
Skill Guide

Infrastructure-as-code for security: Terraform, AWS CloudFormation, Pulumi for policy deployment

Infrastructure-as-code for security is the practice of using declarative or imperative code to define, provision, and enforce security controls (e.g., network policies, IAM roles, encryption settings) as versioned, auditable, and repeatable artifacts.

This skill eliminates configuration drift and human error, ensuring security posture is consistently applied across all environments from a single source of truth. It directly enables secure, rapid, and compliant cloud deployments, reducing risk while accelerating business velocity.
1 Careers | 1 Categories | 9.1 Avg Demand | 15% Avg AI Risk

How to Learn Infrastructure-as-code for security: Terraform, AWS CloudFormation, Pulumi for policy deployment

1. Core IaC Concepts: Understand declarative vs. imperative, state management, and resource dependency.
2. Basic Security Constructs: Learn to define IAM policies, security groups, and basic encryption rules in code.
3. Version Control & PR Workflows: Practice committing IaC templates to Git and using pull requests for peer review of security changes.
1. Policy-as-Code Integration: Implement tools like Open Policy Agent (OPA) or AWS Config Rules to validate IaC templates against security baselines (e.g., CIS benchmarks) before deployment.
2. Multi-Environment Strategy: Manage separate state files and variable configurations for dev, staging, and prod, ensuring security controls tighten as code moves toward production.
3. Avoid Common Pitfalls: Never hardcode secrets; use a secrets manager. Avoid overly permissive `*` policies; apply least privilege.
1. Cross-Account & Multi-Cloud Governance: Design and deploy centralized security controls (e.g., AWS SCPs, Azure Policies) that enforce standards across an entire organization using IaC.
2. Shift-Left Security in CI/CD: Architect pipelines where IaC security scanning is a mandatory, automated gate.
3. Build Internal Developer Platforms: Create reusable, secure-by-default IaC modules (e.g., a 'secure S3 bucket' module) that abstract complexity for product teams.

Practice Projects

Beginner
Project

Deploy a Secure Static Website on AWS S3 with CloudFront

Scenario

You must host a public static website with TLS encryption, ensuring the S3 bucket is not publicly accessible and access is only via the CloudFront distribution.

How to Execute
1. Write a Terraform file defining an S3 bucket with public access blocked.
2. Define a CloudFront distribution that uses the S3 bucket as an origin, with an origin access identity (OAI).
3. Define an S3 bucket policy that only allows access from the CloudFront OAI.
4. Apply the configuration, then validate that the site loads via HTTPS and that the direct S3 URL returns an error.
Intermediate
Project

Enforce Encryption-At-Rest for All RDS Instances Using AWS CloudFormation Guard

Scenario

Your company mandates that all new RDS database instances must have storage encryption enabled. You need to automate this enforcement for all developers.

How to Execute
1. Write an AWS CloudFormation Guard rule (e.g., `RDS_ENCRYPTION.rule`) that checks for the presence and value of the `StorageEncrypted` property set to `true`.
2. Integrate this rule into a CI/CD pipeline (e.g., GitHub Actions) that runs `cfn-guard validate` on any CloudFormation template PR.
3. Configure the pipeline to block the merge if the rule fails.
4. Deploy a test stack without encryption to verify the guard catches the violation.
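The following is an added example, not code from this guide, from cfn-guard, or from OPA. It shows what the pipeline gate in this project and the "avoid common pitfalls" rules from the learning path (no hardcoded secrets, no `*` policies) look like as policy-as-code: a small rule engine, standard library only, that walks a CloudFormation template parsed as JSON and returns the exit code a CI job would use to block a merge. The secret property names and the two sample templates are constructed for the demonstration.

```python
"""Added example (not code from the page, cfn-guard or OPA): a small policy-as-code
gate for CloudFormation templates, using only the standard library. It encodes
three of the baseline rules discussed above and returns a CI exit code:
  - every AWS::RDS::DBInstance sets StorageEncrypted to true
  - no IAM Allow statement grants "*" or "service:*" actions on Resource "*"
  - password-like properties are dynamic references, never string literals
Templates are handled as JSON so no YAML dependency is needed.
"""
import json
import re

# Property names treated as secrets (an assumption for this example, not an AWS list)
SECRET_PROPS = {"MasterUserPassword", "Password", "SecretString"}
# CloudFormation dynamic references that resolve secrets at deploy time
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def rds_encrypted(logical_id, res):
    """Equivalent of the guard rule: StorageEncrypted must be present and true."""
    if res.get("Type") != "AWS::RDS::DBInstance":
        return []
    if res.get("Properties", {}).get("StorageEncrypted") in (True, "true"):
        return []
    return [f"{logical_id}: AWS::RDS::DBInstance must set StorageEncrypted: true"]


def no_wildcard_iam(logical_id, res):
    """Reject Allow statements that combine a wildcard action with Resource '*'."""
    props = res.get("Properties", {})
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p["PolicyDocument"] for p in props.get("Policies", [])
             if isinstance(p, dict) and "PolicyDocument" in p]
    findings = []
    for doc in docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            wildcard = any(a == "*" or a.endswith(":*") for a in actions)
            if wildcard and "*" in _as_list(stmt.get("Resource", [])):
                findings.append(f"{logical_id}: Allow {actions} on Resource '*' violates least privilege")
    return findings


def no_hardcoded_secrets(logical_id, res):
    """A secret-bearing property must be a {{resolve:...}} reference, not a literal."""
    findings = []
    for name, value in res.get("Properties", {}).items():
        if name in SECRET_PROPS and isinstance(value, str) and not DYNAMIC_REF.match(value):
            findings.append(f"{logical_id}: {name} is a literal; use a secrets-manager reference")
    return findings


RULES = (rds_encrypted, no_wildcard_iam, no_hardcoded_secrets)


def validate_template(template):
    """Run every rule over every resource; return human-readable findings."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for rule in RULES:
            findings.extend(rule(logical_id, res))
    return findings


def gate(template_json):
    """CI entry point: 0 lets the PR merge, 1 blocks it (like `cfn-guard validate`)."""
    findings = validate_template(json.loads(template_json))
    for line in findings:
        print("FAIL", line)
    return 1 if findings else 0


# Constructed templates for the demonstration (trimmed, not deployable as-is).
BAD_TEMPLATE = json.dumps({"Resources": {
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"Engine": "postgres", "MasterUserPassword": "hunter2"}},
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
}})
GOOD_TEMPLATE = json.dumps({"Resources": {
    "AppDb": {"Type": "AWS::RDS::DBInstance",
              "Properties": {"Engine": "postgres", "StorageEncrypted": True,
                             "MasterUserPassword": "{{resolve:secretsmanager:app/db:SecretString:password}}"}},
    "ReaderRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "read", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"}]}}]}},
}})

if __name__ == "__main__":
    raise SystemExit(gate(BAD_TEMPLATE))
```

Running the script against `BAD_TEMPLATE` prints three findings (unencrypted RDS storage, a literal master password, and an `Allow * on *` role) and exits 1, which is the behaviour step 3 asks the pipeline to enforce; `GOOD_TEMPLATE` passes cleanly. Each rule is a plain function, so adding a new baseline check is a matter of appending to `RULES`, and the same structure maps one-to-one onto a real guard or Rego rule once the team standardises on a tool.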
Advanced
Project

Implement a Multi-Account Landing Zone with Centralized Security Logging

Scenario

You are the cloud architect for a company spinning up a new AWS organization with multiple accounts (dev, prod, security). All API activity must be logged centrally, and no member account can disable logging.

How to Execute
1. Use Pulumi (TypeScript/Python) to define the AWS Organization and organizational units (OUs).
2. Write a Pulumi component that creates a CloudTrail trail in the security account, configured to log from all accounts in the organization.
3. Define an AWS Service Control Policy (SCP) in code that explicitly denies the `cloudtrail:StopLogging` and `cloudtrail:DeleteTrail` actions for all accounts except the security root.
4. Deploy the entire stack, ensuring the SCP is attached to the root OU, and validate that an admin in a member account cannot stop logging.
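As an added example (not the guide's, Pulumi's, or AWS's code), here is the SCP from step 3 expressed as a Python document together with a minimal offline evaluator that performs the step 4 validation before anything is deployed. The dict is the document you would hand to Pulumi's `aws.organizations.Policy` resource; the evaluator models only the subset of SCP semantics the policy uses (explicit Deny, wildcard action matching, and `StringEquals`/`StringNotEquals` on `aws:PrincipalAccount`). All account ids are placeholders.

```python
"""Added example (not the page's, Pulumi's or AWS's code): the CloudTrail-protection
SCP as a Python dict, plus a minimal offline evaluator to validate it before
deployment. The evaluator implements only the SCP subset used here: explicit Deny,
wildcard action matching, StringEquals/StringNotEquals on aws:PrincipalAccount.
All account ids are placeholders.
"""
import fnmatch

SECURITY_ACCOUNT = "111111111111"                    # placeholder: central security/logging account
MEMBER_ACCOUNTS = ("222222222222", "333333333333")   # placeholder: dev and prod


def cloudtrail_guard_scp(security_account):
    """Deny stopping or deleting trails from every account except the security one."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": security_account}},
        }],
    }


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively with * and ? wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_matches(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def scp_allows(policy, action, principal_account):
    """True if no Deny statement applies. SCPs only restrict: an IAM grant is still needed."""
    context = {"aws:PrincipalAccount": principal_account}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return False
    return True


def verify_landing_zone(policy, security_account, member_accounts):
    """Step 4 as code: members cannot tamper, security can, read-only calls are untouched."""
    results = {}
    for account in member_accounts:
        results[account] = {
            "StopLogging": scp_allows(policy, "cloudtrail:StopLogging", account),
            "DeleteTrail": scp_allows(policy, "cloudtrail:DeleteTrail", account),
            "DescribeTrails": scp_allows(policy, "cloudtrail:DescribeTrails", account),
        }
    results[security_account] = {
        "StopLogging": scp_allows(policy, "cloudtrail:StopLogging", security_account)
    }
    return results


if __name__ == "__main__":
    scp = cloudtrail_guard_scp(SECURITY_ACCOUNT)
    for account, outcome in verify_landing_zone(scp, SECURITY_ACCOUNT, MEMBER_ACCOUNTS).items():
        print(account, outcome)
```

Two properties of SCPs matter for the deployment in step 4: they restrict only accounts under the root or OU they are attached to, which is why the policy must be attached to the root, and they never apply to the organization's management account, so that account needs its own guardrails. The `StringNotEquals` condition on `aws:PrincipalAccount` is what carves out the security account while the Deny covers everyone else.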

Tools & Frameworks

Software & Platforms

Terraform, AWS CloudFormation, Pulumi, AWS CloudFormation Guard, Open Policy Agent (OPA)

Terraform (HCL) and CloudFormation (JSON/YAML) are the dominant declarative IaC tools. Pulumi (imperative, using general-purpose languages like Python/TS) is used for complex logic. CloudFormation Guard and OPA are policy-as-code tools for defining and enforcing security rules against IaC templates.

Mental Models & Methodologies

Shift-Left Security, Policy-as-Code, Immutable Infrastructure, GitOps

Shift-Left means integrating security checks early in the development cycle (e.g., in the PR). Policy-as-Code is the paradigm of writing security rules as executable code. Immutable Infrastructure means replacing servers/containers rather than patching them, which IaC enables. GitOps uses Git as the single source of truth for declarative infrastructure, triggering automated deployments.

Interview Questions

Answer Strategy

Demonstrate understanding of both technical specifics and security governance. The key is to distinguish between 'enabled by default' and 'explicitly required by policy'. A good answer focuses on auditability and preventing future drift. Sample: 'While SSE-S3 is indeed enabled by default for new buckets, our policy requires explicit declaration of encryption configuration in code. This ensures the intent is visible in the version control history, prevents any accidental misconfiguration during a future update, and simplifies compliance audits. I would work with the developer to add the explicit `server_side_encryption_configuration` block to their template.'

Answer Strategy

This tests operational experience with scaling IaC security. The interviewer wants to hear about strategy, not just tooling. Focus on phased rollout, testing, and communication. Sample: 'When we mandated TLS 1.2+ for all load balancers, I first defined the control as a CloudFormation Guard rule and an AWS Config rule for detection. We then created a phased rollout plan: I updated the shared, central IaC module for load balancers to enforce the policy, and used a CI/CD pipeline to automatically deploy the change to all non-production stacks first. We communicated via PRs and a runbook for teams with custom stacks. For legacy stacks, I wrote a remediation script using Pulumi to update them in-place. The key was using IaC as both the enforcement mechanism and the communication channel.'
