Checking Infrastructure Compliance
Overview
Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.
Prerequisites
- Policy-as-code tool installed: checkov, tfsec, opa, or kube-bench
- Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
- Cloud provider CLI authenticated with read access to resources
- Compliance framework requirements documented (CIS, SOC 2, HIPAA, PCI-DSS)
- jq for parsing JSON policy outputs
Instructions
- Identify the applicable compliance framework(s) based on industry and data classification
- Scan Terraform files with checkov -d . or tfsec . to detect misconfigurations (tfsec's checks also ship in Trivy as trivy config)
- Scan Kubernetes manifests for security issues: missing resource limits, privileged containers, missing network policies. Note that kube-bench audits a running cluster's node configuration against the CIS Kubernetes Benchmark; it does not scan manifests, so use checkov or OPA for those
- Validate IAM policies for least-privilege violations using cloud-native tools (IAM Access Analyzer, e.g. aws accessanalyzer validate-policy for a policy document and aws accessanalyzer list-findings for external-access findings)
- Check encryption at rest and in transit: verify S3 bucket encryption, database TLS, and EBS volume encryption
- Audit logging configurations: confirm CloudTrail/Cloud Audit Logs are enabled and sent to immutable storage (for CloudTrail, a dedicated log-archive bucket the audited account cannot delete from, with log file validation enabled)
- Generate a compliance report mapping each finding to the relevant control (e.g., CIS AWS 2.1.1)
- Produce remediation Terraform/YAML patches for each violation with severity ranking (Critical, High, Medium, Low). Open-source checkov reports no severity of its own, so the ranking has to come from your check-to-control mapping
- Set up CI/CD integration so compliance checks block merges on Critical/High violations; a scanner that only prints findings is not a control
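The report and gating steps above, as an added worked example that is not part of this page or of checkov itself: a Python script that reads checkov's -o json output, maps each failed check to a control and an organisation-assigned severity, renders the Markdown report, and exits non-zero when a Critical or High finding is present. The CONTROL_MAP contents (control IDs and severities) are assumed, illustrative values rather than an authoritative CIS mapping, and the embedded SAMPLE_REPORT is constructed to mirror the shape of checkov's JSON output (check_type, results.failed_checks, file_path, file_line_range, resource) rather than captured from a real scan.

```python
"""Compliance gate over checkov JSON output (added example, not checkov code)."""
import json
from collections import Counter

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
BLOCKING = ("Critical", "High")  # severities that fail the CI gate

# Hypothetical organisational mapping: checkov check ID -> evidenced control and
# the severity the organisation assigns. Control references are illustrative.
CONTROL_MAP = {
    "CKV_AWS_19": {"control": "CIS AWS 2.1.1 (S3 encryption at rest)", "severity": "High"},
    "CKV_AWS_21": {"control": "CIS AWS 2.1.x (S3 versioning)", "severity": "Low"},
    "CKV_AWS_36": {"control": "CIS AWS 3.x (CloudTrail log validation)", "severity": "High"},
    "CKV_K8S_16": {"control": "CIS K8s 5.2.x (privileged containers)", "severity": "Critical"},
}
UNMAPPED = {"control": "unmapped", "severity": "Medium"}  # unknown checks still count


def failed_checks(report):
    """Flatten failed_checks from a checkov report.

    checkov emits one object per framework and wraps them in a list when more
    than one framework was scanned; accept both shapes.
    """
    reports = report if isinstance(report, list) else [report]
    out = []
    for r in reports:
        for fc in r.get("results", {}).get("failed_checks", []):
            fc = dict(fc)
            fc["check_type"] = r.get("check_type", "unknown")
            out.append(fc)
    return out


def classify(finding):
    """Attach control mapping, severity and a file:line location to one finding."""
    mapping = CONTROL_MAP.get(finding["check_id"], UNMAPPED)
    start = (finding.get("file_line_range") or [0])[0]
    return {
        "check_id": finding["check_id"],
        "check_type": finding.get("check_type"),
        "resource": finding.get("resource", ""),
        "location": f"{finding.get('file_path', '?')}:{start}",
        "control": mapping["control"],
        "severity": mapping["severity"],
    }


def evaluate(report, blocking=BLOCKING):
    """Return (findings sorted by severity, per-severity counts, gate blocked?)."""
    findings = sorted((classify(f) for f in failed_checks(report)),
                      key=lambda f: (SEVERITY_ORDER[f["severity"]], f["check_id"]))
    counts = Counter(f["severity"] for f in findings)
    blocked = any(f["severity"] in blocking for f in findings)
    return findings, counts, blocked


def render_markdown(findings, counts, blocked):
    """Markdown report with pass/fail gate status and one row per finding."""
    lines = [
        "# Compliance scan report", "",
        f"Gate: {'FAIL' if blocked else 'PASS'} "
        f"(Critical={counts.get('Critical', 0)}, High={counts.get('High', 0)}, "
        f"Medium={counts.get('Medium', 0)}, Low={counts.get('Low', 0)})", "",
        "| Severity | Check | Control | Resource | Location |",
        "|---|---|---|---|---|",
    ]
    for f in findings:
        lines.append(f"| {f['severity']} | {f['check_id']} | {f['control']} | "
                     f"{f['resource']} | {f['location']} |")
    return "\n".join(lines) + "\n"


# Constructed sample shaped like `checkov -d . -o json` output, trimmed to the
# fields used here. Not real scanner output.
SAMPLE_REPORT = json.loads("""
[
  {"check_type": "terraform",
   "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [],
     "failed_checks": [
       {"check_id": "CKV_AWS_19", "check_result": {"result": "FAILED"},
        "file_path": "/s3.tf", "file_line_range": [1, 4],
        "resource": "aws_s3_bucket.logs", "severity": null},
       {"check_id": "CKV_AWS_21", "check_result": {"result": "FAILED"},
        "file_path": "/s3.tf", "file_line_range": [1, 4],
        "resource": "aws_s3_bucket.logs", "severity": null}]},
   "summary": {"passed": 3, "failed": 2, "skipped": 0, "parsing_errors": 0}},
  {"check_type": "kubernetes",
   "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [],
     "failed_checks": [
       {"check_id": "CKV_K8S_16", "check_result": {"result": "FAILED"},
        "file_path": "/deploy.yaml", "file_line_range": [12, 30],
        "resource": "Deployment.default.api", "severity": null}]},
   "summary": {"passed": 10, "failed": 1, "skipped": 0, "parsing_errors": 0}}
]
""")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings, counts, blocked = evaluate(report)
    print(render_markdown(findings, counts, blocked))
    sys.exit(1 if blocked else 0)
```

In CI this runs as checkov -d . -o json --soft-fail > checkov.json followed by python compliance_gate.py checkov.json; --soft-fail matters because checkov itself exits 1 on any failed check, which would block on Low findings before the severity policy is ever applied. Unmapped checks are deliberately kept at Medium rather than dropped, so a new checkov rule shows up in the report instead of silently passing.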
Output
- Compliance scan results in JSON/SARIF format for CI integration
- Markdown compliance report with control mappings and pass/fail status
- Remediation code patches (Terraform diffs, Kubernetes manifest updates)
- OPA/Rego policy files for custom organizational rules
- CI/CD pipeline step configuration for automated compliance gating
Error Handling
| Error | Cause | Solution |
|---|---|---|
| checkov: no Terraform files found | Scanner run from wrong directory | Specify the path explicitly with -d path/to/terraform/ |
| tfsec: failed to parse HCL | Syntax error in Terraform files | Run terraform validate first to fix HCL syntax before the compliance scan |
| False positive on compliance check | Rule too broad for the specific use case | Add an inline skip comment on the resource (#checkov:skip=CKV_AWS_18:<justification>) and keep the justification; unjustified skips silently become permanent exceptions that an auditor will ask about |