IaC Security at Scale
IaC Security at Scale
Policy-as-Code Framework
package terraform
# Deny an aws_s3_bucket whose configuration leaves `acl` unset.
# This only requires the attribute to be present; a permissive value such as
# "public-read" still passes this rule and would need a separate check.
deny[msg] {
    msg := "S3 buckets must have ACL explicitly set"
    res := input
    res.resource_type == "aws_s3_bucket"
    not res.config.acl
}
# Deny a kubernetes_deployment when any container in its pod template sets
# `privileged: true`.
# NOTE(review): the path uses Kubernetes-manifest naming (camelCase
# `securityContext`, plain object access). If `input.config` instead carries the
# Terraform kubernetes provider's attributes (snake_case `security_context`,
# nested blocks as lists), this path never matches and privileged containers
# pass silently — confirm against the framework's actual input shape.
deny[msg] {
    msg := "Privileged containers are forbidden"
    input.resource_type == "kubernetes_deployment"
    some i
    container := input.config.spec.template.spec.containers[i]
    container.securityContext.privileged == true
}
Secrets Management
# Wires Vault into this configuration. Judging by the `dynamic_secrets` input,
# the module appears to request short-lived database credentials (1h TTL) rather
# than embedding static secrets; the module's own contract is not shown here.
# Every value below is a plain module input, so it can surface in plan output and
# state: declare `vault_token` with `sensitive = true`, and prefer an IAM or
# AppRole auth method over handing a static token to Terraform where possible.
# NOTE(review): the registry source carries no `version` constraint, so a fresh
# init can pick up whatever the newest upstream release is — pin it.
module "vault-integration" {
  source = "hashicorp/vault/aws"

  # Where the Vault provider connects and how it authenticates.
  terraform_provider_config = {
    address = "https://vault.prod:8200"
    token   = var.vault_token
  }

  # Secrets issued on demand; `ttl` bounds how long an issued credential lives.
  dynamic_secrets = {
    database_creds = {
      path = "database/creds/readonly"
      ttl  = "1h"
    }
  }
}
This post is licensed under CC BY 4.0 by the author.