IaC security audit: methodology, tools, and checklist
5+ years AWS engineering · Open-source contributor
Last reviewed: 2026-05-27
An Infrastructure-as-Code (IaC) security audit is a structured review of declarative infrastructure definitions — typically Terraform, CloudFormation, or Kubernetes manifests — against established security baselines such as CIS benchmarks, NIST CSF, and the AWS Well-Architected Security pillar. This guide explains the methodology, the open-source and commercial tools that help, and an inline CIS AWS Foundations Benchmark v3.0.0-mapped checklist.
What is an IaC security audit?
An IaC security audit evaluates infrastructure code before it is deployed — catching misconfigurations, over-permissioned resources, missing controls, and architectural risk at the code level, where fixes are cheapest.
How it relates to CSPM and CNAPP
Cloud Security Posture Management (CSPM) tools scan your live AWS environment. IaC security audit tools scan your code before deployment. They are complementary: IaC audits catch issues in development; CSPM catches drift in production. Cloud Native Application Protection Platforms (CNAPP) often combine both layers.
How it relates to SAST and software composition analysis
Static Application Security Testing (SAST) analyses application code for vulnerabilities. IaC security audit applies similar static analysis to infrastructure code. Both are shift-left approaches — catching issues before production. Software Composition Analysis (SCA) checks for vulnerable dependencies; IaC audit checks for misconfigured infrastructure.
Why run an IaC security audit?
Misconfigurations in IaC are the primary source of cloud security incidents. The Verizon 2025 Data Breach Investigations Report identifies misconfiguration as a leading cause of cloud breaches. An IaC audit addresses this before the misconfiguration is ever deployed.
For EU organisations, NIS2 Article 21(2)(e) and (h) address configuration management and technical security measures. DORA Article 9 addresses ICT change management. IaC security audits produce evidence relevant to both — though using ArchGuard alone does not satisfy either regulation, and we make no compliance certification claim.
The IaC security audit methodology
Inventory and scope
Identify all IaC files in scope — Terraform root modules, called modules, shared modules. Define the environment under review (production, staging). Document the services, data sensitivity, and compliance requirements.
Run rule-based scanners in CI
Run Checkov, tfsec (via Trivy), and/or KICS against the scoped files. These tools apply deterministic rules and produce findings in JSON, SARIF, or JUnit XML for CI integration. Resolve Critical and High findings before proceeding to the next step.
Run an architecture-level review
Rule-based scanners cannot evaluate blast radius, cross-resource relationships, absent controls, or workload context. An architectural review evaluates the workload as a system — identifying patterns and gaps that rules cannot detect.
Map findings to a baseline
Map each finding to CIS AWS Foundations Benchmark v3.0.0, NIST CSF 2.0, or AWS WAFR controls. This makes the report meaningful to compliance teams, procurement, and auditors who use these frameworks as reference.
Prioritize and remediate
Assign severity using workload context (environment, SLA, data sensitivity, blast radius). Critical and High: fix before next deploy. Medium: backlog with target sprint. Low: acknowledge and track.
Document and re-audit
A well-documented IaC security audit produces a report that can be shared with auditors, procurement, and investors. Schedule re-audit: annually minimum, quarterly for high-risk workloads, after significant infrastructure changes.
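One way to implement steps 2, 4 and 5 above in code, as an added example that is not ArchGuard's, Checkov's or any other listed tool's own code: it reads a constructed finding set in the shape of Checkov's JSON output, maps check IDs to CIS AWS Foundations v3.0.0 controls from the checklist on this page, raises severity by workload context, and applies the Critical/High gate. The check-ID-to-control mapping, the base severities and the bump rule are assumptions to verify against your scanner's documentation.

```python
"""Triage scanner findings against CIS AWS Foundations v3.0.0 with workload
context. Added example; not ArchGuard's or Checkov's own code."""
import json

# Assumed mapping from Checkov check IDs to the CIS controls in this page's
# checklist, with an assumed base severity. Verify against your scanner version.
CIS_MAP = {
    "CKV_AWS_79": ("CIS 5.6", "EC2 instances use IMDSv2", "High"),
    "CKV_AWS_24": ("CIS 5.2", "No 0.0.0.0/0 ingress on port 22", "High"),
    "CKV_AWS_3": ("CIS 2.2.1", "EBS volumes encrypted at rest", "Medium"),
}
RANK = ["Low", "Medium", "High", "Critical"]
ACTION = {"Critical": "fix before next deploy", "High": "fix before next deploy",
          "Medium": "backlog with target sprint", "Low": "acknowledge and track"}


def contextual_severity(base, env, data_class, public_facing):
    """Raise base severity one step per aggravating factor (assumed rule):
    production environment, regulated data, internet-facing blast radius."""
    bump = (env == "production") + (data_class == "regulated") + bool(public_facing)
    return RANK[min(RANK.index(base) + bump, len(RANK) - 1)]


def triage(checkov_json, env, data_class, public_facing):
    """Map each failed check to a CIS control, assign severity and action,
    and return findings sorted most severe first (methodology steps 4 and 5)."""
    findings = []
    for chk in json.loads(checkov_json)["results"]["failed_checks"]:
        cis, title, base = CIS_MAP.get(chk["check_id"], ("unmapped", chk["check_name"], "Low"))
        sev = contextual_severity(base, env, data_class, public_facing)
        findings.append({"cis": cis, "title": title, "resource": chk["resource"],
                         "file": chk["file_path"], "severity": sev, "action": ACTION[sev]})
    return sorted(findings, key=lambda f: RANK.index(f["severity"]), reverse=True)


def ci_gate_passes(findings):
    """Step 2's rule: block the pipeline while any Critical or High remains."""
    return not any(RANK.index(f["severity"]) >= RANK.index("High") for f in findings)


# Constructed sample in the shape of `checkov -o json` output; not a real scan.
SAMPLE = json.dumps({"check_type": "terraform", "results": {"passed_checks": [], "failed_checks": [
    {"check_id": "CKV_AWS_3", "check_name": "EBS volume not encrypted",
     "resource": "aws_ebs_volume.data", "file_path": "/storage.tf", "file_line_range": [1, 6]},
    {"check_id": "CKV_AWS_79", "check_name": "IMDSv1 enabled",
     "resource": "aws_instance.web", "file_path": "/compute.tf", "file_line_range": [8, 20]},
]}})

if __name__ == "__main__":
    for f in triage(SAMPLE, "production", "internal", False):
        print(f"{f['severity']:<8} {f['cis']:<9} {f['resource']:<22} {f['action']}")
```

Pipe real `checkov -o json` output into `triage` and call `ci_gate_passes` from the CI job to get the blocking behaviour the methodology describes.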
Tools for IaC security audit
| Tool | Type | Coverage | Best for |
|---|---|---|---|
| Checkov | Open-source | Security rules, 1,000+ checks | CI scanner, free, broad IaC format support |
| tfsec / Trivy | Open-source | Terraform security rules | tfsec merged into Trivy; multi-format scanner |
| KICS | Open-source | Terraform, CFN, K8s, Docker | Multi-IaC-platform, broad format coverage |
| Prowler | Open-source | AWS CSPM + IaC | Runtime + IaC hybrid, CIS/NIST/GDPR benchmarks |
| ScoutSuite | Open-source | AWS CSPM | Multi-cloud CSPM, runtime-focused |
| ArchGuard | Commercial SaaS | 4 WAFR pillars | Architecture-level review, branded PDF, consultant-ready |
Open-source tools listed before commercial.
IaC security audit checklist (CIS AWS Foundations Benchmark v3.0.0)
Each item below corresponds to a CIS AWS Foundations Benchmark v3.0.0 control and the Terraform resource that implements it. This is an inline preview — use the full Terraform architecture review checklist for the complete pillar-mapped version.
| CIS Control | Check |
|---|---|
| CIS 1.5 | Root account MFA enforced |
| CIS 1.9 | Password policy minimum length ≥ 14 |
| CIS 1.13 | No access keys older than 90 days |
| CIS 1.16 | IAM policies attached to groups or roles, not users |
| CIS 2.1.1 | S3 buckets have server-side encryption |
| CIS 2.1.2 | S3 bucket policy requires TLS (aws:SecureTransport) |
| CIS 2.1.5 | S3 public access block enabled |
| CIS 2.2.1 | EBS volumes encrypted at rest |
| CIS 2.3.1 | RDS storage encrypted |
| CIS 3.1 | CloudTrail enabled in all regions |
| CIS 3.2 | CloudTrail log file validation enabled |
| CIS 3.4 | CloudTrail logs to CloudWatch Logs |
| CIS 3.5 | KMS keys have rotation enabled |
| CIS 3.7 | VPC Flow Logs enabled |
| CIS 3.8 | GuardDuty enabled in all regions |
| CIS 4.1 | No security groups with unrestricted inbound access |
| CIS 4.3 | Ensure the default security group restricts all traffic |
| CIS 5.2 | No security groups allow 0.0.0.0/0 ingress on port 22 |
| CIS 5.3 | No security groups allow 0.0.0.0/0 ingress on port 3389 |
| CIS 5.6 | EC2 instances use IMDSv2 |
What goes in the audit report
A credible IaC security audit report contains: an executive summary with overall risk posture and top findings; a findings section with each finding mapped to a CIS or WAFR control, assigned a severity, with the current state in Terraform and remediation HCL; and an appendix listing all files reviewed, tool versions, and review date. For a worked example, see the ArchGuard sample report.
Frequently asked questions
What's the difference between an IaC security audit and a CSPM scan?
A Cloud Security Posture Management (CSPM) scan checks your live AWS environment against security benchmarks. An IaC security audit checks your Terraform or CloudFormation code before deployment. IaC audits catch misconfigurations before they reach production; CSPM scans catch drift in what is already deployed. Both are needed.
Do I need a consultant to run an IaC security audit?
No. Open-source tools like Checkov, tfsec (via Trivy), and KICS can run a rule-based IaC security audit with no external help. For an architecture-level audit producing a stakeholder-ready PDF, ArchGuard or a consultant engagement is appropriate.
What baseline should I audit against — CIS, NIST, or AWS WAFR?
Use all three in different contexts. CIS AWS Foundations Benchmark v3.0.0 is the most widely cited for configuration-level checks. NIST CSF 2.0 maps to organisational security functions. The AWS Well-Architected Security pillar covers architectural-level concerns. For most Terraform teams, CIS + AWS WAFR is the practical combination.
How often should an IaC security audit run?
Rule-based scanning (Checkov, Trivy): every commit, in CI, blocking on Critical. Architecture-level audits: before each production release, and annually at minimum for stable workloads. Quarterly for payment, healthcare, or multi-tenant SaaS workloads.
Can I run an IaC security audit without giving up cloud credentials?
Yes. Static IaC analysis tools — Checkov, tfsec, Trivy, KICS, ArchGuard — analyse the code files only. They do not require AWS credentials, IAM roles, or any cloud account access.
What does an IaC security audit report cost?
Open-source tools (Checkov, tfsec, Trivy, KICS): free. ArchGuard: $49–$399/month or $50–$66 per review with Credit Packs. Consulting engagement: $5K–$25K depending on scope and provider.
For further reading, see the AWS Well-Architected Security pillar guide for Terraform-aware implementation examples, or the ArchGuard sample report for an example of a structured IaC security audit deliverable.