Infrastructure as Code and Automation

What the Exam Is Really Testing

How many times can a human manually configure a firewall before they make a mistake? And once that mistake is made, how long before anyone notices?

That is the problem Infrastructure as Code solves — and the problem it can also amplify.

Manual configuration is the enemy of consistent security. Infrastructure as Code makes security repeatable, auditable, and enforceable at scale.

Questions in this area test whether you can identify when automation prevents human error and when it amplifies it.

Infrastructure as Code Principles

Infrastructure as Code (IaC) defines infrastructure — servers, networks, storage, security groups — as machine-readable configuration files rather than manual processes.

Why It Matters for Security

• Consistency — Every deployment is identical. No manual configuration errors, no forgotten hardening steps, no one-off exceptions.
• Version control — Infrastructure definitions are stored in repositories (Git). Every change is tracked, reviewed, and reversible.
• Auditability — You can compare the current state of infrastructure against the approved template at any time.
• Repeatability — Disaster recovery becomes faster because environments can be recreated from code rather than rebuilt manually.

Declarative vs Imperative

Declarative IaC defines the desired end state. The tool figures out how to get there. Example: Terraform, CloudFormation. You say "I want three servers with these settings." The tool creates them.

Imperative IaC defines the steps to reach the desired state. Example: scripting with Ansible playbooks or Bash scripts. You say "Create server A, then configure setting B, then open port C."

Security advantage of declarative: the tool can detect when reality differs from the defined state and correct it automatically.

Configuration Management

Configuration management tools enforce and maintain the desired state of systems across an environment.

Examples: Ansible, Puppet, Chef, SaltStack.

Security applications:

• Baseline enforcement — Ensure every server meets the approved security baseline (disabled services, firewall rules, user accounts)
• Automated remediation — If a system drifts from the baseline, the tool automatically corrects it
• Compliance verification — Generate reports showing which systems comply with the defined configuration
• Secrets management — Securely distribute credentials, certificates, and API keys without hardcoding them

The exam expects you to recognize that configuration management eliminates configuration drift — the gradual divergence of systems from their approved state over time.

Version Control for Infrastructure

Storing infrastructure definitions in version control provides security benefits beyond code management:

• Change tracking — Every infrastructure modification is recorded with who changed it, when, and why
• Peer review — Infrastructure changes go through pull requests and code reviews before deployment
• Rollback capability — If a change introduces a vulnerability, you can revert to the previous known-good state
• Separation of duties — Different teams can review and approve changes before they are applied

This is GitOps — using Git as the single source of truth for both application code and infrastructure configuration.

Software-Defined Networking (SDN)

SDN separates the network control plane (decision-making) from the data plane (traffic forwarding). Network behavior is defined in software rather than configured on individual hardware devices.

Security Implications

• Centralized policy enforcement — Security rules are defined once and applied across the entire network from a central controller
• Rapid response — Network segmentation and access rules can be changed programmatically in seconds, not hours
• Microsegmentation — SDN enables fine-grained network segmentation at the workload level, not just the subnet level
• Controller security — The SDN controller becomes a high-value target. If compromised, an attacker controls the entire network

The exam tests whether you understand both the security benefits (centralized control, rapid response) and the risks (controller as a single point of failure and attack).

Automated Security Testing in CI/CD

CI/CD (Continuous Integration/Continuous Deployment) pipelines automate the process of building, testing, and deploying software. Security testing integrated into these pipelines catches vulnerabilities before code reaches production.

Security Testing Stages

• Static Application Security Testing (SAST) — Analyzes source code for vulnerabilities without executing it. Runs early in the pipeline during the build phase.
• Dynamic Application Security Testing (DAST) — Tests the running application by simulating attacks. Runs later in the pipeline against deployed test environments.
• Software Composition Analysis (SCA) — Identifies vulnerabilities in third-party libraries and dependencies. Catches known CVEs in open-source components.
• Infrastructure scanning — Validates IaC templates for security misconfigurations before deployment (open security groups, missing encryption, overly permissive IAM roles).

Shift Left

"Shift left" means moving security testing earlier in the development process. Instead of finding vulnerabilities in production, you catch them during development.

Benefits: vulnerabilities are cheaper to fix early, fewer security issues reach production, developers learn secure coding practices through immediate feedback.

Template Validation and Drift Detection

Template Validation

Before deploying IaC templates, they should be validated against security policies:

• Are all storage resources encrypted?
• Are security groups overly permissive (0.0.0.0/0)?
• Are logging and monitoring enabled?
• Are IAM roles following least privilege?

Tools scan templates and block deployment if they violate security policies. This is a preventive control — it stops misconfigurations before they exist.

Drift Detection

Configuration drift occurs when the actual state of infrastructure diverges from the defined state in code. Causes include:

• Manual changes made directly to systems (bypassing IaC)
• Emergency fixes applied without updating the code
• Automated processes that modify configurations

Drift detection compares the current state to the IaC definition and flags differences. Some tools automatically remediate drift by reapplying the approved configuration.

Exam significance: drift detection is a detective control. It identifies when systems no longer match their approved baseline.

Pattern Recognition

When you see IaC or automation scenarios on the exam:

• Inconsistent configurations — The answer involves IaC or configuration management to enforce baselines
• Untracked infrastructure changes — The answer involves version control, audit logging, or drift detection
• Vulnerability found in production — The answer involves shift-left testing or CI/CD security integration
• Network segmentation at scale — The answer involves SDN or microsegmentation

Trap Patterns

Watch for these common traps:

• "IaC eliminates all misconfigurations" — IaC can codify misconfigurations. If the template is wrong, every deployment is wrong. Template validation is essential.
• "Automation replaces security teams" — Automation handles repetitive tasks. Humans still design policies, review changes, and respond to novel threats.
• "SDN is always more secure than traditional networking" — SDN centralizes control, which creates a single point of failure. The controller must be heavily secured.
• Confusing drift detection with drift prevention — Detection identifies drift after it happens. Prevention (immutable infrastructure, locked-down access) stops it from occurring.

Scenario Practice

Question 1

A security audit reveals that production servers have different firewall rules than what is defined in the organization's IaC templates. Some servers have additional ports open that were added manually during troubleshooting.

What does this situation represent?

A. A zero-day vulnerability in the firewall
B. Configuration drift from the approved baseline
C. A successful lateral movement attack
D. An error in the IaC template syntax

Question 2

A development team deploys a new cloud environment using an IaC template. After deployment, a security scan reveals that the database storage is not encrypted and the security group allows inbound traffic from any IP address.

What control should have prevented this?

A. Post-deployment penetration testing of the database
B. Pre-deployment template validation against security policies
C. Manual review of the cloud console after deployment
D. Runtime application security testing during development

Question 3

An organization wants to ensure that every infrastructure change is reviewed by a security team member before being applied to production.

What approach BEST supports this requirement?

A. Grant the security team administrator access to all production systems
B. Store IaC in version control and require security team approval on pull requests
C. Schedule monthly security reviews of all infrastructure configurations
D. Deploy an intrusion detection system on all production servers

Key Takeaway

IaC makes security repeatable, auditable, and enforceable at scale — but only when the templates are validated before deployment, changes are tracked in version control, drift is detected and corrected, and security testing is woven into the pipeline. Automation amplifies whatever you feed it, good configurations and bad ones alike.