* [Blog](https://www2.paloaltonetworks.com/blog)
* [Cloud Security](https://www2.paloaltonetworks.com/blog/cloud-security/)
* [Secure the Cloud](https://www2.paloaltonetworks.com/blog/category/secure-the-cloud/)
* Shift-Left with IaC Build...

# Shift-Left with IaC Build Policies in Prisma Cloud

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fcloud-iac-build-policies%2F)  
[](https://twitter.com/share?text=Shift-Left+with+IaC+Build+Policies+in+Prisma+Cloud&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fcloud-iac-build-policies%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fcloud-iac-build-policies%2F&title=Shift-Left+with+IaC+Build+Policies+in+Prisma+Cloud&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/cloud-security/cloud-iac-build-policies/&ts=markdown)  
\[\](mailto:?subject=Shift-Left with IaC Build Policies in Prisma Cloud)  
Link copied  
By [Jonathan Bregman](https://www.paloaltonetworks.com/blog/author/jonathan-bregman/?ts=markdown "Posts by Jonathan Bregman")  
Jun 09, 2020  
4 minutes  
[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)  
[Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown)  
[IaC](https://www.paloaltonetworks.com/blog/tag/iac/?ts=markdown)  
[Prisma Cloud](https://www.paloaltonetworks.com/blog/tag/prisma-cloud/?ts=markdown)

[Infrastructure as Code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac) has become the most common method for building cloud environments -- and for obvious reasons. You can create a complete infrastructure for your application in less than an hour.

Beyond the ability to quickly set up a new infrastructure using just code or scripts, IaC template files have other advantages, like easily tracking code changes and providing consistency in configuration across environments.

Following best practices such as [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/) or [Azure Architecture Framework](https://docs.microsoft.com/en-us/azure/architecture/framework/) can help teams rapidly deliver stable, repeatable environments at scale that avoid manual configuration dependencies. However, it's essential to implement visibility and real-time feedback for developers using IaC *before* deploying cloud environments containing security or compliance flaws. Prisma Cloud can help you do just that.

## **Build Policies in Prisma Cloud**

[Prisma Cloud IaC Build policies](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-policy-reference/configuration-policies/configuration-policies-build-phase.html) identify insecure configurations in your IaC templates, including:

* AWS CloudFormation Templates (JSON or YAML format).
* HashiCorp Terraform templates (HCL or JSON format).
* Kubernetes App manifests (JSON or YAML format).

This helps ensure security issues are identified before actual resources are deployed in runtime environments. Build policies also include remediation instructions on how to fix particular security issues once they are detected. Here's how:

### Integrated Plugins/Extensions

[Prisma Cloud DevOps plugins](https://www.paloaltonetworks.com/blog/2020/03/cloud-devops-plugins/) provide real-time feedback for DevOps/developers, enabling them to scan and fix security issues directly in their DevOps processes, going from integrated developer environment (IDE) → Git Repository → CI/CD without needing any additional security tools to detect problems.

Install and configure the [Prisma Cloud plugins](https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security/prisma-cloud-plugins.html#idf361c24b-71ca-48f5-bf7d-4b50fc94cb30) for popular IDEs such as VScode and IntelliJ; Source Control Management systems such as Github and GitLab; and CI/CD tools such as Jenkins, CircleCI, Azure DevOps and GitLab.

### Prisma Cloud IaC API

Interact with the Prisma Cloud IaC scanning API endpoint using tools such as Curl, shell scripts, or Postman to inspect IaC templates. The Prisma Cloud team recommends that you use the published plugins/extensions to perform IaC scanning, but you can use the IaC APIs directly for integrating with custom tools or specific use cases. See the documentation for [Prisma Cloud IaC Scan REST API](https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security/use-the-prisma-cloud-iac-scan-rest-api.html#id2ac22135-970c-4a14-a597-c67588bb21a7) for more detail.

### IaC Scan via twistcli

If you prefer CLI for IaC scan functionality in your DevOps processes, we have recently added support for IaC Scans in twistcli. Currently, there are more than 100 build policies available out-of-the box that map to CIS standards for AWS, Azure and Google Cloud. In addition, you can create custom build policies that can be utilized during IaC scans.

## **An Example Policy**

When you navigate to the Policy tab in Prisma Cloud, you will see filters to identify build policies with just an IaC scan component or "run and build" policies that include both relational query language (RQL) rules and IaC scan rules. In this example, I've chosen to surface [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) policies.

![This screenshot shows an example of the Policy tab in Prisma Cloud, surfacing Kubernetes policies.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/cloud-policies.png)

Next, you are shown all policies, which cloud platform they can cover and additional details like policy severity. In my example, I am going to add a policy on running privileged containers, as shown in the screenshot below:

![This screenshot shows what it looks like to add a policy on running privileged containers in Prisma Cloud. This is one example of how the software can make it easy to implement IaC build policies.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/06/add-config.png)

## **More Prisma Cloud Capabilities**

### Support for Terraform 0.12

We have also added support for new Terraform 0.12 features -- new expression syntax, iteration constructs and generalized type systems. A new, improved IaC scan now supports multiple file scans as zip archives, multiple modules, custom variables files and runtime variables.

### GitLab Plugins

We have also released two plugins for GitLab. The GitLab SCM plugin offers IaC scan check during merge request creation and updates. The GitLab CI/CD plugin offers IaC scan during GitLab pipelines as a custom task. Like all our other Prisma Cloud DevOps plugins for [CI/CD](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security), GitLab plugins allow users to set pipeline failure criteria to include security scans as a pass or fail step in the pipeline.

## **The Importance of Integration**

The benefits of IaC for DevOps are well known. It's important to ensure your new infrastructure is [secure and compliant as early as possible](https://www.paloaltonetworks.com/blog/2020/03/cloud-native-security-platform-2/), especially since detecting security issues or misconfigurations in the early build stages can save *significant* resources and greatly reduce the security burden on SecOps. When choosing security solutions for IaC, make sure they integrate with your current pipeline to avoid losing the automation and agility you've already built into your daily DevOps workflows. You can read more about the risks and benefits of IaC templates in the spring 2020 [Unit 42 Cloud Threat Report](https://www.paloaltonetworks.com/resources/research/cloud-threat-report-spring-2020).

*** ** * ** ***

## Related Blogs

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Cloud Native Security: Intention vs. Practice](https://www2.paloaltonetworks.com/blog/cloud-security/cloud-native-security-intention-practice/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Mapping the Cloud Native Security Genome](https://www2.paloaltonetworks.com/blog/2020/06/cloud-native-security-genome/)

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Cloud Security 2021: 4 Key Trends You Shouldn't Miss](https://www2.paloaltonetworks.com/blog/2020/04/cloud-security-2021/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Prisma Cloud Native Security Platform Embeds Security into DevOps Lifecycle](https://www2.paloaltonetworks.com/blog/cloud-security/cloud-native-security-platform-2/)

### [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### The Role of Identity Access Management (IAM) in Cloud Security](https://www2.paloaltonetworks.com/blog/2020/02/cloud-iam-security/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Securing the Software Development Supply Chain](https://www2.paloaltonetworks.com/blog/cloud-security/cloud-software-development-supply-chain/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language