CIPA: A Recipe for Secure Infrastructure


Does the Infrastructure provide the necessary security safeguards? Did we increase our attack surface by standing up new ingress? Are we confidant our cloud infrastructure is protecting our data, identities, secrets, and network? How are we incorporating cloud-native functionality, like IAM, audit logging, and networking, in conjunction with the available underlying and non-native services to secure our Infrastructure?


C = Controls

I = Infratsructure-as-Code

P = Policy-as-Code

A = Automation (or Action!)

STAGE I : Controls

Security Controls and Guidelines

In some organizations, security controls are often not clearly defined and provided to infrastructure teams. Infrastructure teams should design and implement secure cloud resources such as AWS EC2, EKS, etc., based on the controls. Security controls should be as prescriptive as possible to take any ambiguity out of the equation.

STAGE II : Infrastructure-as-Code

Infrastructure-as-Code <> Codify Infrastructure based on the controls

Terraform is the primary Infrastructure-as-Code tool used across many small and large organizations. However, often there is no set of pre-defined Hardened and Compliant Terraform Modules. As a result, system and infrastructure engineers create ad-hoc and non-compliant Terraform modules to build cloud resources.

According to a study conducted by Bridgecrew, nearly 1 in 2 modules within the Terraform Registry are misconfigured. And the most common misconfigurations are in the Backup and Recovery, Logging, and Encryption categories.


STAGE III : Policy-as-Code

Policy-as-Code <> Codify Security Controls

Many organizations haven’t leveraged the shift-left paradigm in their application or infrastructure development cycles. There are no Infrastructure-as-Code verification stages to ensure non-compliant cloud resources are not deployed in production. This gap obviously won’t be fully addressed without automated Infrastructure-as-Code practices in place.

STAGE IV : Automation

Tying it all together <> Pipeline it!

A robust Infrastructure automation pipeline is a requirement to uplift the maturity of the Infrastructure. Infra-as-Code & Policy-as-Code would be as effective as the underlying CICD pipeline bringing them all together. This allows the infrastructure teams to follow the GitOps flow for any modifications on the existing Infrastructure, with trackability and visibility in place, and eliminate any manual work that would go unnoticed otherwise; Decisions are made based on prescriptive controls (PaC), and human error is eliminated from decision making.

Let’s see it all in action.

Now let’s see all 4 stages discussed above in a simple example below.

Security Controls

*Security Control prohibits using *:* admin privileges on IAM policies


*Terraform code is implementing loose security policy violating the security control in stage 1


*Policy-as-Code (Checkov) can detect the loose IAM rule and security control violation

Action in Pipeline

*Circleci Pipeline automates the Terraform Plan > Terraform Scan >> ACTION stages



CTO & Co-Founder of Syfer, CEO & Founder of MicroStack. SecDevOps and K8s evangelist.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Roshan Daneshvaran

CTO & Co-Founder of Syfer, CEO & Founder of MicroStack. SecDevOps and K8s evangelist.