# Security and Governance
Use this guide for security controls in IaC delivery. For framework mappings and evidence gates, use compliance-gates.md.
## Identity controls
- least privilege for CI identities
- separate `plan` and `apply` roles where possible
- short-lived credentials via workload identity federation
- deny direct human write access to production backends
## Secret controls
- prohibit plaintext secret defaults in code
- source sensitive values from managed secret stores
- mark secret variables and outputs as sensitive
- sanitize logs/artifacts and restrict access
## Supply-chain controls
- pin provider/module versions with bounded constraints
- commit lockfile and review lockfile diffs
- verify action/container versions in CI workflows
## Policy layers
Use layered controls, not single-tool reliance:
- static scanners (`tfsec`, `checkov`, equivalent)
- plan-policy checks (Sentinel/OPA/Conftest)
- approval gates by risk class
## High-impact change controls
Require elevated approval for:
- IAM privilege expansion
- network exposure/public ingress changes
- encryption disablement/key-policy weakening
- backend/state changes
- production replacement/destruction actions
## Minimal OPA example

```rego
package main

# Evaluated against the JSON plan (`terraform show -json tfplan`); each entry in
# resource_changes carries the planned "after" state of one resource.
deny[msg] {
  r := input.resource_changes[_]
  r.type == "aws_security_group_rule"
  r.change.after.cidr_blocks[_] == "0.0.0.0/0"
  r.change.after.from_port == 22
  msg := sprintf("Public SSH is not allowed: %s", [r.address])
}
```
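The same plan-policy check as a standalone script, added here as an example that is not part of this guide: it runs over a constructed `terraform show -json` excerpt (hypothetical resource addresses) and goes beyond the Rego rule by also catching port ranges that span 22, `protocol = "-1"`, the IPv6 any-address, and by skipping destroyed resources whose `after` is null.

```python
import json

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22

def sg_rule(address, after):
    """One resource_changes entry, shaped like terraform's plan JSON (after=None on destroy)."""
    return {"address": address, "type": "aws_security_group_rule", "change": {"after": after}}

# Constructed `terraform show -json tfplan` excerpt; resource addresses are hypothetical.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    sg_rule("aws_security_group_rule.ssh_world",     # 22/tcp from anywhere: deny
            {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
             "cidr_blocks": ["0.0.0.0/0"]}),
    sg_rule("aws_security_group_rule.all_ports",     # range 0-65535 still covers 22: deny
            {"type": "ingress", "protocol": "tcp", "from_port": 0, "to_port": 65535,
             "cidr_blocks": ["0.0.0.0/0"]}),
    sg_rule("aws_security_group_rule.ssh_world_v6",  # IPv6 any-address, missed by the Rego rule: deny
            {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
             "cidr_blocks": [], "ipv6_cidr_blocks": ["::/0"]}),
    sg_rule("aws_security_group_rule.ssh_corp",      # corporate range only: allow
            {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
             "cidr_blocks": ["10.0.0.0/8"]}),
    sg_rule("aws_security_group_rule.egress_all",    # egress is not an exposure: allow
            {"type": "egress", "protocol": "-1", "from_port": 0, "to_port": 0,
             "cidr_blocks": ["0.0.0.0/0"]}),
    sg_rule("aws_security_group_rule.old", None),    # being destroyed: skip, do not crash
]})

def exposes_ssh(after):
    """True if an ingress rule admits TCP/22 from the whole internet."""
    if after.get("type") != "ingress":
        return False
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANY_ADDRESS:
        return False
    if after.get("protocol") == "-1":  # all protocols and all ports
        return True
    lo, hi = after.get("from_port"), after.get("to_port")
    return (after.get("protocol") in ("tcp", "6") and lo is not None and hi is not None
            and lo <= SSH_PORT <= hi)

def deny_public_ssh(plan_json):
    """One message per offending resource, like the OPA deny set above."""
    return [f"Public SSH is not allowed: {r['address']}"
            for r in json.loads(plan_json).get("resource_changes", [])
            if r.get("type") == "aws_security_group_rule"
            and (r.get("change") or {}).get("after")  # null when the resource is destroyed
            and exposes_ssh(r["change"]["after"])]
```

Wire it into the pipeline between `terraform plan` and `terraform apply` and fail the job when the returned list is non-empty.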
## Operational governance
- serialize applies for shared foundations
- require explicit opt-in for destroy
- keep break-glass runbook and test it periodically
- retain run metadata and policy outputs for auditability