* [Blog](https://www.paloaltonetworks.com.au/blog)
* [Cloud Security](https://www.paloaltonetworks.com.au/blog/cloud-security/)
* [DevSecOps](https://www.paloaltonetworks.com.au/blog/cloud-security/category/devsecops/)
* How To Prevent the IaC Mi...

# How To Prevent the IaC Misconfiguration Snowball Effect

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fiac-misconfiguration-snowball-effect%2F)  
[](https://twitter.com/share?text=How+To+Prevent+the+IaC+Misconfiguration+Snowball+Effect&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fiac-misconfiguration-snowball-effect%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fcloud-security%2Fiac-misconfiguration-snowball-effect%2F&title=How+To+Prevent+the+IaC+Misconfiguration+Snowball+Effect&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/cloud-security/iac-misconfiguration-snowball-effect/&ts=markdown)  
\[\](mailto:?subject=How To Prevent the IaC Misconfiguration Snowball Effect)  
Link copied  
By [Payton O'Neal](https://www.paloaltonetworks.com/blog/author/payton-oneal/?ts=markdown "Posts by Payton O’Neal")  
Jan 03, 2023  
4 minutes  
[DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)  
[Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)  
[IaC](https://www.paloaltonetworks.com/blog/tag/iac/?ts=markdown)  
[Misconfigurations](https://www.paloaltonetworks.com/blog/tag/misconfigurations/?ts=markdown)  
[policy as code](https://www.paloaltonetworks.com/blog/tag/policy-as-code/?ts=markdown)

The goal with [infrastructure as code](https://www.paloaltonetworks.com/blog/prisma-cloud/what-is-infrastructure-as-code-the-best-way-to-fully-control-your-cloud-configuration/) (IaC) frameworks such as Terraform and CloudFormation is to make infrastructure provisioning more efficient. Through a combination of automation and either imperative or declarative configuration, IaC makes it easier to deploy the same environment consistently and repeatedly.

IaC's immutability and machine readability are huge advantages when it comes to building, deploying and testing infrastructure. It allows for storing and versioning of infrastructure, making it easier to manage, collaborate and audit. It also allows teams to test --- and secure --- infrastructure just as they would with any other code. But without the right approach, IaC can pose a disadvantage when it comes to security and compliance.

## **Misconfigurations-As-Code**

With [infrastructure as code](https://www.paloaltonetworks.com/cyberpedia/what-is-iac), all you need to deploy identical and purpose-built environments is defined and contained within your configuration files. This makes it incredibly easy to repeat and reuse at scale.

But what if that configuration is missing a security control or contains a security flaw?

When that happens, the value of using IaC to deploy at scale then becomes a nightmare when misconfigured IaC snowballs into tons of policy violations across multiple deployments or environments.
![One IaC misconfiguration in build-time can propagate across hundreds of deployments, which results in thousands of alerts for security teams to triage and fix.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/01/IaC-Misconfiguration-1.png "IaC misconfiguration")
One IaC misconfiguration in build-time cascades into thousands of security alerts.

In the figure above, you can see how a single misconfiguration pre-deployment can propagate across hundreds of deployments, resulting in thousands of alerts for security teams. This so-called "snowball effect" happens when security tooling and infrastructure development practices don't align and can negatively impact all parties involved.

### **Alert Triage Time**

With manual or script-based cloud provisioning and runtime security monitoring in place, an unencrypted S3 bucket being provisioned should result in a few alerts. However, with logging and sufficient audit trails, it's relatively easy to tie alerts to the exact resource in question and determine when, where, why and how the misconfiguration was introduced.

With cloud resources provisioned with IaC, it's not as straightforward. It's more of a challenge (or requires additional infrastructure) to find the file and exact resource block that caused the issue. And with the snowball effect of IaC, the volume of alerts is much higher, which means infosec and DevOps have to spend considerably more time triaging issues. Those issues, in turn, snowball into tons of Jira or ServiceNow tickets that developers then need to address.

### **Productivity Decrease**

By the time a ticket reaches the right developer on the right team, the code in question is likely far behind them. And in that period, they've probably lost the full context of the resource or why the change was made in the first place. So tracing their steps and switching back into that context takes time.

Then, when the change is finally made, committed and reviewed, it will need to go through your build pipeline to be deployed once again. All of this is time wasted that could be spent building new features and creating business value.

## **Shift Left or Drift Trying**

[Addressing issues at their source](https://www.paloaltonetworks.com/blog/prisma-cloud/a-primer-on-secure-devops-learn-the-benefits-of-these-3-devsecops-use-cases/) and making the most of IaC's immutability is the key to avoiding the snowball effect. Once a misconfiguration is identified, all you have to do is destroy and recreate it. That way, the old cloud resource is wiped out, a new, secure resource is put in its place and your configuration files are always aligned to what's actually deployed.

Unfortunately, this doesn't always happen. Whether a hasty change gets made during a security incident or miscommunications result in out-of-band alterations, configuration drift is inevitable. Drift occurs when a resource in a running environment no longer matches its corresponding defined configurations. Although drift doesn't always pose a security risk (often drift occurs when misconfigurations are fixed *in situ* by teams less familiar with the configuration that provisioned them), it should be avoided.

When drift occurs, your IaC code becomes less useful, and its benefits (versioning, auditability, repeatability) are no longer. Drift can also exacerbate the snowball effect of IaC. If misconfigurations aren't addressed at the source, they will be resurfaced, and the cycle repeated every single time that IaC gets deployed.

To prevent the snowball effect of IaC misconfigurations, security and development teams need to work together to [embed security as early in the DevOps lifecycle](https://www.paloaltonetworks.com/blog/prisma-cloud/addressing-security-throughout-infra-devops-lifecycle/). With the right tooling in place to periodically and continuously scan code---on developers' local workstations, within shared repositories and via CI pipelines---organizations can get visibility into misconfigurations before they're deployed. By [shifting security left](https://www.paloaltonetworks.com/cyberpedia/shift-left-security), teams can cut back on runtime errors and configuration drift and improve time-to-fix while the context is still fresh.

Interested in learning more about shifting your IaC security left? Read our [DevSecGuide to Infrastructure as Code](https://www.paloaltonetworks.com/resources/whitepapers/devsecguide-to-infrastructure-as-code)!

*** ** * ** ***

## Related Blogs

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### How To Prevent the 5 Most Common Software Supply Chain Weaknesses](https://www.paloaltonetworks.com.au/blog/cloud-security/common-software-supply-chain-weaknesses/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Top 6 Considerations for Integrating Cloud Security and GitOps](https://www.paloaltonetworks.com.au/blog/cloud-security/6-considerations-for-integrating-cloud-security-and-gitops/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Crawl, Walk, Run: Operationalizing Your IaC Security Program](https://www.paloaltonetworks.com.au/blog/cloud-security/how-to-implement-an-infrastructure-as-code-security-program/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### Infrastructure as Code Security and AppSec: Streamlined DevSecOps From App to Infra](https://www.paloaltonetworks.com.au/blog/cloud-security/infrastructure-as-code-security-and-appsec-streamlined-devsecops/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### 6 Key Kubernetes DevSecOps Principles: People, Processes, Technology](https://www.paloaltonetworks.com.au/blog/cloud-security/kubernetes-devsecops-principles/)

### [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown)

[#### 9 Essential Infrastructure Security Considerations for Kubernetes](https://www.paloaltonetworks.com.au/blog/cloud-security/kubernetes-infrastructure-security-considerations/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language