Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

7.2. Secure Resource Deployment

Governance isn't just about policies — it's about ensuring every resource deployed into your environment meets security standards before it goes live. Without secure deployment practices, developers deploy CloudFormation templates with security group rules allowing 0.0.0.0/0, create S3 buckets without encryption, and provision resources with no tags — creating governance gaps that accumulate over time. Think of secure deployment like quality control on a manufacturing line: inspecting products after they're shipped is expensive and unreliable, but building quality checks into the production process catches defects before they reach customers. What happens when deployment security is optional rather than enforced? Non-compliant resources proliferate, drift from baselines goes undetected, and remediation becomes a never-ending game of whack-a-mole.

This section covers infrastructure as code security, resource tagging strategies, centralized policy enforcement, and cross-account resource sharing.

Scenario: A developer deploys a CloudFormation template that creates an EC2 instance with a security group allowing SSH from 0.0.0.0/0. Without pre-deployment validation, the non-compliant resource goes live.

Reflection Question: Why is validating IaC templates before deployment more effective than detecting and remediating non-compliant resources after deployment?
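A pre-deployment gate for the scenario above, written as an added example rather than course material: it parses a CloudFormation template and rejects the three defects this section names (admin ports open to 0.0.0.0/0, S3 buckets without encryption, resources missing required tags). The sample template, the `Owner`/`CostCenter` tag standard and the JSON template format are assumptions.

```python
import json

# Constructed sample template: SSH open to the world, plus an unencrypted, untagged bucket.
TEMPLATE_JSON = r'''{
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ],
        "Tags": [{"Key": "Owner", "Value": "team-web"}]
      }
    },
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}'''

ANYWHERE = {"0.0.0.0/0", "::/0"}         # CIDRs meaning "the whole internet"
ADMIN_PORTS = {22, 3389}                 # SSH and RDP
REQUIRED_TAGS = {"Owner", "CostCenter"}  # assumed organisational tagging standard

def rule_exposes_admin_port(rule: dict) -> bool:
    """True if an ingress rule opens SSH/RDP (or all traffic) to the world."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr not in ANYWHERE:
        return False
    if str(rule.get("IpProtocol")) == "-1":  # -1 means every protocol and port
        return True
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return any(lo <= port <= hi for port in ADMIN_PORTS)

def validate_template(template_text: str) -> list:
    """Return policy findings; an empty list means the template may deploy."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule_exposes_admin_port(rule):
                    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                    findings.append(f"{name}: ingress {rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}")
        if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(f"{name}: S3 bucket without BucketEncryption")
        missing = sorted(REQUIRED_TAGS - {t.get("Key") for t in props.get("Tags", [])})
        if missing:
            findings.append(f"{name}: missing required tags {', '.join(missing)}")
    return findings
```

Wired into a CI step that fails the pipeline when `validate_template` returns anything, the non-compliant template never reaches the account; the HTTPS rule on port 443 is deliberately left alone so the check only blocks the exposure the policy names.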

Written by Alvin Varughese (Founder, 15 professional certifications)