Checking Infrastructure Compliance

Overview

Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.

Prerequisites

• Policy-as-code tool installed: checkov, tfsec, opa, or kube-bench
• Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
• Cloud provider CLI authenticated with read access to resources
• Compliance framework requirements documented (CIS, SOC 2, HIPAA, PCI-DSS)
• jq for parsing JSON policy outputs

Instructions

1. Identify the applicable compliance framework(s) based on industry and data classification
2. Scan Terraform files with checkov -d . or tfsec . to detect misconfigurations
3. Scan Kubernetes manifests for security issues: missing resource limits, privileged containers, missing network policies
4. Validate IAM policies for least-privilege violations using cloud-native tools (aws iam access-analyzer)