IaC compliance focuses on the security posture of your cloud resource definitions (Terraform, CloudFormation) before deployment. By analyzing templates, Cortex Cloud identifies misconfigurations that violate specific regulatory frameworks.
Supported IaC compliance standards
The IaC scanner maps findings to the following compliance standards and frameworks:
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS v3.2.1 - Payment card data protection requirements
PCI DSS v4.0 - Latest PCI DSS requirements
PCI DSS v4.0.1 - Updated PCI DSS v4.0 requirements
NIST (National Institute of Standards and Technology)
NIST 800-53 Rev 4 - Security and privacy controls for federal information systems
NIST 800-53 Rev 5 - Updated security and privacy controls
NIST SP 800-171 Revision 2 - Protecting Controlled Unclassified Information
NIST SP 800-171 Revision 3 - Latest CUI protection requirements
NIST SP 800-172 - Enhanced security requirements for CUI
NIST CSF - Cybersecurity Framework
NIST CSF v2.0 - Updated Cybersecurity Framework
ISO Standards
ISO 27001:2013 - Information security management systems
ISO/IEC 27001:2022 - Latest information security management standard
HIPAA (Health Insurance Portability and Accountability Act)
Security and privacy requirements for healthcare data
GDPR (General Data Protection Regulation)
European Union data protection and privacy requirements
SOX (Sarbanes-Oxley Act)
Financial reporting and corporate governance requirements
CCPA (California Consumer Privacy Act)
California data privacy requirements
CIS (Center for Internet Security) Benchmarks
AWS:
CIS v1.2.0 (AWS)
CIS AWS 3 Tier Web Architecture Benchmark v1.0.0
Azure:
CIS v1.1 (Azure)
CIS v1.2.0 (Azure)
CIS v1.3.0 (Azure)
CIS v1.3.1 (Azure)
CIS v1.4.0 (Azure)
CIS v1.5.0 (Azure) - Level 1
CIS v2.0.0 (Azure) - Level 1
CIS v2.1 (Azure) - Level 1
CIS v2.1.0 (Azure) - Level 1
GCP (Google Cloud Platform):
CIS v1.0.0 (GCP)
CIS v1.1.0 (GCP)
CIS v1.2.0 (GCP)
CIS v1.3.0 (GCP)
CIS v2.0.0 (GCP) - Level 1
CIS v3.0 (GCP) - Level 1
CIS v3.0.0 (GCP) - Level 1
CIS v4.0.0 (GCP) - Level 1
GKE (Google Kubernetes Engine):
CIS v1.1.0 (GKE)
CIS v1.2.0 (GKE)
CIS v1.3.0 (GKE) - Level 1
CIS v1.4.0 (GKE) - Level 1
CIS v1.5.0 (GKE) - Level 1
OCI (Oracle Cloud Infrastructure):
CIS v1.2.0 (OCI)
CIS v2.0.0 (OCI) - Level 2
CIS v3.0.0 (OCI) - Level 2
CIS Controls
CIS Controls v7.1 - Implementation groups for cybersecurity
CIS Controls v8 - Updated cybersecurity controls
CIS Controls v8.1 - Latest CIS Controls version
Rule mapping logic
To ensure consistency between build-time and run-time security, IaC compliance relies on a unified mapping logic.
IaC rules in Cortex Cloud are mapped to corresponding runtime CSPM (Cloud) or KSPM (Kubernetes) rules.
If an IaC rule is mapped to a runtime rule, it automatically inherits the compliance standards and controls associated with that runtime rule. This ensures that a violation detected in code (IaC) is categorized under the same compliance control as if it were detected in the cloud.
Scan types
IaC compliance scanning is available in the following scan types:
Periodic scans: scheduled repository scans
PR scans: pull request validation
Branch scans: branch-specific scans
External project scans: third-party project analysis