both application dependencies and infrastructure templates, Safeguard gives teams one place to see where code-level and infrastructure-level risk intersect.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.