Terraform is Your Auditor's Best Friend
How to use Infrastructure-as-Code to prove immutability and traceability for ISO and SOC2 audits — automatically.
#Terraform#IaC#Compliance#ISO27001
The hardest part of an ISO 27001 audit isn't being compliant. It's proving you were compliant on the 14th of February at 03:42 UTC when the change happened.
Terraform, used correctly, hands the auditor the evidence on a plate.
The three properties auditors want
- Immutability — no human SSH'd in and changed it.
- Traceability — every change links to a ticket and a reviewer.
- Reproducibility — you can rebuild the exact same environment.
How IaC gives you all three for free
| Auditor question | The Terraform answer |
|---|---|
| "Who changed this firewall rule?" | `git blame` on the `.tf` file |
| "Was it reviewed?" | PR with approving reviewer |
| "When did it go live?" | Atlantis / Spacelift apply log, tied to the PR merge |
| "Can you restore Feb-14's state?" | `terraform state pull` from the versioned S3 bucket |
The OPA layer
Terraform alone doesn't prevent a developer from opening port 22 to 0.0.0.0/0. Add an Open Policy Agent check (run by Conftest) to CI:
```rego
package terraform.security

import rego.v1

# Run against the raw HCL with `conftest test main.tf --namespace terraform.security`:
# Conftest parses every resource block into input.resource.<type>.<name>.
deny contains msg if {
    some name
    resource := input.resource.aws_security_group_rule[name]
    # Open to the whole IPv4 internet ...
    resource.cidr_blocks[_] == "0.0.0.0/0"
    # ... on a port range that includes 22. This also matches an egress rule;
    # add `resource.type == "ingress"` to restrict it to inbound rules.
    resource.from_port <= 22
    resource.to_port >= 22
    msg := sprintf("SSH open to the world: %s", [name])
}
```
Now the auditor's question "how do you prevent insecure firewall changes?" has a one-line answer: we can't merge them.
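The rule above reads the raw HCL, so it cannot see values that are only resolved at plan time (a CIDR passed in through a variable, a port taken from a local). The policy below is an added example, not code from the original post: it evaluates the JSON plan instead (`terraform show -json tfplan > plan.json`, then `conftest test plan.json --namespace terraform.security`), limits itself to ingress, and also catches all-traffic rules (protocol `-1`), IPv6 `::/0`, and the inline `ingress` blocks of an `aws_security_group`.

```rego
package terraform.security

import rego.v1

# Plan JSON lists every planned change under resource_changes[]; the
# post-apply attributes live in change.after (null for deletions).

# A rule reaches SSH if its port range covers 22 or it allows all traffic.
covers_ssh(rule) if {
    rule.from_port <= 22
    rule.to_port >= 22
}

covers_ssh(rule) if rule.protocol == "-1"

# A rule is world-open if any CIDR is the whole IPv4 or IPv6 internet.
world_open(rule) if "0.0.0.0/0" in rule.cidr_blocks

world_open(rule) if "::/0" in rule.ipv6_cidr_blocks

# Standalone aws_security_group_rule resources (created or updated).
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_security_group_rule"
    after := rc.change.after
    after != null
    after.type == "ingress"
    world_open(after)
    covers_ssh(after)
    msg := sprintf("%s: SSH open to the world", [rc.address])
}

# Inline ingress blocks declared directly on an aws_security_group.
deny contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_security_group"
    after := rc.change.after
    after != null
    some rule in after.ingress
    world_open(rule)
    covers_ssh(rule)
    msg := sprintf("%s: inline ingress rule opens SSH to the world", [rc.address])
}
```

Because the plan is evaluated after variables and locals are resolved, the same check also works for modules whose inputs come from a tfvars file or a CI secret.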