Francesco Santoro
Validation and Verification of Infrastructure as Code.
Supervisors: Fulvio Valenza, Guido Marchetto, David Palma. Politecnico di Torino, Master's degree programme in Computer Engineering, 2024
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

In recent years, the development of technologies such as Infrastructure as Code (IaC) and Policy as Code (PaC) has transformed modern Information and Communication Technology infrastructures into more software-based systems. This evolution has enabled faster deployment, scalability, and simplified network management. Moreover, the growing number of IaC-based solutions has created a diverse landscape, necessitating that each organization determine the most suitable solution for its needs while ensuring policy compliance before provisioning and deploying the infrastructure. PaC involves codifying security and compliance policies into executable code. By integrating policies directly into the infrastructure code, organizations can ensure that security and compliance requirements are automatically enforced, thereby reducing the risk of human error and enhancing overall governance. However, various PaC solutions tailor policy compliance checking to each specific IaC and Infrastructure Provider, leading to significant redundancy and complicating code comprehension for Security and Compliance teams. In this thesis, we define and validate an Agnostic Policy as Code (APaC) tool, where policy rules are checked regardless of the infrastructure code platforms. We demonstrate the possible use cases through a Proof of Concept (PoC) using existing IaC tools and compare the results with widespread PaC tools, highlighting the benefits of an agnostic approach. Our analysis confirms the potential of abstracting policy rules across any IaC tool or infrastructure provider, thereby aiding various stakeholders in creating simpler and less redundant policies.

| Supervisors: | Fulvio Valenza, Guido Marchetto, David Palma |
|---|---|
| Academic year: | 2024/25 |
| Publication type: | Electronic |
| Number of pages: | 105 |
| Degree programme: | Master's degree programme in Computer Engineering |
| Degree class: | New regulations > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Joint supervision institution: | NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY (NTNU) (NORWAY) |
| Collaborating companies: | NTNU |
| URI: | http://webthesis.biblio.polito.it/id/eprint/33201 |