For financial sector security teams operating large-scale cloud environments, efficiently managing security vulnerabilities within a rapidly changing digital landscape is consistently recognized as a critical challenge. A key objective is to establish security strategies that satisfy complex domestic and international regulatory compliance requirements, such as ISMS-P, the Electronic Financial Supervision Regulations, and ISO 27001, without impeding the development team's service release velocity. Development teams are already actively utilizing Infrastructure as Code (IaC) to provision diverse cloud infrastructures, including AWS and Azure, and are consequently exploring methods to embed security from the infrastructure build phase.
Against this backdrop, the team aimed to proactively identify and remediate security vulnerabilities during the development phase, thereby minimizing the risk of security incidents that could occur after actual service deployment. Ultimately, the objective is to ensure regulatory compliance and adherence to internal security standards through automated means, advancing towards strengthening the security governance of cloud environments. In an era where infrastructure is defined as code, verifying the security of the code itself represents the initial and most crucial step in cloud security.
Challenges for Strengthening Cloud Infrastructure Security
The most significant technical and operational challenge faced by the team was the security review of IaC code. Previously, reliance was placed on manual review of infrastructure code. This approach not only consumed considerable time but also had the limitation of a high probability of errors due to human oversight. Specifically, it was exceedingly difficult to proactively discover security vulnerabilities or inadequate configuration errors hidden within infrastructure code defined by tools such as Terraform and AWS CloudFormation.
Furthermore, applying and managing consistent security policies in a multi-cloud environment utilizing both AWS and Azure simultaneously proved complex. Difficulties were encountered in establishing security standards tailored to the characteristics of each cloud platform and its respective IaC framework, and then integrating these into the development pipeline. Existing SAST (Static Application Security Testing) tools primarily focused on application code vulnerability analysis, rendering them ineffective in detecting security issues within infrastructure code. Moreover, issues were frequently discovered retrospectively via CSPM (Cloud Security Posture Management) tools only after infrastructure deployment to the cloud environment, which entailed significantly higher costs and effort to rectify configuration errors or vulnerabilities in already deployed infrastructure.
In this situation, the team faced the dual challenge of enhancing security without hindering development speed. The core requirements were as follows:
- Security vulnerabilities must be automatically scanned during the IaC code authoring phase, and immediate feedback provided to developers.
- Extensive support for various IaC frameworks, including Terraform, AWS CloudFormation, and Kubernetes YAML, is required.
- Configuration errors related to internal security policy violations and regulatory compliance (e.g., restricting public access to S3 buckets, preventing unnecessary port openings in EC2 security groups) must be accurately detected.
- The security verification process must be automated through close integration with the CI/CD pipeline, seamlessly embedding it into the development workflow.
Selection Process for Optimal IaC Security Scan Technology
To address these challenges, a process of reviewing various IaC security scan tools was undertaken. Key candidates included Checkov, Trivy, OPA/Conftest, Kics, and Terrascan. Each of these tools possesses distinct strengths and characteristics, necessitating the establishment of several criteria for comparative analysis to identify the solution most suitable for the environment.
The most critical selection criteria considered were as follows:
- IaC Framework Support Coverage: Verification was performed to ensure support for all IaC frameworks in use, such as Terraform, AWS CloudFormation, Kubernetes YAML, and Azure Resource Manager.
- Accuracy and Richness of Detection Rules: Evaluation assessed how accurately and diversely security issues were detected based on CIS Benchmarks, OWASP Top 10, and specific cloud vendor security standards (e.g., AWS Security Best Practices).
- Ease of CI/CD Pipeline Integration: The ease with which the tools could be integrated with the CI/CD tools in use, such as GitHub Actions, Jenkins, and GitLab CI, was considered paramount.
- Open Source Status and Community Support: For open-source tools, active community support and continuous updates were important considerations.
- Readability and Utility of Results Reports: It was verified how easily understandable the scan results were for both developers and the security team, and if they were provided in a format that could be effectively utilized for improvement activities.
- Flexibility in Policy Definition and Custom Rule Addition: The ease with which custom policies could be added and managed to reflect the organization's specific security requirements or compliance items was crucial.
Following an in-depth Proof of Concept (PoC), Checkov, which offers extensive support for various IaC frameworks and rich policy rules, and Trivy, which excels not only in container image scanning but also in detecting IaC misconfigurations, were selected as key candidates. Given the team's multi-cloud environment utilizing both AWS and Azure simultaneously, flexibility to cover IaC for both cloud environments was paramount. Furthermore, Conftest, which allows leveraging OPA (Open Policy Agent)'s Rego language to define and automatically verify organization-specific security policies, was also reviewed. This led to the decision to adopt a hybrid approach, combining general-purpose tools with tools specialized for specific functionalities.
Through this decision-making process, the team is progressing towards implementing a Shift-Left security strategy that embeds security from the development phase, by adopting flexible IaC security scan solutions capable of covering diverse cloud environments without compromising development speed.
IaC Security Scan Tool Integration Implementation Process
The process of integrating the selected IaC security scan tools into the actual development and deployment pipeline proceeded in multiple stages. The core objective was to build a system that automatically verifies the security of IaC code without disrupting the development team's workflow.
1. IaC Security Scan Integration Architecture Design
An architecture was designed to explicitly add an IaC security scan stage within the CI/CD pipeline. This approach ensures that scanning is automatically triggered when a developer commits code to a Git repository or creates a Pull Request. Specifically, the system was configured to perform scans immediately after the terraform plan command is executed, or after IaC files (e.g., Terraform, CloudFormation, Kubernetes YAML) are created or modified. Scan results are provided to developers as immediate feedback to facilitate rapid vulnerability remediation. For the security team, results are integrated with Seekurity SIEM to enable centralized monitoring and analysis of security events. Furthermore, the goal was to leverage the IaC scan capabilities of FRIIM CNAPP to maintain a unified security perspective from the IaC phase through to post-deployment cloud assets.
2. Implementing Terraform Code Scans using Checkov
Checkov was actively utilized for analyzing security vulnerabilities in Terraform code. Checkov offers thousands of built-in policies for various cloud resources and has the advantage of supporting major IaC frameworks such as Terraform, CloudFormation, and Kubernetes. The following is an example of applying a Checkov scan to Terraform code using GitHub Actions.
name: IaC Security Scan with Checkov
on: [push, pull_request]
jobs:
checkov_scan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Checkov
run: pip install checkov
- name: Run Checkov Scan
run: |
checkov -d . --output cli --output json --output-file-path checkov_results.json
continue-on-error: true
- name: Upload Checkov results
uses: actions/upload-artifact@v3
with:
name: checkov-results
path: checkov_results.json
This GitHub Actions workflow executes Checkov whenever code is pushed or a Pull Request is created, scanning all IaC files in the current directory. The scan results are output to the CLI and also saved as a JSON file, which can be utilized for future analysis or integration with other systems. If exception handling is required for specific policy violations, certain policy IDs can be excluded using Checkov options such as --skip-check CKV_AWS_1.
3. Scanning Kubernetes YAML and Configuration Files using Trivy
Trivy is well-known as a container image vulnerability scanner, but it also provides very powerful capabilities for detecting misconfigurations in IaC files. It supports various IaC-related file formats, including Kubernetes Manifests, Dockerfiles, and Terraform files, enabling effective detection of security issues arising from configuration errors. The following is an example of scanning Kubernetes YAML files with Trivy.
sudo apt-get update && sudo apt-get install -y wget apt-transport-https gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb stable main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
trivy config deployment.yaml
trivy config main.tf
After execution, Trivy categorizes and displays detected configuration errors by Severity (CRITICAL, HIGH, MEDIUM, etc.), assisting developers in prioritizing problem resolution. Integrating these capabilities into the CI/CD pipeline enables the proactive elimination of potential security risks before deployment to Kubernetes clusters.
4. Applying Custom Security Policies with OPA Conftest
OPA Conftest was introduced to validate organization-specific security requirements and compliance items beyond standardized policies. OPA Conftest facilitates the definition and verification of policies for configuration files such as YAML and JSON using Rego, OPA's policy language. For instance, a policy can be defined in Rego to enforce that public access is not permitted for any AWS S3 bucket.
package main
denied[msg] {
input.resource_type == "aws_s3_bucket"
input.attributes.acl == "public-read"
msg := "S3 bucket must not have public-read ACL set."
}
denied[msg] {
input.resource_type == "aws_s3_bucket"
input.attributes.block_public_acls == false
msg := "S3 bucket must block public ACLs."
}
The Rego policy above detects if an S3 bucket has a public-read ACL set or if Public ACL blocking (block_public_acls) is disabled, returning a denied message in such cases. When this policy is used with Conftest to validate IaC files, the process is as follows:
conftest test my-s3-bucket.tf --policy ./policy.rego
By integrating custom policies into the IaC pipeline in this manner, organization-specific security requirements, extending beyond standardized security guidelines, can be automatically verified and enforced. This plays a highly significant role in terms of regulatory compliance.
Achievements and Results: Quantitative and Qualitative Effects of IaC Security Scans
As a result of adopting and integrating IaC security scan tools into the CI/CD pipeline, the team achieved significant accomplishments in several aspects. Notably, the efficiency of the security vulnerability discovery and remediation process was substantially improved, and a noticeable strengthening of the overall cloud security posture was observed.
Quantitative Achievements
- 70% Increase in Proactive Security Vulnerability Detection: The rate of critical security vulnerabilities and configuration errors discovered through Checkov, Trivy, and Conftest prior to IaC code deployment increased by approximately 70% compared to previous methods. This signifies that the majority of security issues can now be resolved before actual deployment to production environments.
- 50% Reduction in Critical Security Events Post-Deployment: Following the adoption of IaC scanning, critical security events (e.g., incorrect security group configurations, public S3 buckets) detected by FRIIM CSPM after infrastructure deployment to the cloud environment decreased by approximately 50%. This metric indicates the successful application of the Shift-Left security strategy.
- 30% Reduction in Security Review Time: The time spent by the security team on manually reviewing IaC code was reduced by approximately 30% through automated scanning. This allowed the security team to focus on more strategic and advanced security tasks.
Qualitative Achievements
- Enhanced Security Awareness within Development Teams: IaC scan tools integrated into the CI/CD pipeline provided immediate feedback to developers, significantly contributing to the formation of a culture where developers proactively identify and resolve security vulnerabilities. This naturally led to the establishment of a Shift-Left security culture.
- Increased Regulatory Compliance and Internal Standard Adherence: Through custom policies (OPA Rego), regulatory requirements such as ISMS-P and ISO 27001, along with internal organizational security standards, could be enforced from the IaC stage, leading to improved overall compliance satisfaction.
- Increased Operational Efficiency for Security Teams: With the automation of repetitive and manual IaC code review tasks, the security team could concentrate its efforts on core responsibilities such as threat intelligence analysis, security architecture design, and advanced threat detection and response leveraging Seekurity SIEM/SOAR.
Before and After Comparison
The changes before and after the adoption of IaC security scan tools can be summarized in the following table:
| Category | Before IaC Security Scan Adoption | After IaC Security Scan Adoption |
|---|
| Vulnerability Detection Point | Primarily after cloud deployment (CSPM) | IaC code authoring and CI/CD phase (Shift-Left) |
| Security Review Method | Primarily manual review by security team | Primarily automated tool scanning, complemented by security team review |
| Cost of Vulnerability Remediation | Remediation after deployment → high cost, high complexity | Remediation during development phase → low cost, low complexity |
| Impact on Development Speed | Potential delays due to manual review | Minimized delays through in-pipeline automation |
| Regulatory Compliance Management | Primarily post-facto review and manual actions | Proactive policy enforcement and automated verification |
| Development Team Security Awareness | Low, security perceived as 'security team's job' | High, spread of 'security for everyone' culture |
These changes served as a significant turning point in shifting the paradigm of cloud infrastructure security management, greatly contributing to the establishment of a more robust and efficient security framework.
Lessons Learned and Reflection: The Gap Between Expectation and Reality
Several lessons were learned during the process of adopting IaC security scan tools. Initially, resistance from the development team to a new security verification stage was anticipated. However, with clear explanations of adoption objectives, coupled with rapid feedback of scan results to developers and provision of remediation guides, the perception spread that the tools contributed to enhancing code quality rather than disrupting development workflows. This resulted in the positive collateral effect of fostering improved collaboration between the development and security teams.
If this project were to be undertaken again, a greater focus would be placed on the advanced definition and version control of policies. Policy code, such as Rego, requires version control just like general code, and a system for pre-analyzing the impact of policy changes is necessary. Furthermore, beyond simply viewing scan results in text or JSON format, efforts would be directed towards building visualized dashboards to grasp the security status at a glance, and integrating these more closely with Seekurity SIEM/SOAR to strengthen automated threat detection and response processes. Notably, leveraging KYRA AI Sandbox to analyze potential threat patterns in IaC code and using this as a basis to generate new security policies or refine existing ones would also be worth exploring. AI-based analysis is expected to significantly assist in identifying complex threat patterns that might be overlooked by humans.
An unexpected collateral benefit was the overall improvement in infrastructure code quality. In the process of improving code structure and modularizing to adhere to security policies, development teams began writing more robust and reusable IaC code. This ultimately led to increased infrastructure stability and manageability. The adoption of IaC security scanning can be regarded as a significant turning point that positively impacted not only security reinforcement but also the broader DevOps culture and cloud operations.
IaC Security Scan Application Guide for Cloud Environments
Based on our experience, practical application tips and a phased roadmap are presented for organizations seeking to adopt IaC security scan tools in similar cloud environments.
- Start Small and Expand Gradually: Rather than applying IaC scans to all IaC code at once, it is more effective to introduce them starting with high-priority services or newly developed projects. Initially, it is recommended to operate in warning mode to minimize impact on the development workflow, gradually transitioning to build failure mode upon policy violations.
- Continuous Update and Sharing of Security Policies: As cloud environments and threats constantly evolve, security policies must be continuously updated accordingly. Updated policies should be transparently shared with development teams to ensure everyone understands and applies the same security standards.
- Integration with Existing Cloud Security Systems: It is crucial to integrate IaC scan results with existing cloud security management systems, such as FRIIM CNAPP/CSPM, to maintain a unified cloud security posture. Vulnerability information detected at the IaC stage must be linked to the security status of actually deployed cloud assets to ensure comprehensive visibility. Furthermore, integrating with threat detection and response systems like Seekurity SIEM/SOAR is effective for establishing a rapid response framework for security events.
Essential Prerequisites
- Utilization of IaC Code Version Control System: All IaC code must be stored and version-controlled in a version control system such as Git.
- Establishment of CI/CD Pipeline: A functional CI/CD pipeline is essential for automated IaC scanning.
- Collaboration Commitment from Security and Development Teams: IaC security cannot succeed without close collaboration between the development and security teams. Establishing effective communication channels between both teams from the outset is crucial.
Phased Adoption Roadmap
- Phase 1 (Foundation Laying): Introduce basic scan tools (Checkov, Trivy) for core IaC frameworks (e.g., Terraform) and pilot their application on small-scale projects.
- Phase 2 (CI/CD Integration): Integrate IaC scan tools into the CI/CD pipeline and build an automated workflow to provide scan results feedback to developers. Operate in warning mode initially.
- Phase 3 (Policy Expansion and Visibility Acquisition): Extend organization-specific custom security policies using OPA Conftest, and establish dashboards to visualize scan results and policy violation statuses. Integrate with Seekurity SIEM/SOAR to lay the foundation for centralized monitoring and automated response.
- Phase 4 (Integrated Security and Optimization): Complete an integrated cloud security posture management system covering from the IaC stage to runtime cloud assets through integration with FRIIM CNAPP. Continuously enhance the level of security automation through ongoing policy optimization and tool advancement.
IaC security scanning is an essential strategy for strengthening security and effectively achieving regulatory compliance in cloud environments. Through this approach, organizations can progress towards building a more secure and efficient cloud operating environment.