IaC Security Overview

Lacework IaC (Infrastructure as Code) Security is a software-as-a-service (SaaS) automation platform for IaC management that supports Terraform, CloudFormation, Kubernetes and other IaC languages (see Language Support for details). It quickly detects security vulnerabilities and provides feedback through pull requests. This lets developers keep working in a familiar way without the cost of context switching.

How does it work?

Lacework IaC Security has a bot (iacbot) that integrates directly with GitHub and GitLab. It passes each commit and pull request through a processing pipeline that performs static analysis, plan generation and custom policy checks. It writes the results of these checks back to GitHub and GitLab pull requests to facilitate efficient code review. DevOps, site reliability engineers, and security teams can be sure that only changes that have passed through this processing pipeline are allowed to be deployed.

Benefits

Lacework IaC Security:

  • Helps you deliver secure IaC
  • Reduces risk of security incidents in production
  • Decreases time and effort of security remediation
  • Reduces costs
  • Accelerates deployment
  • Reduces errors
  • Increases infrastructure efficiency

Terminology

Run/Scan - Periodic evaluation of your company’s integrated repositories by an IaC tool

Job - A unit of work consisting of zero or more (0-N) Scans.

Assessment - A grouping of Job results for a target (for example: a repository).

Findings - All security issues that IaC Assessment detects are called Findings.

iacbot - Lacework IaC Security’s bot that integrates directly with GitHub and GitLab.

Policies - Your security policies such as “GitHub repositories shouldn’t be public”. The policy might have a corresponding compliance security rule such as CIS or HIPAA.

Pull Request - This is a method to submit contributions to a development project. The contributor requests the repository owner to review the code that they want to merge into the project.

Suppression - You can suppress a finding that IaC Security reports when it is not an issue. There are various suppression levels. You can suppress a finding for a specific Resource (see Use Findings), for an Organization Policy (see Modify IaC Security Policies), or at Repo Level (see Configure iacbot for further details).

Violations - During a scan, IaC Security identifies issues where the code does not conform to a policy at runtime. Each such issue is a violation.
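To make the Findings, Violations and Suppression terms concrete, here is an added illustration (not Lacework's code, and not how iacbot is implemented): one scan of a constructed Terraform plan JSON against a single hypothetical policy, followed by the three suppression scopes described above. The policy id, the suppression record shape and the sample plan are all assumptions.

```python
"""Added illustration: scan a constructed Terraform plan against one
hypothetical policy, then apply resource/policy/repo level suppressions."""
import json

# Constructed sample plan in the `terraform show -json` shape: two buckets.
PLAN_JSON = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.public_site", "type": "aws_s3_bucket",
         "values": {"bucket": "site", "acl": "public-read"}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "logs", "acl": "private"}},
    ]}}
})

# Hypothetical policy: S3 buckets must not use a public ACL.
POLICY_ID = "s3-no-public-acl"
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def scan(plan_json):
    """One Scan: return a Finding for every resource that violates the policy."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res["type"] == "aws_s3_bucket" and res["values"].get("acl") in PUBLIC_ACLS:
            findings.append({"policy": POLICY_ID, "resource": res["address"]})
    return findings


def apply_suppressions(findings, suppressions):
    """Drop findings matched by a resource-, policy- or repo-level suppression.
    suppressions: dicts with "level" and, as needed, "policy" / "resource"."""
    kept = []
    for f in findings:
        suppressed = False
        for s in suppressions:
            if s["level"] == "repo":                      # whole repository
                suppressed = True
            elif s["level"] == "policy" and s["policy"] == f["policy"]:
                suppressed = True                         # organization policy
            elif s["level"] == "resource" and s["policy"] == f["policy"] \
                    and s["resource"] == f["resource"]:
                suppressed = True                         # one specific resource
        if not suppressed:
            kept.append(f)
    return kept
```

The scan reports only the public bucket; a resource-level suppression for another address leaves that finding in place, while a policy-level or repo-level suppression clears it.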