The principle of least privileges is a good place to start: restrict user account access to only what is essential for the desired function. Avoid using default configurations, and ensure the encryption of data storage, the security of network configurations and segmentations, and the proper encryption and management of secrets. Data should always be encrypted—not only at rest but also in transit. If secrets are exposed, it may allow unwanted access to sensitive data. Similarly, properly segmented networks can help ensure that resources and related dependencies are securely configured, thus helping to contain any potential damage from unwanted actors getting access to the network and databases.
One major advantage of IaC is that it helps prevent infrastructure security issues from going into deployment. It enables organizations to enforce security in IaC configurations alongside other automated application security testing in developers’ IDE and the CI/CD pipeline.
Like testing software code for security flaws using SAST, SCA, etc., there are specific tools designed to test IaC configurations for potential security flaws. Organizations can also set specific policies to be enforced in IaC deployments, and block any changes that don’t follow those policies.