Checking Infrastructure Compliance

Overview

Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.

Prerequisites

Policy-as-code tool installed: checkov, tfsec, opa, or kube-bench
Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
Cloud provider CLI authenticated with read access to resources
Compliance framework requirements documented (CIS, SOC 2, HIPAA, PCI-DSS)
jq for parsing JSON policy outputs

Instructions

Identify the applicable compliance framework(s) based on industry and data classification
Scan Terraform files with checkov -d . or tfsec . to detect misconfigurations
Scan Kubernetes manifests for security issues: missing resource limits, privileged containers, missing network policies
Validate IAM policies for least-privilege violations using cloud-native tools (aws iam access-analyzer)
Check encryption at rest and in transit: verify S3 bucket encryption, database TLS, and EBS volume encryption
Audit logging configurations: confirm CloudTrail/Cloud Audit Logs are enabled and sent to immutable storage
Generate a compliance report mapping each finding to the relevant control (e.g., CIS AWS 2.1.1)
Produce remediation Terraform/YAML patches for each violation with severity ranking (Critical, High, Medium, Low)
Set up CI/CD integration so compliance checks block merges on Critical/High violations

Output

Compliance scan results in JSON/SARIF format for CI integration
Markdown compliance report with control mappings and pass/fail status
Remediation code patches (Terraform diffs, Kubernetes manifest updates)
OPA/Rego policy files for custom organizational rules
CI/CD pipeline step configuration for automated compliance gating

Error Handling

Error	Cause	Solution
`checkov: no Terraform files found`	Scanner run from wrong directory	Specify path explicitly with `-d path/to/terraform/`
`tfsec: failed to parse HCL`	Syntax error in Terraform files	Run `terraform validate` first to fix HCL syntax before compliance scan
`False positive on compliance check`	Rule too broad for the specific use case	Add inline skip comments (`#checkov:skip=CKV_AWS_18:Reason`) or create a `.checkov.yml` skip list
`OPA policy evaluation error`	Rego syntax error or missing input data	Test policies with `opa eval -d policy.rego -i input.json` and validate Rego syntax
`Scan timeout on large codebase`	Too many files or complex module references	Use `--compact` mode, scan directories individually, or increase timeout limits

Examples

"Run a CIS Benchmark compliance check against all Terraform files and generate a report with remediation steps for Critical findings."
"Create OPA policies that enforce: all S3 buckets must have encryption, all EC2 instances must have IMDSv2, and all security groups must not allow 0.0.0.0/0 ingress."
"Scan Kubernetes manifests for PCI-DSS compliance: verify no privileged containers, all pods have resource limits, and network policies exist for every namespace."

Resources

Checkov: https://www.checkov.io/
tfsec: https://aquasecurity.github.io/tfsec/
Open Policy Agent: https://www.openpolicyagent.org/docs/latest/
CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
kube-bench (CIS for Kubernetes): https://github.com/aquasecurity/kube-bench

checking-infrastructure-compliance