
IaC Security Overview

Lacework IaC (Infrastructure as Code) Security is a software-as-a-service (SaaS) platform for automating IaC management. It supports Terraform, Kubernetes, CloudFormation, and the Cloud Development Kit (CDK). It detects security issues in IaC early and reports them as feedback on pull requests, so developers keep working in their existing workflow without switching context to a separate security tool.

How does it work?

Lacework IaC Security provides a bot (iacbot) that integrates directly with GitHub and GitLab. Every commit and pull request passes through a processing pipeline that performs static analysis, plan generation, sanity checks, and custom policy checks. The bot writes the results of these checks back to the GitHub or GitLab pull request, so reviewers see findings next to the code under review. When the repository's merge rules require the bot's check to pass, DevOps, site reliability, and security teams can be confident that only changes that have cleared this pipeline are deployed.

Benefits

Lacework IaC Security:

  • Helps you deliver secure IaC
  • Reduces risk of security incidents in production
  • Decreases time and effort of security remediation
  • Reduces costs
  • Accelerates deployment
  • Reduces errors
  • Increases infrastructure efficiency

Terminology

Assessment - Periodic evaluation of your company’s security status.

Findings - All security issues that IaC Assessment detects are called Findings.

iacbot - Lacework IaC Security’s bot that integrates directly with GitHub and GitLab.

Policies - Your security policies, such as "GitHub repositories shouldn't be public". A policy may map to a control in a compliance framework such as a CIS Benchmark or HIPAA.

Pull Request - This is a method to submit contributions to a development project. The contributor requests the repository owner to review the code that they want to merge into the project.

Suppression - You can suppress a finding that IaC Security reports when it is not an issue in your environment. Suppressions have different scopes: you can suppress one specific finding, or every finding of the same type.

Violations - When a scan finds code that does not conform to a policy, that nonconformance is a violation.
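As an added illustration of the policy-check stage described under "How does it work?" and of the Findings, Policies, Suppression and Violations terms above, here is a small stand-alone Python script written for this page; it is not Lacework's code and does not reflect how iacbot is actually implemented. It reads a constructed Terraform configuration in Terraform's JSON syntax (`.tf.json`), applies two hypothetical policies (the identifiers `S3-001` and `SG-001` are invented), honours a suppression list keyed by policy and resource address, and renders the kind of summary a bot could post back to a pull request. The non-zero exit status is what a merge rule would key on. Plan generation is not shown; the checks run on the raw configuration.

```python
"""Minimal policy-check stage of an IaC pipeline (added example, not Lacework code)."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample: a Terraform configuration in JSON syntax (.tf.json).
# One public bucket and one security group open to the world on port 22.
SAMPLE_TF_JSON = r'''
{
  "resource": {
    "aws_s3_bucket": {
      "logs":    { "bucket": "example-logs",    "acl": "public-read" },
      "private": { "bucket": "example-private", "acl": "private" }
    },
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [
          { "from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"] },
          { "from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"] }
        ]
      }
    }
  }
}
'''


@dataclass(frozen=True)
class Finding:
    policy_id: str   # hypothetical policy identifier, e.g. "S3-001"
    resource: str    # Terraform resource address, e.g. "aws_s3_bucket.logs"
    message: str
    suppressed: bool = False  # suppressed findings are reported but do not block


def iter_resources(config):
    """Yield (address, type, attributes) for every resource block in the config."""
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            yield f"{rtype}.{name}", rtype, attrs


def check_public_bucket(address, rtype, attrs):
    """Policy S3-001 (hypothetical): S3 bucket ACLs must not grant public access."""
    if rtype == "aws_s3_bucket" and attrs.get("acl", "private").startswith("public"):
        return Finding("S3-001", address, f"bucket ACL '{attrs['acl']}' grants public access")
    return None


def check_world_open_ssh(address, rtype, attrs):
    """Policy SG-001 (hypothetical): no ingress rule may expose port 22 to 0.0.0.0/0."""
    if rtype != "aws_security_group":
        return None
    rules = attrs.get("ingress", [])
    if isinstance(rules, dict):      # a single block may be serialised as an object
        rules = [rules]
    for rule in rules:
        covers_22 = rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535)
        world = any(ipaddress.ip_network(c).prefixlen == 0 for c in rule.get("cidr_blocks", []))
        if covers_22 and world:
            return Finding("SG-001", address, "ingress allows SSH (22) from 0.0.0.0/0")
    return None


POLICIES = [check_public_bucket, check_world_open_ssh]


def scan(tf_json_text, suppressions=()):
    """Run every policy over every resource; mark findings covered by a suppression.

    A suppression is (policy_id, resource_address) for one specific finding, or
    (policy_id, "*") to suppress every finding of that type.
    """
    config = json.loads(tf_json_text)
    findings = []
    for address, rtype, attrs in iter_resources(config):
        for policy in POLICIES:
            finding = policy(address, rtype, attrs)
            if finding is None:
                continue
            if (finding.policy_id, finding.resource) in suppressions or \
               (finding.policy_id, "*") in suppressions:
                finding = Finding(finding.policy_id, finding.resource, finding.message, suppressed=True)
            findings.append(finding)
    return findings


def render_pr_comment(findings):
    """Markdown summary of the kind a bot would post on the pull request."""
    lines = ["### IaC policy check"]
    for f in findings:
        status = "suppressed" if f.suppressed else "violation"
        lines.append(f"- `{f.resource}` {f.policy_id}: {f.message} ({status})")
    active = [f for f in findings if not f.suppressed]
    lines.append(f"\n**{len(active)} violation(s) block this merge**" if active
                 else "\nNo unsuppressed violations.")
    return "\n".join(lines)


def exit_code(findings):
    """Non-zero when any unsuppressed violation remains, so a required check fails."""
    return 1 if any(not f.suppressed for f in findings) else 0


if __name__ == "__main__":
    results = scan(SAMPLE_TF_JSON, suppressions={("SG-001", "aws_security_group.bastion")})
    print(render_pr_comment(results))
    raise SystemExit(exit_code(results))
```

Run as-is, the script reports the public bucket as a blocking violation and the security-group finding as suppressed, and exits 1; remove the suppression and both block. The suppression keys are deliberately the policy identifier plus the resource address rather than a line number, so a suppression survives unrelated edits to the file.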