Home/Glossary/Infrastructure as Code (IaC)

Infrastructure as Code (IaC)

Managing and provisioning infrastructure through machine-readable configuration files rather than manual processes.

DevSecOpsAlso called: "iac", "infrastructure automation", "declarative infrastructure"

Infrastructure as Code treats infrastructure configuration like software code—versioned, tested, and deployed through automated pipelines.

Popular IaC tools

  • Terraform: Cloud-agnostic, declarative, state-based.
  • AWS CloudFormation: AWS-native, JSON/YAML templates.
  • Azure Bicep/ARM: Azure-native infrastructure templates.
  • Pulumi: General-purpose languages (Python, TypeScript, Go).
  • Ansible: Procedural, agentless configuration management.

Security benefits

  • Version control: Track all infrastructure changes in Git.
  • Peer review: Pull requests catch misconfigurations before deployment.
  • Consistency: Eliminate configuration drift between environments.
  • Auditability: Complete history of who changed what and when.
  • Rapid recovery: Recreate infrastructure from code after incidents.

Security risks to manage

  • Secrets in code: Never commit credentials; use secret managers.
  • State file exposure: Terraform state contains sensitive data.
  • Overly permissive defaults: Review resource configurations carefully.
  • Drift detection: Monitor for out-of-band changes.

Best practices

  1. Store state remotely with encryption (S3, Azure Blob, GCS).
  2. Use policy-as-code tools (OPA, Sentinel) for guardrails.
  3. Scan IaC files with tools like Checkov, tfsec, or Terrascan.
  4. Implement least-privilege for IaC pipeline service accounts.
  5. Use modules for consistent, reusable configurations.

Related Tools

Related Articles

View all articles
30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

30 Cloud Security Tips for 2026: Essential Best Practices for Every Skill Level

Master cloud security with 30 actionable tips covering AWS, Azure, and GCP.

Read article →
Terraform Security Best Practices: Secure Your Infrastructure as Code

Terraform Security Best Practices: Secure Your Infrastructure as Code

Learn essential Terraform security practices to prevent misconfigurations, protect secrets, and enforce compliance across your cloud infrastructure.

Read article →
Data Breach Response & Notification Workflow | GDPR & HIPAA

Data Breach Response & Notification Workflow | GDPR & HIPAA

Master the complete data breach response workflow from detection to recovery. This comprehensive guide covers GDPR 72-hour notification, HIPAA breach reporting, forensic investigation, regulatory compliance, and customer notification strategies with practical tools and legal frameworks.

Read article →
Cloud Migration & Validation Workflow | Complete Migration

Cloud Migration & Validation Workflow | Complete Migration

Execute flawless cloud migrations using proven 7R strategies, AWS Well-Architected Framework, and comprehensive validation at every stage—from discovery to production optimization.

Read article →

Explore More DevSecOps

View all terms

Container Image

A lightweight, standalone, executable package containing everything needed to run an application: code, runtime, libraries, and settings.

Read more →

Container Registry

A repository for storing, managing, and distributing container images, providing version control and access management.

Read more →

Dynamic Application Security Testing (DAST)

Testing a running application from the outside to discover security vulnerabilities by simulating attacks.

Read more →

Immutable Infrastructure

An infrastructure paradigm where servers are never modified after deployment; changes require replacing instances with new ones built from updated images.

Read more →

Policy as Code

Defining and enforcing security, compliance, and operational policies through code that can be versioned, tested, and automated.

Read more →

Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real-time.

Read more →
Back to glossary