Chapter 3. Securing Your Infrastructure

As we saw in Chapter 2, cloud infrastructure can be spun up and down considerably faster than traditional datacenter infrastructure. Cloud providers use declarative languages to help end users configure the infrastructure they spin up. For example, AWS uses CloudFormation templates.

In this book, for the sake of simplicity, we’ll be using CloudFormation code. However, you should know that there are other IaC tools—such as the AWS Cloud Development Kit (CDK) and HashiCorp’s Terraform—that use different authoring and deployment formats but achieve the same goal of creating infrastructure through code.

What Makes Infrastructure Secure?

What does it mean to “secure” your infrastructure? IaC is code, and just like you secure your application’s code, you need to plan to secure your IaC. The top three priorities involved in securing IaC are, in order of importance:

  1. Preventing unwanted access to your code

  2. Detecting misconfigurations in the infrastructure to be deployed

  3. Preventing misconfigured code from being deployed

In this chapter, we’ll explore all three priorities in detail.
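As an added example that is not from the book, the following Python script illustrates priorities 2 and 3 together: it scans a constructed CloudFormation JSON template for two common misconfigurations (an administrative port open to the internet, and an S3 bucket without a complete public access block) and acts as a deployment gate that refuses to proceed while any finding remains. The resource names, the sample template and the two checks are assumptions chosen for illustration.

```python
"""Minimal CloudFormation (JSON) misconfiguration scanner used as a deployment gate.
Constructed example: not taken from the book or from any real project."""
import json

# Constructed sample template: one open admin group, one web group, one bucket.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "admin", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "web", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
})

ADMIN_PORTS = {22, 3389}  # SSH and RDP should never be reachable from anywhere
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def scan_template(text):
    """Return a list of (logical_id, finding) tuples for the misconfigurations we know."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                if not world:
                    continue
                # IpProtocol "-1" means all protocols and ports; otherwise check the port range
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append((name, "administrative port open to the internet"))
        elif res.get("Type") == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append((name, "public access block not fully enabled"))
    return findings


def deploy_allowed(text):
    """Gate (priority 3): deployment proceeds only when the scan (priority 2) is clean."""
    return not scan_template(text)


if __name__ == "__main__":
    for logical_id, msg in scan_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {msg}")
    print("deploy allowed:", deploy_allowed(SAMPLE_TEMPLATE))
```

Run as a pre-deployment step, a non-empty findings list is what stops the pipeline; the same checks can run in a pre-commit hook so the misconfiguration never reaches the repository.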


We are assuming that you have an intermediate understanding of how to use Git-based version control and will not be covering Git troubleshooting or branching strategy. For more on those topics, we recommend reading Head First Git by Raju Gandhi (O’Reilly) or the Git documentation.

We also delve into topics like identity and access management (IAM). We recommend reading the ...
