Learn vocabulary for infrastructure compliance checks, drift detection, policy enforcement points, remediation automation, audit trails, and compliance gates in CI/CD.
1 / 5
What is 'compliance as code' in infrastructure vocabulary?
Compliance as code (also called policy as code when focused on enforcement): encode SOC 2, PCI-DSS, CIS benchmarks, or custom security controls as code. Tools: AWS Config rules, HashiCorp Sentinel, Open Policy Agent (OPA), Chef InSpec, Ansible playbooks. Benefits: controls are version-controlled, testable, reproducible, and continuously evaluated rather than assessed once per audit cycle.
2 / 5
What is 'drift detection' in compliance as code vocabulary?
Drift detection: 'Your S3 bucket had public-access-block enabled at provisioning, but someone disabled it via the console 3 days ago — this is drift.' Tools: AWS Config (continuous evaluation), Terraform state drift (terraform plan detects drift), Chef InSpec (test infrastructure against compliance profile). Drift can indicate unauthorized changes, misconfigurations, or manual emergency fixes that were never reverted.
3 / 5
What is a 'policy enforcement point' in compliance as code vocabulary?
Policy enforcement points (PEPs) in a shift-left compliance strategy: (1) IDE/pre-commit: the developer gets immediate feedback. (2) CI pipeline: a policy check blocks the PR if violations are found. (3) CD pipeline: a compliance gate before deploying to production. (4) Runtime: an admission controller (Kubernetes), a service mesh authorization policy, or a cloud config rule evaluates at deploy/request time. Multiple PEPs create defense in depth.
4 / 5
What is 'remediation automation' in compliance as code vocabulary?
Remediation automation levels: (1) Notify only — create ticket, send alert. (2) Guided remediation — provide instructions or a runbook link. (3) Automatic remediation — directly correct the violation (AWS Config auto-remediation SSM documents, Terraform apply to restore desired state). Auto-remediation is powerful but risky — validate it won't cause outages. Prefer notify-then-auto-remediate with a time window for human review.
5 / 5
What is a 'compliance gate' in CI/CD pipeline vocabulary?
Compliance gate vocabulary: 'The pipeline failed at the compliance gate — conftest found 2 policy violations in the Terraform plan: S3 bucket logging is disabled and the RDS instance is not encrypted at rest. Fix these before the PR can merge.' Tools: conftest (OPA/Rego policies against Terraform plans), tfsec, checkov, Snyk IaC. Compliance gates shift compliance left — finding violations before they reach production.