Secure Deployments
[TBD]
Outcome
- Infrastructure deployments are reproducible and automated
- IaC is used for infrastructure provisioning
- State files are stored securely and encrypted
- No secrets or other sensitive data are hardcoded in deployment scripts or IaC files
- OIDC or short-lived credentials are used for authentication in deployment pipelines
- Deployment pipelines have least privilege access to resources they manage
- Approval processes are in place for deployments to sensitive environments (e.g., production)
- Deployment pipelines are monitored and logged for auditing purposes
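As an added example (not from this page or any project it names), a small Python check that tests constructed Terraform and pipeline configuration against three of the outcomes above: encrypted state, no hardcoded secrets in IaC, and OIDC rather than static keys for pipeline authentication. The S3 backend `encrypt` attribute and the GitHub Actions `id-token: write` permission are assumptions about the tooling in use; the page itself names neither.

```python
import re

# Constructed sample (not from the page): Terraform with an unencrypted S3
# state backend and a provider block carrying a hardcoded credential.
TERRAFORM_BAD = '''
terraform {
  backend "s3" {
    bucket  = "example-tfstate"
    key     = "prod/terraform.tfstate"
    encrypt = false
  }
}
provider "aws" {
  access_key = "AKIA-PLACEHOLDER-KEY"
  secret_key = "PLACEHOLDER/SECRET/NOT/REAL"
}
'''

# Constructed sample: a GitHub Actions job that injects static cloud keys from
# repository secrets and never requests an OIDC token (id-token: write).
WORKFLOW_BAD = '''
permissions:
  contents: read
jobs:
  deploy:
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
'''

# Attribute names whose quoted literal value is almost always a secret.
HARDCODED = re.compile(r'^\s*(secret_key|access_key|password|token)\s*=\s*"[^"]+"', re.M)

def check_terraform(hcl: str) -> list[str]:
    """Outcomes: encrypted state, no hardcoded secrets in IaC."""
    findings = []
    if 'backend "s3"' in hcl and not re.search(r'encrypt\s*=\s*true', hcl):
        findings.append("state: S3 backend without encrypt = true")
    findings += [f"secret: hardcoded {m.group(1)}" for m in HARDCODED.finditer(hcl)]
    return findings

def check_workflow(yaml_text: str) -> list[str]:
    """Outcome: OIDC / short-lived credentials instead of static keys."""
    findings = []
    if not re.search(r'id-token:\s*write', yaml_text):
        findings.append("auth: job never requests an OIDC token (id-token: write)")
    if "AWS_SECRET_ACCESS_KEY" in yaml_text:
        findings.append("auth: static AWS keys injected from repository secrets")
    return findings
```

Running both checks in CI against real IaC and workflow files turns the list above into a gate rather than a guideline; a clean run returns an empty list for each file.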
Metrics
- [TBD]
Tools & Resources
- Open Policy Agent (Free)
Further Reading
- FacetController: How we made infrastructure changes at Lyft simple
- CI/CD SECRETS EXTRACTION, TIPS AND TRICKS
- Poisoned Pipeline Execution Attacks
- Continuous Deployment at Lyft
- Monocle: How Chime creates a proactive security & engineering culture (Part 1)
- Shifting left at enterprise scale: how we manage Cloudflare with Infrastructure as Code