Infrastructure as Code
Security implications of managing infrastructure through code. Includes version control for infrastructure, automated and repeatable deployments, preventing configuration drift, and embedding security in the deployment pipeline.
Understanding Infrastructure as Code
Infrastructure as Code (IaC) treats infrastructure configuration as software—defined in code, stored in version control, and deployed through automated pipelines. This approach has significant security implications, both positive and negative.
IaC security benefits:
- Consistency: every deployment is identical
- Version control: track all changes, enable rollback
- Automation: reduce human error
- Auditability: complete history of infrastructure changes
IaC security risks:
- Secrets in code: credentials accidentally committed
- Misconfiguration at scale: errors replicated to every deployment
- Supply chain: compromised modules and templates
In 2022, researchers found over 100,000 GitHub repositories containing exposed AWS credentials in IaC templates—demonstrating why secret scanning is critical in IaC pipelines.
IaC shifts security left—embedding it in the development process rather than adding it later.
Why This Matters for the Exam
Infrastructure as Code is tested on SY0-701 as organizations increasingly automate infrastructure. Questions cover IaC benefits, risks, and security controls.
Understanding IaC security helps with DevSecOps implementation, cloud security, and compliance automation. IaC enables security at scale but introduces new risks.
The exam tests both conceptual understanding and awareness of IaC-specific security considerations.
Deep Dive
What Is Infrastructure as Code?
IaC defines infrastructure in declarative or procedural code files rather than manual configuration.
Common IaC Tools:
| Tool | Description | Type |
|---|---|---|
| Terraform | Multi-cloud provisioning | Declarative |
| CloudFormation | AWS-native IaC | Declarative |
| Ansible | Configuration management | Procedural |
| Puppet | Configuration management | Declarative |
| Chef | Configuration management | Procedural |
Declarative vs. Procedural:
- Declarative: define the desired end state and let the tool work out the steps (Terraform, CloudFormation)
- Procedural: define the steps that reach the state (Ansible playbooks, shell scripts)
Why Does Version Control Matter for IaC Security?
Security Benefits:
- Complete audit trail of changes
- Enables code review for security
- Rollback capability
- Collaboration without conflicts
What Every Change Looks Like:
```
$ git log --oneline
abc123 Added firewall rules for app tier
def456 Enabled encryption on database
ghi789 Removed public access from S3
```
Every change is documented and attributable: the commit records who made it and when, and a signed commit proves it came from that person's key.
Branch Protection:
- Require pull request reviews
- Require security scanning before merge
- Prevent direct commits to the main branch
- Require signed commits
How Do You Secure the CI/CD Pipeline for IaC?
Pipeline Security Controls:
| Stage | Security Control |
|---|---|
| Commit | Secret scanning, lint checks |
| Build | Static analysis, dependency scan |
| Test | Security testing, compliance checks |
| Deploy | Approval gates, environment controls |
| Runtime | Monitoring, drift detection |
Pipeline Security Considerations:
- Secure pipeline credentials
- Least privilege for deployment accounts
- Approval requirements for production
- Audit logging of deployments
- Environment separation
What Is Configuration Drift and Why Is It Dangerous?
Configuration drift occurs when actual infrastructure state differs from IaC-defined state.
Drift Sources:
- Manual changes in the console
- Emergency fixes never written back into code
- Automated tools making changes
- Incomplete IaC coverage
Drift Detection Example (illustrative, not verbatim tool output):
```
$ terraform plan

Note: Objects have changed outside of Terraform
Detected 3 changes not in configuration:
  - Security group rule added manually
  - Instance type changed
  - Tag modified
```
`terraform plan` refreshes state from the provider and reports any managed resource whose live settings no longer match the code. It cannot see resources that were never put under Terraform in the first place, so incomplete IaC coverage is a drift source that plan alone will not catch.
Preventing Drift:
- Immutable infrastructure (replace, don't modify)
- Continuous state checking
- Restrict console access
- Alert on detected drift
- Automated remediation
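The continuous state checking and alerting in the list above, as an added example written for this page rather than code from Terraform or any cloud provider: it diffs the state the templates declare against what the cloud API reports, rates each difference so a pipeline can alert or block, and flags resources that exist live but not in code. The two state dictionaries, the resource addresses and the values are constructed sample data (assumptions), standing in for `terraform show -json` output and a describe call. The same check is the first step of the drift audit walked through in the exam scenario later on this page.

```python
"""Drift detection: diff the state declared in code against the live state.

Added example written for this page; it is not code from Terraform or any
cloud SDK. DESIRED and ACTUAL are constructed sample data: in a real pipeline
DESIRED would come from the IaC state (e.g. `terraform show -json`) and ACTUAL
from the provider's describe APIs. Resource addresses and values are hypothetical.
"""
from __future__ import annotations
from typing import Any

Finding = dict[str, Any]
SEVERITY_ORDER = ("low", "high", "critical")

# Constructed: what the templates declare for one security group and one instance.
DESIRED: dict[str, dict[str, Any]] = {
    "aws_security_group.app": {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"},
    ]},
    "aws_instance.web": {"instance_type": "t3.micro",
                         "tags": {"Owner": "platform-team", "Env": "prod"}},
}

# Constructed: what the cloud API reports after a few console "quick fixes".
ACTUAL: dict[str, dict[str, Any]] = {
    "aws_security_group.app": {"ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.0.0.0/8"},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    ]},
    "aws_instance.web": {"instance_type": "t3.large",
                         "tags": {"Owner": "someone-else", "Env": "prod"}},
}

def _rule_key(rule: dict[str, Any]) -> tuple[Any, ...]:
    """Identity of a security-group rule, independent of dict ordering."""
    return (rule["protocol"], rule["from_port"], rule["to_port"], rule["cidr"])

def _severity(attribute: str, rule: dict[str, Any] | None = None) -> str:
    """Rate a finding so the pipeline can choose between alerting and blocking;
    an ingress rule open to the whole internet is always critical."""
    if attribute == "ingress" and rule is not None and rule.get("cidr") == "0.0.0.0/0":
        return "critical"
    return "high" if attribute in ("ingress", "instance_type") else "low"

def detect_drift(desired: dict[str, dict[str, Any]],
                 actual: dict[str, dict[str, Any]]) -> list[Finding]:
    """Return one finding per attribute whose live value differs from code.

    Live resources absent from code are reported as 'unmanaged': they were created
    outside IaC, and `terraform plan` cannot see them (the incomplete-coverage case).
    """
    findings: list[Finding] = []
    for address, want in desired.items():
        have = actual.get(address)
        if have is None:
            findings.append({"resource": address, "attribute": "*", "kind": "missing", "severity": "critical"})
            continue
        for attr, want_val in want.items():
            have_val = have.get(attr)
            if attr == "ingress":
                # Compare rule sets: rules added live and rules removed live are both drift.
                wanted = {_rule_key(r) for r in want_val}
                present = {_rule_key(r) for r in (have_val or [])}
                for rule in have_val or []:
                    if _rule_key(rule) not in wanted:
                        findings.append({"resource": address, "attribute": attr, "kind": "added",
                                         "actual": rule, "severity": _severity(attr, rule)})
                for rule in want_val:
                    if _rule_key(rule) not in present:
                        findings.append({"resource": address, "attribute": attr, "kind": "removed",
                                         "desired": rule, "severity": "high"})
            elif attr == "tags":
                live_tags = have_val or {}
                for key in sorted(set(want_val) | set(live_tags)):
                    if want_val.get(key) != live_tags.get(key):
                        findings.append({"resource": address, "attribute": f"tags.{key}", "kind": "changed",
                                         "desired": want_val.get(key), "actual": live_tags.get(key),
                                         "severity": "low"})
            elif want_val != have_val:
                findings.append({"resource": address, "attribute": attr, "kind": "changed",
                                 "desired": want_val, "actual": have_val, "severity": _severity(attr)})
    for address in sorted(actual.keys() - desired.keys()):
        findings.append({"resource": address, "attribute": "*", "kind": "unmanaged", "severity": "high"})
    return findings

def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or 'none'; a pipeline gate would fail on 'critical'."""
    if not findings:
        return "none"
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)

if __name__ == "__main__":
    found = detect_drift(DESIRED, ACTUAL)
    for f in found:
        print(f"[{f['severity']}] {f['resource']} {f['attribute']}: {f['kind']}")
    print("worst:", worst_severity(found))
```

Run on the sample data it reports the three changes the page's `terraform plan` illustration describes, with the manually added SSH rule from 0.0.0.0/0 rated critical; a scheduled job that feeds it real state and pages on `worst_severity() == "critical"` is the "alert on detected drift" control.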
What Are the Security Risks of Infrastructure as Code?
Secrets in Code:
```hcl
# BAD - secret hardcoded, so it lands in version control with the template
password = "SuperSecret123!"

# GOOD - pull the value from the secret manager at plan/apply time
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod/db/password"   # placeholder secret name
}

password = data.aws_secretsmanager_secret_version.db_password.secret_string
```
Even with the reference, the resolved value is written into the Terraform state file, which is one reason state must be encrypted and access-controlled (see the best practices below).
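The commit-stage secret scanning from the pipeline table above and the bad/good pair just shown, as an added example for this page (it is not gitleaks, trufflehog or any other real scanner): a small pre-commit style check that runs a few patterns over IaC text, reports literal credentials with their line numbers, and lets references to a secret manager or a variable through. The sample Terraform text is constructed; its access key ID is the example key from AWS's own documentation, not a live credential. Pointed at the staged files from `.git/hooks/pre-commit`, its non-zero exit code blocks the commit.

```python
"""Commit-stage secret scan for IaC files.

Added example for this page, not code from gitleaks, trufflehog or any other
real scanner. It applies a few well-known patterns line by line and reports
where a literal credential appears, while letting references to a secret
manager or variable through. SAMPLE_TF is constructed; the access key ID in
it is the documented AWS example key, not a real credential.
"""
import re
import sys

# (rule name, regex). The access-key-ID shape (AKIA + 16 uppercase
# alphanumerics) is the documented AWS format; the others are generic
# assignment patterns a team would tune for its own codebase.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r'(?i)\b(password|passwd|secret_key|secret|token|api_key)\s*=\s*"([^"]{6,})"')),
]

# A quoted value that starts like one of these is a reference, not a literal.
REFERENCE_PREFIXES = ("${", "var.", "data.", "local.", "module.")

# Constructed sample file: two literals that must be caught, one good reference.
SAMPLE_TF = '''\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  username = "admin"
  password = "SuperSecret123!"
}

resource "aws_db_instance" "good" {
  username = "admin"
  password = data.aws_secretsmanager_secret_version.db_password.secret_string
}
'''


def scan_text(text: str, filename: str = "<stdin>") -> list[dict]:
    """Return one finding per line that carries a literal credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if rule == "hardcoded_password" and m.group(2).startswith(REFERENCE_PREFIXES):
                continue  # e.g. password = "${var.db_password}" is a reference, not a secret
            findings.append({"file": filename, "line": lineno, "rule": rule,
                             "match": m.group(0)[:12] + "..."})  # never echo the full secret
    return findings


def scan_files(paths: list[str]) -> list[dict]:
    """Scan the given files (e.g. the staged set handed over by a pre-commit hook)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    # With file arguments: scan them; without: scan the constructed sample.
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_TF, "sample.tf")
    for f in found:
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['match']})")
    sys.exit(1 if found else 0)  # a non-zero exit blocks the commit
```

The reference allow-list is what keeps the "GOOD" form from tripping the scanner: an unquoted `data.` or `var.` reference never matches the assignment pattern, and a quoted `"${var.…}"` interpolation is skipped explicitly. Tune the value-length floor and the keyword list for your own codebase; pattern matching catches the obvious leaks, not every possible one.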
Misconfiguration at Scale:
- One bad template → many vulnerable resources
- A bucket template that allows public access → every bucket deployed from it is public
- Security testing of templates before they are reused is essential
Supply Chain Risks:
- Malicious public modules
- Compromised registries
- Unverified community templates
Pin third-party modules to a reviewed version or commit hash rather than tracking the latest release, so an upstream compromise cannot flow straight into your next deployment.
IaC Security Best Practices
| Practice | Description |
|---|---|
| Secret management | Use vaults, never hardcode |
| Policy as Code | Automated compliance checking |
| Module verification | Review third-party modules |
| Least privilege | Minimal deployment permissions |
| State file protection | Encrypt and secure state |
| Code review | Security review for IaC changes |
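The misconfiguration-at-scale point and the Policy as Code row above, as an added example for this page (not code from cfn-lint, Checkov or any other real tool): two policy checks run over a CloudFormation template before the deploy stage, so a template that would make every bucket public or open SSH to the internet never reaches production. The template is constructed sample input; the property names (`PublicAccessBlockConfiguration`, `SecurityGroupIngress`) are the real CloudFormation ones, while the rule names, severities and the admin-port list are this example's own choices.

```python
"""Policy-as-code checks over a CloudFormation template, run before deploy.

Added example for this page; it is not code from cfn-lint, Checkov or any
other real scanner. It walks the template's Resources section and applies
two rules aimed at the "one bad template, many vulnerable resources"
problem: every S3 bucket must block public access, and no security group
may expose an admin port to the whole internet. SAMPLE_TEMPLATE is
constructed; the property names are the real CloudFormation ones.
"""
import json
import sys

ADMIN_PORTS = {22, 3389, 3306, 5432}            # ssh, rdp, mysql, postgres (our choice)
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")

SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        # Bad: no PublicAccessBlockConfiguration at all.
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        # Good: all four public-access blocks enabled.
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "PublicAccessBlockConfiguration": {k: True for k in PUBLIC_BLOCK_KEYS}}},
        # Mixed: 443 from anywhere is acceptable for a web tier, 22 is not.
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
    },
})


def check_s3_bucket(name: str, props: dict) -> list[dict]:
    """Every one of the four public-access blocks must be explicitly true."""
    cfg = props.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in PUBLIC_BLOCK_KEYS if cfg.get(k) is not True]
    if not missing:
        return []
    return [{"resource": name, "rule": "s3-public-access-block", "severity": "high",
             "detail": "not enabled: " + ", ".join(missing)}]


def _rule_hits_admin_port(rule: dict) -> bool:
    """True if the rule's port range covers an admin port (or all ports)."""
    if str(rule.get("IpProtocol")) == "-1":      # all protocols, all ports
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_security_group(name: str, props: dict) -> list[dict]:
    """Admin ports reachable from 0.0.0.0/0 or ::/0 are a blocking finding."""
    out = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in WORLD and _rule_hits_admin_port(rule):
            out.append({"resource": name, "rule": "sg-admin-port-open-to-world", "severity": "critical",
                        "detail": f"{rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')} from {cidr}"})
    return out


CHECKS = {"AWS::S3::Bucket": check_s3_bucket, "AWS::EC2::SecurityGroup": check_security_group}


def evaluate(template_json: str) -> list[dict]:
    """Return every policy violation in the template; an empty list means 'deployable'."""
    template = json.loads(template_json)
    violations = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            violations.extend(check(name, res.get("Properties") or {}))
    return violations


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    found = evaluate(text)
    for v in found:
        print(f"[{v['severity']}] {v['resource']}: {v['rule']} ({v['detail']})")
    sys.exit(1 if found else 0)  # a failing check blocks the deploy stage
```

The point of running this in the pipeline rather than on the deployed account is leverage: the template is checked once, before the bucket or security group it defines is stamped out across every environment that reuses it. Adding a rule is a new function in `CHECKS`, which is what "policy as code" means in practice.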
How CompTIA Tests This
Example Analysis
Scenario: A security audit reveals that an organization's cloud infrastructure has drifted significantly from documented configurations. Investigation shows developers made "quick fixes" directly in the AWS console, bypassing the Terraform-based IaC process. Several security groups have overly permissive rules that weren't in the original templates.
Analysis - IaC Drift Problem:
What Happened:
- IaC defines the secure configuration
- Developers bypassed the process for speed
- Manual changes created drift
- Security controls weakened
- Actual state ≠ documented state
Security Implications:
- Audit trail incomplete (console changes are harder to track)
- Compliance gaps (documented ≠ actual)
- Security controls bypassed
- Reproducibility lost
- Unknown attack surface
Resolution:
Immediate:
1. Run drift detection (`terraform plan`)
2. Identify all differences
3. Evaluate the security impact of each change
4. Decide, per change: incorporate it into the IaC or remediate it back to the coded state
Long-term:
1. Restrict console access (read-only for most users)
2. Implement continuous drift detection
3. Automated remediation for critical drift
4. Change the culture: "If it's not in code, it didn't happen"
5. An emergency change process that still goes through IaC
Key insight: IaC only provides security benefits if it's the ONLY way infrastructure changes. Bypassing IaC negates its advantages and creates security blind spots.
Memory Trick
Think of IaC like a recipe book for your kitchen:
Your infrastructure is a restaurant kitchen. Without IaC, every chef makes dishes differently—inconsistent results, no record of what was changed when something goes wrong.
With IaC (the recipe book):
- Every dish is made the same way (consistency)
- Changes to recipes are tracked (version control)
- You can see who modified a recipe and when (audit trail)
- If a dish goes wrong, revert to the old recipe (rollback)
Configuration drift is like a chef adding their own ingredients without writing it down. Now nobody knows what's actually in the dish, and you can't reproduce it.
Putting secrets in code is like writing your safe combination in the recipe book and leaving the book on a public shelf.
The golden rule: If it's not in the recipe book (IaC), it didn't happen. No "secret family recipes" (manual changes) allowed.
Test Your Knowledge
Q1. An organization uses Terraform to manage its cloud infrastructure, but a security audit finds configurations that don't match the Terraform templates. What is this called?
Q2. What is the PRIMARY security risk of committing infrastructure code to a public repository without proper review?
Q3. What approach prevents configuration drift by deploying new instances rather than modifying existing ones?