Home/Glossary/Infrastructure as Code (IaC)

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

DevSecOpsAlso called: "iac", "infrastructure automation", "declarative infrastructure"

Infrastructure as Code treats infrastructure configuration like software code—versioned, tested, and deployed through automated pipelines.

Popular IaC tools

  • Terraform: Cloud-agnostic, declarative, state-based.
  • AWS CloudFormation: AWS-native, JSON/YAML templates.
  • Azure Bicep/ARM: Azure-native infrastructure templates.
  • Pulumi: General-purpose languages (Python, TypeScript, Go).
  • Ansible: Procedural, agentless configuration management.

Security benefits

  • Version control: Track all infrastructure changes in Git.
  • Peer review: Pull requests catch misconfigurations before deployment.
  • Consistency: Eliminate configuration drift between environments.
  • Auditability: Complete history of who changed what and when.
  • Rapid recovery: Recreate infrastructure from code after incidents.

Security risks to manage

  • Secrets in code: Never commit credentials; use secret managers.
  • State file exposure: Terraform state contains sensitive data.
  • Overly permissive defaults: Review resource configurations carefully.
  • Drift detection: Monitor for out-of-band changes.

Best practices

  1. Store state remotely with encryption (S3, Azure Blob, GCS).
  2. Use policy-as-code tools (OPA, Sentinel) for guardrails.
  3. Scan IaC files with tools like Checkov, tfsec, or Terrascan.
  4. Implement least-privilege for IaC pipeline service accounts.
  5. Use modules for consistent, reusable configurations.

Related Tools

Related Articles

View all articles
Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compare leading compliance automation platforms including Vanta, Drata, Secureframe, Sprinto, and Thoropass. Evaluate features, pricing, integrations, and framework support to choose the right GRC tool for your organization's SOC 2, ISO 27001, and HIPAA compliance needs.

Read article →
Continuous Compliance Monitoring Guide: Real-Time Security Controls & Evidence Collection

Continuous Compliance Monitoring Guide: Real-Time Security Controls & Evidence Collection

Master continuous compliance monitoring for SOC 2, ISO 27001, and HIPAA. Learn real-time control monitoring, automated evidence collection, alerting strategies, compliance dashboards, and CI/CD integration with practical implementation patterns.

Read article →
30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

Master cloud security with 30 actionable tips covering AWS, Azure, and GCP.

Read article →
The Cloud Shared Responsibility Model Explained: AWS, Azure, and GCP

The Cloud Shared Responsibility Model Explained: AWS, Azure, and GCP

Understand who secures what in AWS, Azure, and GCP. The shared responsibility model defines security boundaries between cloud providers and customers.

Read article →

Explore More DevSecOps

View all terms

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

Read more →

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary