Key concepts

Integrated Infrastructure as Code (IaC) is a new version of Snyk IaC that - together with Snyk Cloud - secures cloud configurations across the entire SDLC, from code to deployed cloud environments. Integrated IaC is currently in closed beta. Please reach out to your account team if you would like access.

Snyk Integrated IaC and Cloud have a number of unique concepts, separate from Snyk core concepts such as Projects and Targets.

Environments

A Snyk Environment is an organizing concept that equates to:

  • For integrated IaC environments: an SCM repository, CLI test report, or Terraform Cloud run task report.

  • For deployed Cloud environments: an Amazon Web Services (AWS) account, Azure subscription, or Google Cloud project.

Unlike a Snyk Project, an environment contains scannable entities known as resources. Resources can be interrelated; one resource can be a child or sibling resource of another. Resources also have attributes that can be tested, and these attributes can be misconfigured, which generates Issues. This makes environments and their resources different from Projects.

A Snyk Environment also includes integration settings for a cloud provider. For example, each environment can represent an integration with a different AWS account.

Use the /cloud/environments Snyk API endpoint to retrieve a list of all environments and optionally filter by an attribute such as name or scan status.

Currently supported cloud providers:

Resources

A resource is a cloud infrastructure entity such as an AWS S3 bucket, Identity & Access Management (IAM) role, or Virtual Private Cloud (VPC) flow log.

On each scan, Snyk records the configuration attributes of each resource in an environment.

You can use the /cloud/resources Snyk API endpoint to retrieve a list of all resources for an organization and optionally filter by an attribute such as environment ID, resource ID, or resource type.

For a list of supported resource types for Cloud environments, see the following:

Rules

A security rule checks cloud infrastructure and infrastructure as code (IaC) for misconfigurations that can lead to security problems. Snyk has a set of predefined rules that can be applied to integrated IaC and cloud environments.

An example rule is “S3 bucket does not have all block public access options enabled.” Snyk can scan the configuration of an AWS S3 bucket to determine whether it fails the rule and is therefore exposed to a data breach.

Issues

An issue represents a misconfiguration that can lead to a security problem. It is associated with a resource and a rule. For instance, an AWS S3 bucket can be tested against the rule “S3 bucket does not have all block public access options enabled.” If the bucket fails the rule, Snyk opens a cloud issue.

After Snyk creates an issue, Snyk keeps it open until the misconfiguration is fixed, at which point the issue is closed.

You can view your Organization's issues in the Snyk Web UI. See View cloud issues in the Snyk Web UI.

Compliance standard

A compliance standard is a framework that establishes guidelines and controls for organizations to secure their IT systems and infrastructure. Compliance standards are “versioned,” with versions being released at various cadences. Examples: NIST 800-53 (vRev5), CIS AWS Foundations Benchmark (v1.4.0). Snyk provides a Cloud Compliance Issues report.

See supported compliance standards.

Compliance control

A compliance control is a specific recommendation or guideline from a compliance standard that prescribes how an organization should secure systems or infrastructure. Example: control 2.1.5 of CIS AWS Foundations Benchmark (v1.4.0) is “Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’”. To be compliant with this control, an organization would enable the “block public access” settings for all of their S3 buckets.

Compliance mapping

Snyk “maps” security rules to compliance controls, which means each rule is associated with one or more controls, and each control is associated with one or more rules.

For example, control 2.1.5 of CIS AWS Foundations Benchmark (v1.4.0) is “Ensure that S3 Buckets are configured with ‘Block public access (bucket settings)’” and it maps to the security rule SNYK-CC-00195, which is “S3 bucket does not have all block public access options enabled.”
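The following constructed example (not Snyk's code) shows how the concepts in the Rules, Issues and Compliance mapping sections fit together: a rule is evaluated against the recorded attributes of each S3 bucket resource, every failing bucket opens an issue, and the issue carries the compliance control the rule maps to. The four attribute names are an assumption modelled on the AWS "Block public access" settings.

```python
# Added illustration (constructed, not Snyk code) of how a rule, resource, issue
# and compliance mapping relate; the four S3 attribute names are an assumption.
from dataclasses import dataclass

RULE_ID = "SNYK-CC-00195"  # rule and control IDs as quoted on the page
RULE_TITLE = "S3 bucket does not have all block public access options enabled"
CONTROL = "CIS AWS Foundations Benchmark (v1.4.0) control 2.1.5"
RULE_TO_CONTROLS = {RULE_ID: [CONTROL]}  # compliance mapping (rule -> controls)

# Assumed attribute names for the four block-public-access settings.
BLOCK_PUBLIC_ACCESS_ATTRS = ("block_public_acls", "ignore_public_acls",
                             "block_public_policy", "restrict_public_buckets")

@dataclass
class Resource:
    resource_id: str
    resource_type: str
    attributes: dict

@dataclass
class Issue:
    resource_id: str
    rule_id: str
    controls: list

def fails_block_public_access(resource: Resource) -> bool:
    """True when any of the four settings is not enabled; a missing
    attribute is treated as not enabled (fail closed)."""
    return any(resource.attributes.get(a) is not True
               for a in BLOCK_PUBLIC_ACCESS_ATTRS)

def scan(resources: list) -> list:
    """Apply the rule to each S3 bucket; open one Issue per failing
    bucket, carrying the controls the rule maps to."""
    return [Issue(r.resource_id, RULE_ID, RULE_TO_CONTROLS[RULE_ID])
            for r in resources
            if r.resource_type == "aws_s3_bucket" and fails_block_public_access(r)]

# Constructed sample inventory, as a scan might record it (not real buckets).
SAMPLE = [
    Resource("logs-good", "aws_s3_bucket", dict.fromkeys(BLOCK_PUBLIC_ACCESS_ATTRS, True)),
    Resource("site-bad", "aws_s3_bucket",
             {**dict.fromkeys(BLOCK_PUBLIC_ACCESS_ATTRS, True), "ignore_public_acls": False}),
    Resource("legacy-unset", "aws_s3_bucket", {}),
    Resource("flow-log", "aws_flow_log", {}),  # not an S3 bucket: rule does not apply
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Running the block opens issues for `site-bad` (one setting off) and `legacy-unset` (settings never recorded), and none for the compliant bucket or the flow log.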

Resource mapping

A resource mapping represents a connection from a Cloud resource to an IaC resource. Snyk determines these connections with mapping artifacts that are generated from Terraform state files when the snyk iac capture command is executed locally or in a CI pipeline. Mapping artifacts include details, such as resource IDs, that Snyk uses to derive resource mappings. Snyk triggers mapping runs when mapping artifacts or Cloud environments are created or updated, which in turn creates, updates, or deletes resource mappings for a Snyk Organization. See Fix Cloud issues in IaC.
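To make the resource mapping idea concrete, here is a constructed example (not the snyk iac capture implementation, and not Snyk's mapping-artifact format): it reads the standard Terraform state JSON layout, keeps only the resource identifiers as a minimal artifact, and resolves Cloud resource IDs back to the IaC address that manages them. The state content and the account ID are constructed sample data.

```python
# Added illustration of deriving resource mappings from Terraform state: this is
# constructed example code, not the snyk iac capture implementation or its
# mapping-artifact format. It reads the standard Terraform state JSON layout.
import json

# Constructed Terraform state (version 4 layout) with one bucket and one role.
STATE_JSON = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "site",
         "instances": [{"attributes": {"id": "site-bad",
                                       "arn": "arn:aws:s3:::site-bad"}}]},
        {"mode": "managed", "type": "aws_iam_role", "name": "deploy",
         "instances": [{"attributes": {"id": "deploy-role",
                                       "arn": "arn:aws:iam::123456789012:role/deploy-role"}}]},
    ],
})

def capture_artifact(state_json: str) -> dict:
    """Reduce a state file to {cloud resource id -> IaC address}; only the
    identifiers are kept, not the full attribute set. Both 'id' and 'arn'
    are indexed because a cloud scan may report either form."""
    artifact = {}
    for res in json.loads(state_json)["resources"]:
        if res.get("mode") != "managed":
            continue  # data sources are not deployed resources
        address = f'{res["type"]}.{res["name"]}'
        for inst in res["instances"]:
            attrs = inst.get("attributes", {})
            for key in ("id", "arn"):
                if key in attrs:
                    artifact[attrs[key]] = address
    return artifact

def map_cloud_resources(cloud_resource_ids: list, artifact: dict) -> dict:
    """Resource mapping: each Cloud resource id resolves to the IaC address
    that manages it, or None when no state entry claims it (unmanaged)."""
    return {rid: artifact.get(rid) for rid in cloud_resource_ids}

if __name__ == "__main__":
    art = capture_artifact(STATE_JSON)
    print(map_cloud_resources(["arn:aws:s3:::site-bad", "arn:aws:s3:::unmanaged"], art))
```

A Cloud issue on `arn:aws:s3:::site-bad` resolves to `aws_s3_bucket.site`, which is where the fix belongs in code; a bucket absent from state maps to None and cannot be fixed through IaC.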
