IaC & Misconfiguration
Infrastructure-as-Code security scanning for cloud and container configurations.
IaC & Misconfiguration scanning analyzes your infrastructure definitions and configuration files to detect security weaknesses before deployment. PrismSec scans Terraform, Kubernetes, Dockerfiles, and cloud configurations for overly permissive access, missing encryption, exposed services, and compliance violations.
Misconfigurations are a leading cause of cloud security breaches — PrismSec catches them at code-review time.
What IaC Scanning Detects
PrismSec analyzes infrastructure definitions for security and compliance issues:
Cloud Infrastructure (Terraform, CloudFormation, Pulumi)
| Category | Examples |
|----------|----------|
| Storage | Public S3 buckets, unencrypted RDS databases, world-readable storage containers |
| IAM & Permissions | Overly permissive IAM roles, wildcard (*) permissions, missing MFA requirements |
| Networking | Security groups with 0.0.0.0/0 ingress, missing VPC flow logs, exposed admin ports |
| Encryption | Unencrypted data at rest, missing SSL/TLS, weak encryption algorithms |
| Logging & Monitoring | Missing CloudTrail, disabled logging, no alarm configurations |
Kubernetes Manifests (YAML)
| Category | Examples |
|----------|----------|
| Workload Security | Containers running as root, privileged mode enabled, no resource limits |
| Network Policies | Missing NetworkPolicies, overly permissive ingress rules |
| Secrets Management | Secrets stored in plaintext ConfigMaps, hardcoded credentials |
| Pod Security | Missing security contexts, hostPath volumes, hostNetwork enabled |
Docker
| Category | Examples |
|----------|----------|
| Base Images | Using latest tag, outdated base images with known CVEs |
| Secrets | Hardcoded credentials in ENV, secrets in Dockerfile history |
| Privileges | Running as root user, unnecessary capabilities granted |
| Exposure | Exposed ports without justification, weak TLS configuration |
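The Docker checks in the table can be expressed as a short policy script. The following is an added example, not PrismSec's own scanner: it parses a constructed Dockerfile and flags unpinned base images, credentials in ENV/ARG, a missing USER instruction and exposed administrative ports. The secret-name pattern and the admin-port list are this example's assumptions.

```python
"""Dockerfile checks for the Docker category in the table above.

Added example, not PrismSec's own code: a line-oriented pass over a Dockerfile
that flags unpinned base images, credentials in ENV/ARG, running as root and
exposed admin ports. The sample Dockerfile is constructed for this example."""
import re
from typing import List, Tuple

# Constructed sample that trips every rule below.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=password123
ARG API_TOKEN
COPY . /app
EXPOSE 8080
EXPOSE 22
CMD ["python", "/app/main.py"]
"""

# Variable names that usually carry credentials (heuristic, not a complete list).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
# Remote-administration ports an image should not expose (assumption: our list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

Finding = Tuple[str, int, str]  # (severity, line number or 0 for whole file, message)


def instructions(text: str) -> List[Tuple[int, str, str]]:
    """Split a Dockerfile into (line, INSTRUCTION, arguments), joining `\\` continuations."""
    out, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def key_values(args: str) -> List[Tuple[str, str]]:
    """Parse ENV/ARG arguments in both `KEY=value` and legacy `KEY value` forms."""
    tokens = args.split()
    if tokens and "=" not in tokens[0]:
        return [(tokens[0], " ".join(tokens[1:]))]
    pairs = []
    for tok in tokens:
        key, _, val = tok.partition("=")
        pairs.append((key, val))
    return pairs


def check_dockerfile(text: str) -> List[Finding]:
    """Return findings for one Dockerfile."""
    findings: List[Finding] = []
    runs_as_root = True
    for line, ins, args in instructions(text):
        if ins == "FROM":
            image = args.split()[0]  # drop "AS stage" aliases
            if image.lower() != "scratch" and "@sha256:" not in image:
                name_tag = image.rsplit("/", 1)[-1]  # strip registry/namespace (and registry ports)
                tag = name_tag.partition(":")[2]
                if tag in ("", "latest"):
                    findings.append(("Medium", line, f"base image {image} is not pinned to a version tag"))
        elif ins in ("ENV", "ARG"):
            for key, val in key_values(args):
                if not SECRET_NAME.search(key):
                    continue
                if ins == "ENV" and val and not val.startswith("$"):
                    findings.append(("High", line, f"hardcoded credential in ENV {key}"))
                else:
                    findings.append(("Medium", line, f"{ins} {key} is recorded in image history"))
        elif ins == "USER":
            runs_as_root = args.split(":")[0] in ("root", "0")  # last USER wins
        elif ins == "EXPOSE":
            for port in args.split():
                num = port.split("/")[0]  # "22/tcp" -> "22"
                if num.isdigit() and int(num) in ADMIN_PORTS:
                    findings.append(("High", line, f"{ADMIN_PORTS[int(num)]} port {num} exposed from the image"))
    if runs_as_root:
        findings.append(("High", 0, "no USER instruction; container runs as root"))
    return findings


if __name__ == "__main__":
    for severity, line, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{severity:8} line {line or '-'}: {msg}")
```

Running the script against the constructed sample reports five findings; a Dockerfile with a pinned tag, a non-root USER and only application ports reports none.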
Configuration Files
| Type | Examples |
|------|----------|
| NGINX/Apache | Weak SSL/TLS settings, missing security headers, directory listing enabled |
| CI/CD | Hardcoded secrets in GitHub Actions/GitLab CI, overly permissive permissions |
| Application Config | Debug mode enabled in production, weak CORS policies, missing rate limiting |
Example Findings
Public S3 Bucket (Terraform)
Vulnerable configuration:

```hcl
resource "aws_s3_bucket" "data" {
  bucket = "my-app-data"
  acl    = "public-read"
}
```

PrismSec finding:
🔴 Critical: Public S3 Bucket
File: infrastructure/s3.tf
Line: 3
Description:
This S3 bucket is configured with public read access (`acl = "public-read"`).
Anyone on the internet can list and download files from this bucket, potentially
exposing sensitive data.
Risk:
- Data breach
- Unauthorized access to application data
- Compliance violations (GDPR, HIPAA, PCI-DSS)
Recommendation:
Remove public access and use IAM policies for controlled access:
```hcl
resource "aws_s3_bucket" "data" {
  bucket = "my-app-data"
  acl    = "private"
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
Overly Permissive IAM Role (Terraform)
Vulnerable configuration:

```hcl
resource "aws_iam_role_policy" "lambda_policy" {
  role = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}
```

PrismSec finding:
🔴 Critical: Overly Permissive IAM Policy
File: infrastructure/iam.tf
Line: 6-9
Description:
This IAM policy grants wildcard permissions (`Action = "*"`, `Resource = "*"`),
allowing the Lambda function to perform any action on any AWS resource.
This violates the principle of least privilege.
Risk:
- Privilege escalation
- Accidental or malicious resource modification/deletion
- Compliance violations
Recommendation:
Restrict permissions to only what the Lambda function needs:
```hcl
policy = jsonencode({
  Version = "2012-10-17"
  Statement = [{
    Effect = "Allow"
    Action = [
      "s3:GetObject",
      "s3:PutObject"
    ]
    Resource = "arn:aws:s3:::my-app-bucket/*"
  }]
})
```
Container Running as Root (Kubernetes)
Vulnerable configuration:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: web
      image: nginx:latest
```

PrismSec finding:
🟠 High: Container Running as Root
File: k8s/deployment.yml
Line: 6-8
Description:
This container does not specify a security context, so it runs as root by default.
If the container is compromised, an attacker gains root-level access, making it
easier to escape the container or pivot to other resources.
Risk:
- Container escape
- Lateral movement within the cluster
- Privilege escalation
Recommendation:
Add a security context to run as a non-root user:
```yaml
spec:
  containers:
    - name: web
      image: nginx:latest
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        capabilities:
          drop:
            - ALL
```
Unencrypted RDS Database (Terraform)
Vulnerable configuration:

```hcl
resource "aws_db_instance" "main" {
  identifier     = "myapp-db"
  engine         = "postgres"
  instance_class = "db.t3.micro"
  username       = "admin"
  password       = "password123"
}
```

PrismSec finding:
🔴 Critical: Unencrypted RDS Database
File: infrastructure/rds.tf
Line: 1-7
Description:
This RDS instance does not set `storage_encrypted = true`, so encryption at rest is disabled.
Database backups, snapshots, and data on disk are stored in plaintext.
Additionally, a hardcoded password is used (see separate finding).
Risk:
- Data breach if storage is accessed
- Compliance violations (GDPR, HIPAA, PCI-DSS)
Recommendation:
Enable encryption at rest:
```hcl
resource "aws_db_instance" "main" {
  identifier        = "myapp-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  username          = "admin"
  password          = var.db_password
  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds.arn
}
```
Exposed Admin Port (Terraform)
Vulnerable configuration:

```hcl
resource "aws_security_group" "web" {
  name = "web-sg"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

PrismSec finding:
🟠 High: SSH Port Exposed to Internet
File: infrastructure/security_groups.tf
Line: 5-10
Description:
This security group allows SSH access (port 22) from anywhere on the internet
(`0.0.0.0/0`). This is a common attack vector for brute-force attacks and exploits.
Risk:
- Brute-force SSH login attempts
- Exploitation of SSH vulnerabilities
- Unauthorized server access
Recommendation:
Restrict SSH access to known IP ranges or use a bastion host:
```hcl
ingress {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["203.0.113.0/24"] # Replace with your office IP
}
```
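The five findings above follow one pattern: locate a resource block, read a few attributes, compare them against a rule. The following is an added example, not PrismSec's engine, that implements those rules in Python over a constructed Terraform file assembled from the vulnerable snippets on this page. The severities, the inclusion of `aws_iam_policy` alongside `aws_iam_role_policy`, and the admin-port list are this example's assumptions.

```python
"""Policy-as-code checks for the five Terraform findings shown above.

Added example, not PrismSec's engine: a brace-matching pass extracts resource
blocks from HCL text and one rule per finding inspects each block body. The
sample is constructed from this page's vulnerable snippets; the severities and
the admin-port list are this example's assumptions."""
import re
from typing import Iterator, List, Optional, Tuple

SAMPLE_TF = '''\
resource "aws_s3_bucket" "data" {
  bucket = "my-app-data"
  acl    = "public-read"
}
resource "aws_iam_role_policy" "lambda_policy" {
  role   = aws_iam_role.lambda.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}
resource "aws_db_instance" "main" {
  engine   = "postgres"
  username = "admin"
  password = "password123"
}
resource "aws_security_group" "web" {
  name = "web-sg"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

RESOURCE = re.compile(r'^[ \t]*resource[ \t]+"([^"]+)"[ \t]+"([^"]+)"[ \t]*\{', re.M)
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports treated as administrative


def _close(text: str, start: int) -> int:
    """Index of the `}` closing the block whose body begins at `start` (braces in strings assumed balanced)."""
    depth, i = 1, start
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return i - 1


def resources(text: str) -> Iterator[Tuple[str, str, int, str]]:
    """Yield (type, name, header line, body) for each top-level resource block."""
    for m in RESOURCE.finditer(text):
        yield m.group(1), m.group(2), text.count("\n", 0, m.start()) + 1, text[m.end():_close(text, m.end())]


def nested(body: str, name: str) -> Iterator[Tuple[int, str]]:
    """Yield (line offset within body, inner text) for each `name { ... }` sub-block."""
    for m in re.finditer(rf"^[ \t]*{name}[ \t]*\{{", body, re.M):
        yield body.count("\n", 0, m.start()), body[m.end():_close(body, m.end())]


def attr(body: str, key: str) -> Tuple[Optional[str], int]:
    """Raw right-hand side of `key = value` (quotes kept, so "x" and var.x stay distinct) and its line offset."""
    m = re.search(rf'^[ \t]*{key}[ \t]*=[ \t]*("[^"]*"|\[[^\]]*\]|[^\s#]+)', body, re.M)
    return (m.group(1), body.count("\n", 0, m.start())) if m else (None, 0)


def port_open(lo: Optional[str], hi: Optional[str], port: int) -> bool:
    """True when from_port..to_port covers `port`; 0-0 means all ports."""
    try:
        lo_i, hi_i = int(lo), int(hi)
    except (TypeError, ValueError):
        return False  # variables or expressions cannot be decided statically
    return (lo_i, hi_i) == (0, 0) or lo_i <= port <= hi_i


def check_terraform(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, line, message) findings for one Terraform file."""
    findings: List[Tuple[str, int, str]] = []
    for rtype, rname, line, body in resources(text):
        if rtype == "aws_s3_bucket":
            acl, off = attr(body, "acl")
            if acl in ('"public-read"', '"public-read-write"'):
                findings.append(("Critical", line + off, f"public S3 bucket {rname}: acl = {acl}"))
        elif rtype in ("aws_iam_role_policy", "aws_iam_policy"):
            action, off = attr(body, "Action")
            resource, _ = attr(body, "Resource")
            if action == '"*"' and resource == '"*"':
                findings.append(("Critical", line + off, f"IAM policy {rname} allows Action * on Resource *"))
        elif rtype == "aws_db_instance":
            encrypted, _ = attr(body, "storage_encrypted")
            if encrypted != "true":
                findings.append(("Critical", line, f"RDS instance {rname} lacks storage_encrypted = true"))
            password, off = attr(body, "password")
            if password is not None and password.startswith('"'):
                findings.append(("High", line + off, f"RDS instance {rname} has a hardcoded password"))
        elif rtype == "aws_security_group":
            for ing_off, ingress in nested(body, "ingress"):
                cidrs, off = attr(ingress, "cidr_blocks")
                if not cidrs or "0.0.0.0/0" not in cidrs:
                    continue
                lo, hi = attr(ingress, "from_port")[0], attr(ingress, "to_port")[0]
                for port, service in ADMIN_PORTS.items():
                    if port_open(lo, hi, port):
                        findings.append(("High", line + ing_off + off, f"{service} port {port} open to 0.0.0.0/0 in {rname}"))
    return findings
```

Keeping the raw right-hand side (quotes included) is what lets the RDS rule tell a literal `"password123"` apart from `var.db_password`; the same trick lets the security-group rule give up honestly when ports come from variables instead of guessing.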
Auto-Fix Support
Many IaC misconfigurations can be fixed automatically:
Example auto-fixes:
- Public S3 bucket → Add private ACL and public access block
- Missing encryption → Enable encryption settings
- Container running as root → Add security context with non-root user
- Overly permissive security group → Replace `0.0.0.0/0` with specific CIDR ranges (requires user input)
Auto-fix PRs for IaC include explanations of the security rationale, making it easy for infrastructure teams to review and approve.
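The following is an added example of the "container running as root" auto-fix, not PrismSec's auto-fix engine. Manifests are handled as dicts in their JSON form, which Kubernetes also accepts, so no YAML library is needed; the constructed samples are the Pod from the finding above plus a Deployment with one already hardened and one privileged container. Containers that set `privileged: true` are reported for manual review rather than changed, in the spirit of the fixes above that require user input.

```python
"""Auto-fix for the "Container Running as Root" finding above.

Added example, not PrismSec's auto-fix engine. Manifests are handled as dicts in
their JSON form (which Kubernetes also accepts) so no YAML library is needed.
Containers without a non-root security context get one, settings the author
already wrote are kept, and `privileged: true` is reported for manual review
rather than removed. Both sample manifests are constructed for this example."""
import copy
import json
from typing import Any, Dict, List, Tuple

# The Pod from the finding above, as a JSON-style dict.
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {"containers": [{"name": "web", "image": "nginx:latest"}]},
}

# A Deployment with one already hardened and one privileged container.
SAMPLE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example/api:1.4.2",
         "securityContext": {"runAsNonRoot": True, "runAsUser": 10001}},
        {"name": "agent", "image": "example/agent:2.0",
         "securityContext": {"privileged": True}},
    ]}}},
}

DEFAULT_UID = 1000  # UID used when the author set none, as in the recommendation above


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec lives at .spec for Pods and at .spec.template.spec for workload controllers."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def harden(manifest: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return a hardened copy of `manifest` plus change notes for the auto-fix PR description."""
    fixed = copy.deepcopy(manifest)  # never mutate the caller's object
    notes: List[str] = []
    for container in pod_spec(fixed).get("containers", []):
        name = container.get("name", "<unnamed>")
        ctx = container.setdefault("securityContext", {})
        if ctx.get("privileged"):
            notes.append(f"{name}: privileged: true left unchanged; needs manual review")
            continue
        if not ctx.get("runAsNonRoot"):
            ctx["runAsNonRoot"] = True
            ctx.setdefault("runAsUser", DEFAULT_UID)  # keep an author-chosen UID
            notes.append(f"{name}: set runAsNonRoot: true, runAsUser: {ctx['runAsUser']}")
        caps = ctx.setdefault("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            caps["drop"] = ["ALL"]  # anything listed under `add` is still granted after the drop
            notes.append(f"{name}: drop all capabilities")
    return fixed, notes


if __name__ == "__main__":
    for manifest in (SAMPLE_POD, SAMPLE_DEPLOYMENT):
        fixed, notes = harden(manifest)
        print(json.dumps(fixed, indent=2))
        print("\n".join(f"- {note}" for note in notes))
```

The change notes are what an auto-fix PR description would carry: one line per container stating exactly what was set and what was deliberately left alone. Running `harden` a second time over its own output produces no notes, so the fix is safe to re-apply in CI.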
Compliance Baselines
PrismSec maps findings to compliance frameworks:
| Framework | Coverage |
|-----------|----------|
| CIS Benchmarks | AWS, Azure, GCP, Kubernetes |
| NIST 800-53 | Access control, encryption, logging |
| PCI-DSS | Data encryption, network segmentation, logging |
| HIPAA | Encryption, access control, audit trails |
| SOC 2 | Logging, monitoring, access control |
Findings include references to specific compliance controls (e.g., "CIS AWS 2.1.1 — Ensure S3 bucket encryption is enabled").
Best Practices
Encrypt Everything
- Data at rest — Enable encryption for databases, storage, and backups
- Data in transit — Use TLS/SSL for all network communication
- Key management — Use cloud-native key management services (KMS)
Principle of Least Privilege
- IAM policies — Grant only the permissions required for each role
- Network policies — Restrict ingress/egress to necessary ports and IPs
- Container security — Run as non-root, drop unnecessary capabilities
Enable Logging and Monitoring
- CloudTrail/Activity Logs — Track all API calls and resource changes
- VPC Flow Logs — Monitor network traffic
- Application logs — Centralize and monitor application-level events
Use Infrastructure as Code
- Version control — Track all infrastructure changes in Git
- Code review — Require PR approval for infrastructure changes
- Automated testing — Scan IaC in CI/CD before deployment
Supported Formats
PrismSec scans the following IaC and configuration formats:
| Type | Formats |
|------|---------|
| Terraform | .tf, .tfvars |
| CloudFormation | .yaml, .yml, .json |
| Kubernetes | .yaml, .yml (Deployments, Pods, Services, etc.) |
| Docker | Dockerfile, docker-compose.yml |
| NGINX | nginx.conf, site configs |
| CI/CD | GitHub Actions, GitLab CI, CircleCI, Jenkins |
Next Steps
- Learn about SAST: SAST
- Understand secret detection: Secret Detection
- Configure scan behavior: Configuring Scans