Compliance and Policy Testing
Compliance testing ensures IaC meets regulatory requirements and organizational policies. Unlike generic security testing, compliance validation checks the specific controls mandated by frameworks such as PCI-DSS, HIPAA, or SOC 2. These tests must encode both the technical implementation of a control and the way auditors interpret it.
Automated compliance frameworks map regulatory requirements to technical controls. Each requirement translates into specific IaC patterns that tools can validate. For example, PCI-DSS encryption requirements become checks for encryption-at-rest configurations across all data storage resources.
# compliance-policies.yaml - Compliance policy definitions
policies:
  pci-dss:
    - id: PCI-DSS-3.4
      description: "Render PAN unreadable anywhere it is stored"
      rules:
        - resource_type: aws_s3_bucket
          required_properties:
            server_side_encryption_configuration:
              - rule:
                  apply_server_side_encryption_by_default:
                    sse_algorithm: ["AES256", "aws:kms"]
        - resource_type: aws_rds_cluster
          required_properties:
            storage_encrypted: true
            kms_key_id: "!empty"
        - resource_type: aws_ebs_volume
          required_properties:
            encrypted: true
    - id: PCI-DSS-8.2.3
      description: "Passwords must meet complexity requirements"
      rules:
        - resource_type: aws_db_instance
          forbidden_properties:
            master_password: "*"  # Must use Secrets Manager
  hipaa:
    - id: HIPAA-164.312(a)(2)(iv)
      description: "Encryption and decryption of PHI"
      rules:
        - resource_type: aws_s3_bucket
          required_properties:
            server_side_encryption_configuration: "!empty"
            versioning_configuration:
              status: "Enabled"
        - resource_type: aws_dynamodb_table
          required_properties:
            server_side_encryption:
              enabled: true
    - id: HIPAA-164.312(b)
      description: "Audit controls"
      rules:
        - resource_type: aws_s3_bucket
          required_properties:
            logging_configuration: "!empty"
        - resource_type: aws_rds_cluster
          required_properties:
            enabled_cloudwatch_logs_exports: ["!empty"]

# Compliance test implementation
compliance_tests:
  - name: "PCI-DSS Encryption Validation"
    test: |
      def test_pci_encryption(resources):
          # has_encryption() is a helper supplied by the test harness (not shown here);
          # it inspects the bucket's server_side_encryption_configuration block
          violations = []
          for resource in resources:
              if resource['type'] == 'aws_s3_bucket':
                  if not has_encryption(resource):
                      violations.append({
                          'resource': resource['name'],
                          'requirement': 'PCI-DSS-3.4',
                          'message': 'S3 bucket must have encryption enabled'
                      })
          return violations
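The policy file above shows the rule format but not the engine that evaluates it. The following is an added example (not code from the original page) of a small evaluator for that format, applied to resources shaped like the `planned_values.root_module.resources` entries of `terraform show -json`. The matching semantics are assumptions drawn from the examples: a nested mapping must match recursively (and must hold for every block when Terraform renders a nested block as a list), a list is a set of allowed values, "!empty" requires a present non-empty value, and a forbidden property of "*" means the attribute must not appear in IaC at all. The sample policies and resources are constructed.

```python
NON_EMPTY = "!empty"  # policy marker: attribute must be present and non-empty

def _matches(expected, actual):
    """Recursively check one attribute value against a policy expectation."""
    if expected == NON_EMPTY:
        return actual not in (None, "", [], {})
    if isinstance(expected, dict):
        # Terraform plan JSON renders nested blocks as lists of objects; check each block.
        if isinstance(actual, list):
            return bool(actual) and all(_matches(expected, a) for a in actual)
        return isinstance(actual, dict) and all(
            k in actual and _matches(v, actual[k]) for k, v in expected.items())
    if isinstance(expected, list):  # a list of allowed values
        if isinstance(actual, list):
            return bool(actual) and all(any(_matches(e, a) for e in expected) for a in actual)
        return any(_matches(e, actual) for e in expected)
    return expected == actual

def evaluate(policies, resources):
    """Yield (framework, control id, resource address, message) for each violation."""
    for framework, controls in policies.items():
        for control, rule in ((c, r) for c in controls for r in c["rules"]):
            for res in (r for r in resources if r["type"] == rule["resource_type"]):
                attrs = res.get("values") or {}
                for key, exp in rule.get("required_properties", {}).items():
                    if not _matches(exp, attrs.get(key)):
                        yield (framework, control["id"], res["address"], f"{key} missing or non-compliant")
                for key, forb in rule.get("forbidden_properties", {}).items():
                    # "*" forbids the attribute entirely (e.g. a password literal in IaC)
                    if attrs.get(key) not in (None, "") and (forb == "*" or _matches(forb, attrs[key])):
                        yield (framework, control["id"], res["address"], f"{key} must not be set in IaC")

# Constructed sample: a subset of the PCI-DSS policies above, and resources shaped like
# planned_values.root_module.resources from `terraform show -json` (nested blocks are lists).
SAMPLE_POLICIES = {"pci-dss": [
    {"id": "PCI-DSS-3.4", "rules": [
        {"resource_type": "aws_s3_bucket", "required_properties": {"server_side_encryption_configuration": [
            {"rule": {"apply_server_side_encryption_by_default": {"sse_algorithm": ["AES256", "aws:kms"]}}}]}},
        {"resource_type": "aws_rds_cluster", "required_properties": {"storage_encrypted": True, "kms_key_id": NON_EMPTY}}]},
    {"id": "PCI-DSS-8.2.3", "rules": [
        {"resource_type": "aws_db_instance", "forbidden_properties": {"master_password": "*"}}]}]}
SAMPLE_RESOURCES = [
    {"address": "aws_s3_bucket.cardholder", "type": "aws_s3_bucket", "values": {"server_side_encryption_configuration": [
        {"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}]}},  # compliant
    {"address": "aws_rds_cluster.pan_db", "type": "aws_rds_cluster", "values": {"storage_encrypted": True, "kms_key_id": ""}},
    {"address": "aws_db_instance.legacy", "type": "aws_db_instance", "values": {"master_password": "PLACEHOLDER-literal"}},
]
def run_sample():
    return list(evaluate(SAMPLE_POLICIES, SAMPLE_RESOURCES))
```

Running `run_sample()` reports the RDS cluster (empty `kms_key_id`) and the DB instance (password literal in IaC) while the KMS-encrypted bucket passes, which is the behaviour a pipeline gate would assert on.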
Continuous compliance monitoring extends testing beyond deployment time. Tools can continuously validate that deployed infrastructure maintains compliance with IaC definitions. Drift detection identifies manual changes that might violate compliance requirements, enabling rapid remediation.