TESTING-BASED PREVENTION OF MISCONFIGURATION THREATS IN AWS INFRASTRUCTURE AS CODE

DOI:

https://doi.org/10.28925/2663-4023.2025.29.887

Keywords:

Cloud Security, Infrastructure as Code (IaC), Misconfiguration Prevention, DevSecOps, AWS Security, Automated Security Testing, Policy-as-Code, Security Configuration Validation

Abstract

Misconfigured cloud infrastructure has emerged as a prevalent and impactful threat vector in cybersecurity. In particular, organizations deploying services on Amazon Web Services (AWS) often face significant security risks due to incorrectly configured access controls, insufficient logging, weak network segmentation, and the absence of critical protections such as Web Application Firewalls (WAF). Despite the widespread adoption of Infrastructure as Code (IaC) tools (e.g., Terraform, AWS CloudFormation) to enforce predictable, version-controlled deployments, these IaC configurations typically undergo little to no systematic security testing. Unlike application code—which routinely undergoes unit, integration, and security testing—infrastructure code is seldom tested beyond basic static analysis or post-deployment monitoring. As a result, critical security misconfigurations can remain undetected until they are exploited by attackers. To address this gap, this paper proposes a novel approach termed "Infrastructure as Tested Code." By applying proven software testing techniques—such as test assertions and continuous integration workflows—to IaC, our framework enables pre-deployment validation of an AWS environment’s security posture. We develop and evaluate a proof-of-concept implementation that automates security checks for Terraform-defined AWS resources, focusing on key configurations including WAF rules, Identity and Access Management (IAM) policies, S3 bucket permissions, and security group rules. This test suite is built with open-source tools (Chef InSpec and AWS SDKs) and runs within a CI/CD pipeline using LocalStack to emulate AWS services. Through this approach, developers and DevSecOps teams can detect and remediate misconfigurations early in the development lifecycle, long before infrastructure reaches a production environment. 
Our experimental evaluation shows that integrating automated security tests into the DevOps pipeline significantly strengthens cloud security and mitigates misconfiguration-driven vulnerabilities. Compared to traditional static analysis tools, our approach offers greater flexibility, supports environment-specific policies, and allows developers to codify custom, testable security assertions. Even a minimal test suite proved effective in catching high-risk misconfigurations that static checks overlooked. This paradigm complements existing cloud security tools (such as AWS Config, Checkov, and other policy-as-code frameworks) and can be seamlessly integrated into DevSecOps pipelines. Finally, the paper provides a detailed implementation guide, a real-world case study, and an analysis of practical trade-offs. We conclude that just as test-driven development improved software reliability, adopting a test-driven approach to infrastructure can become a critical strategy for proactively securing cloud environments. This work lays the groundwork for future research into formalizing security testing practices for IaC, benchmarking IaC security test coverage, and developing reusable libraries of security test assertions for AWS.
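As an added illustration of the pre-deployment assertion idea (this is not the paper's InSpec/LocalStack test suite), the following Python check evaluates the JSON produced by `terraform show -json plan.out` for the four misconfiguration classes the abstract names: open security group rules, public S3 ACLs, wildcard IAM policies and an internet-facing ALB with no WAFv2 association. The plan document is constructed inline, and the WAF check is a coarse plan-level presence test rather than a per-ALB binding check.

```python
import json

# Constructed sample: a trimmed `terraform show -json` document with one
# intentionally weak resource of each kind the checks below cover.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"after": {"ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
         {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"after": {"bucket": "logs", "acl": "public-read"}}},
    {"address": "aws_iam_policy.ops", "type": "aws_iam_policy",
     "change": {"after": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_lb.public", "type": "aws_lb",
     "change": {"after": {"load_balancer_type": "application", "internal": False}}},
]}

def _as_list(v):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def find_misconfigurations(plan):
    """Return (resource address, finding) tuples for resources that will exist after apply."""
    changes = [c for c in plan.get("resource_changes", []) if c.get("change", {}).get("after")]
    has_waf = any(c["type"] == "aws_wafv2_web_acl_association" for c in changes)
    findings = []
    for c in changes:
        after, t = c["change"]["after"], c["type"]
        if t == "aws_security_group":
            for rule in after.get("ingress") or []:
                # Unrestricted source on the SSH port; (0, 0) means "all ports".
                if "0.0.0.0/0" in (rule.get("cidr_blocks") or []) and (
                        rule["from_port"] <= 22 <= rule["to_port"]
                        or (rule["from_port"], rule["to_port"]) == (0, 0)):
                    findings.append((c["address"], "SSH reachable from 0.0.0.0/0"))
        elif t == "aws_s3_bucket_acl" and after.get("acl") in ("public-read", "public-read-write"):
            findings.append((c["address"], f"bucket ACL is {after['acl']}"))
        elif t == "aws_iam_policy":
            for st in _as_list(json.loads(after["policy"]).get("Statement", [])):
                if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) \
                        and "*" in _as_list(st.get("Resource")):
                    findings.append((c["address"], "Allow */* statement"))
        elif t == "aws_lb" and after.get("load_balancer_type") == "application" \
                and not after.get("internal") and not has_waf:
            findings.append((c["address"], "internet-facing ALB with no WAFv2 association in plan"))
    return findings

if __name__ == "__main__":
    for addr, msg in find_misconfigurations(SAMPLE_PLAN):
        print(f"FAIL {addr}: {msg}")
```

In a CI job the script would read the real plan JSON from a file and exit non-zero when the list is non-empty, so the pipeline blocks the apply step.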



Published

2025-09-26

How to Cite

Parkhomenko, I., & Savonik, M. (2025). TESTING-BASED PREVENTION OF MISCONFIGURATION THREATS IN AWS INFRASTRUCTURE AS CODE. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(29), 236–251. https://doi.org/10.28925/2663-4023.2025.29.887