
IaC Security: Securing Terraform & CloudFormation Before Deployment

Infrastructure as Code transformed how teams provision cloud resources — but it also codified misconfigurations. A single misconfigured Terraform resource block can expose an S3 bucket to the internet or grant admin access to every IAM user. IaC security scanning catches these issues before they become production vulnerabilities.

16 min read. Updated May 2026

What Is IaC Security?

IaC security is the practice of scanning infrastructure definition files — Terraform HCL, CloudFormation YAML/JSON, Kubernetes manifests, Dockerfiles, and Helm charts — for security misconfigurations, compliance violations, and hardcoded secrets before those resources are provisioned.

Unlike CSPM, which scans running cloud resources, IaC security operates on the source code that defines infrastructure. This means misconfigurations are caught in the pull request, before terraform apply or aws cloudformation deploy executes. The fix is a code change, not a manual console reconfiguration.

Common IaC Misconfigurations

These are the misconfigurations that IaC scanners catch most frequently. Each one has been involved in real-world data breaches.

Public S3 Buckets (Critical)
S3 buckets with public ACLs or missing Block Public Access settings. Responsible for numerous high-profile data exposures.

Open Security Groups (Critical)
Security groups with ingress rules allowing 0.0.0.0/0 on sensitive ports (SSH, RDP, database ports).

Unencrypted Storage (High)
EBS volumes, RDS instances, and S3 buckets without encryption at rest enabled. Violates most compliance frameworks.

Overprivileged IAM Policies (High)
IAM policies using wildcards (Action: *, Resource: *) instead of least-privilege permissions.

Missing Logging (High)
CloudTrail, VPC Flow Logs, or access logging disabled. Without logs, breaches go undetected.

Hardcoded Secrets (Critical)
API keys, database passwords, or tokens embedded directly in Terraform variables or CloudFormation parameters.

Default VPC Usage (Medium)
Deploying resources into the default VPC, which has permissive networking rules and no custom security controls.

Missing Tags (Low)
Resources without required tags for cost allocation, ownership tracking, and compliance classification.

Terraform Security Best Practices

Use remote state with encryption and locking (S3 + DynamoDB, GCS, Azure Blob)
Never store secrets in .tf files — use Vault, AWS Secrets Manager, or environment variables
Pin provider and module versions to prevent supply chain attacks
Enable encryption at rest for all storage resources (aws_s3_bucket_server_side_encryption_configuration)
Use least-privilege IAM policies — avoid Action: * and Resource: *
Enable VPC Flow Logs, CloudTrail, and access logging by default
Block public access on S3 buckets using aws_s3_bucket_public_access_block
Use security groups with specific CIDR blocks, never 0.0.0.0/0 on sensitive ports
Run Checkov or tfsec in CI to catch misconfigurations before terraform apply
Use Sentinel or OPA policies for organization-wide guardrails
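As an added illustration (not code from this article or from any of the scanners it lists), the two checks below implement the "Open Security Groups" and "Overprivileged IAM Policies" findings as a minimal custom policy run over the JSON that `terraform show -json` emits for a plan. It assumes the plan's `planned_values.root_module.resources` layout and uses invented check IDs; the sample plan is constructed inline.

```python
import json

# Ports the article singles out as sensitive: SSH, RDP and common database ports.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}

def check_security_group(res):
    """Flag ingress rules that open a sensitive port to 0.0.0.0/0 (0-0 means all ports)."""
    findings = []
    for rule in res["values"].get("ingress", []):
        if "0.0.0.0/0" not in rule.get("cidr_blocks", []):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        for port, name in SENSITIVE_PORTS.items():
            if (lo == 0 and hi == 0) or lo <= port <= hi:
                findings.append((res["address"], "OPEN_SG", f"{name} ({port}) open to the world"))
    return findings

def check_iam_policy(res):
    """Flag Allow statements that combine Action: * with Resource: * (policy is a JSON string)."""
    findings = []
    stmts = json.loads(res["values"]["policy"]).get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        actions, resources = s.get("Action", []), s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if s.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append((res["address"], "WILDCARD_IAM", "Allow Action:* on Resource:*"))
    return findings

def scan_plan(plan_json):
    """Run the matching check over every resource in planned_values.root_module.resources."""
    checks = {"aws_security_group": check_security_group, "aws_iam_policy": check_iam_policy}
    findings = []
    for res in json.loads(plan_json)["planned_values"]["root_module"].get("resources", []):
        if res["type"] in checks:
            findings.extend(checks[res["type"]](res))
    return findings

# Constructed sample plan (trimmed to the `terraform show -json` shape), not real output.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy", "values": {"policy": json.dumps(
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"address": "aws_iam_policy.reader", "type": "aws_iam_policy", "values": {"policy": json.dumps(
        {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})}}]}}})

if __name__ == "__main__":
    for address, check_id, message in scan_plan(SAMPLE_PLAN):
        print(f"{check_id:<12} {address}: {message}")
```

Port 443 open to the world and the read-only policy produce no findings; only the SSH rule and the wildcard policy are reported, which is the behaviour a CI gate before `terraform apply` needs.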

IaC Scanning Tools Comparison

Tool          | Terraform | CloudFormation | K8s / Helm | Dockerfile | Custom Rules
Checkov       | Yes       | Yes            | Yes        | Yes        | Python / YAML
tfsec (Trivy) | Yes       | Yes            | Yes        | Yes        | Rego / JSON
Terrascan     | Yes       | Yes            | Yes        | Yes        | Rego
cfn-lint      | -         | Yes            | -          | -          | Python plugins
KICS          | Yes       | Yes            | Yes        | Yes        | Rego
Snyk IaC      | Yes       | Yes            | Yes        | Yes        | Policy engine
TigerGate     | Yes       | Yes            | Yes        | Yes        | YAML rules

Most teams start with Checkov or tfsec (now part of Trivy) for open-source IaC scanning, then layer in a platform like TigerGate for unified scanning across code, infrastructure, containers, and cloud posture with centralized policy management.

Scan Your Infrastructure as Code with TigerGate

TigerGate scans Terraform, CloudFormation, Kubernetes manifests, and Dockerfiles against 500+ security rules mapped to CIS Benchmarks, SOC 2, and PCI DSS.