Enhance your understanding of security best practices in Infrastructure as Code (IaC) by exploring key strategies to prevent vulnerabilities, enforce compliance, and safeguard automated environments. This quiz helps identify critical concepts and effective approaches for secure IaC deployments.
Which method is considered the most secure for handling sensitive data, such as passwords or API keys, in Infrastructure as Code files?
Explanation: Storing secrets in environment variables and ensuring they are not committed to version control helps prevent accidental exposure and unauthorized access. Embedding secrets directly into scripts or writing them in clear text comments makes them easily accessible to anyone with code access, increasing the risk of leakage. Keeping secrets in a shared spreadsheet lacks access controls and audit trails, which is insecure. Environment variables can be managed securely and are a widely recommended approach for handling secrets.
Why is adopting immutable infrastructure considered a security best practice in IaC environments?
Explanation: Immutable infrastructure ensures that deployed resources are not changed after provisioning, which reduces the risk of unauthorized modifications and helps maintain consistency and repeatability. Reducing disk storage is not the main security benefit. While immutable infrastructure may align with performance improvements, its primary focus is not optimization. Allowing administrators to bypass policies contradicts security best practices.
What is the main security benefit of conducting peer code reviews on Infrastructure as Code templates before deployment?
Explanation: Peer code reviews provide a human perspective that can catch subtle errors or security issues overlooked by automated scans. Speeding up deployment is not the key security advantage. While using the latest images is important, code reviews are not primarily intended for version enforcement. Private discussions for resource allocation are unrelated to direct security concerns in IaC.
In the context of IaC, which approach best represents applying the principle of least privilege to infrastructure resources?
Explanation: Applying the principle of least privilege means granting only the permissions that are absolutely necessary, reducing potential attack surfaces. Assigning administrative access to all users increases risk and disregards access control. Using a single credential set weakens accountability and makes tracing actions difficult. Allowing unrestricted network access exposes services to unnecessary threats.
How does implementing automated drift detection help maintain secure Infrastructure as Code environments?
Explanation: Automated drift detection compares the live environment to the declared IaC specifications, alerting teams about changes that may indicate security issues or configuration drift. Scaling resources and improving deployment speed are operational benefits, not security-focused outcomes. Archiving templates is useful for documentation, but does not actively contribute to detecting or correcting unauthorized changes.