Updated: Nov 04, 2025

ControlMonkey Supports Existing Pipelines Integration

Zack Bentolila

Marketing Director

Meeting Teams Where They Are

Until now, ControlMonkey’s automation engine managed the full Infrastructure as Code (IaC) lifecycle – plan, apply, and governance – through our managed pipeline. With the new IaC Pipeline Integration, ControlMonkey now connects directly to the pipelines you already use: Jenkins, GitHub Actions, GitLab CI, or Atlantis.

We call this the Bring Your Own Pipeline (BYOP) model: a way for teams to keep their existing workflows while adding ControlMonkey’s policy, visibility, and audit layers on top. The new IaC Pipeline Integration fits into this approach.

Your pipeline stays the same. ControlMonkey adds governance, audit, and visibility around it.

Introducing IaC Pipeline Integration

ControlMonkey can connect directly with your CI/CD systems to evaluate IaC plans, enforce policies, and centralize visibility across all environments. This new IaC integration ensures your pipeline is part of a robust infrastructure.

Key Capabilities

  • Works with any IaC pipeline – Integrate with Jenkins, GitHub Actions, GitLab CI, Atlantis, or your home-grown solution.
  • Built-in policy evaluation – Automatically check plans against cost, compliance, and security rules and provide a feedback loop.
  • Unified visibility – Track all plans and applies across teams from one dashboard covering your existing pipeline and ControlMonkey.
  • No pipeline migration required – Integrate ControlMonkey in minutes, with no need for training or enablement for the wider team.

“Our goal isn’t to change the way teams work – it is to strengthen it. That’s why we added IaC Pipeline Integration to ControlMonkey to help with delivery flows to add governance, visibility, and audit control – not slow the team down.”

Ori Yemini,

CTO

How Does IaC Pipeline Integration Work?

  1. Keep your existing pipeline.
    Continue running Terraform, OpenTofu, or other IaC frameworks in Jenkins, GitHub Actions, GitLab CI, or Atlantis – no change to your setup.
  2. Add a ControlMonkey step after the plan.
    After your pipeline runs the plan phase, send the plan output to ControlMonkey through a simple API call.
  3. ControlMonkey evaluates the plan.
    The platform checks the plan against defined cost, security, and compliance policies, then returns a clear result and detailed findings.
  4. Run Terraform/OpenTofu apply as usual.
    Your pipeline continues to apply infrastructure changes as before.
  5. Send apply logs for visibility.
    Apply logs are sent to ControlMonkey, creating a complete audit trail and deployment history across environments. This is a crucial step of IaC Pipeline Integration.

This setup takes just a few configuration lines. After that, your pipelines gain ControlMonkey’s governance, compliance, and audit capabilities – without moving or refactoring anything.

Benefits of IaC Pipeline Integration to ControlMonkey

IaC Pipeline Integration gives organizations a consistent governance layer across their deployments. ControlMonkey provides a unified view of infrastructure activity – ensuring every deployment is compliant, traceable, and auditable. With the integration of IaC pipelines, these benefits expand even further.

Teams can:

  • Apply cost, security, and compliance rules consistently across environments.
  • Review every change from one interface.
  • Provide instant audit evidence for SOC 2, ISO 27001, or internal compliance.
  • Detect configuration drift and prevent policy violations before they reach production.

Ready to connect your pipeline?

Connect ControlMonkey to your existing IaC pipelines and standardize governance across Terraform, OpenTofu, and beyond. Join our next Product Showdown to see it in action.

Author

Zack Bentolila

Marketing Director

Zack is the Marketing Director at ControlMonkey, with a strong focus on DevOps and DevSecOps. He was the Senior Director of Partner Marketing and Field Marketing Manager at Checkmarx. There, he helped with global security projects. With over 10 years in marketing, Zack specializes in content strategy, technical messaging, and go-to-market alignment. He loves turning complex cloud and security ideas into clear, useful insights for engineering, DevOps, and security leaders.

    Updated: Oct 09, 2025

    New Security Posture Dashboard

    Zack Bentolila

    Marketing Director

    We’re excited to introduce the Security Posture Dashboard: a unified view of existing cloud vulnerabilities across your cloud accounts, regions, and vendors. The goal is to give Security and DevSecOps teams a clear, detective lens into their current security posture, so they can understand the risks already present in their environments and decide where to focus first.

    The Security Posture Dashboard surfaces all vulnerabilities in your cloud infrastructure, regardless of Infrastructure as Code (IaC) coverage. This complements the IaC Risk Index, which focuses on the intersection of vulnerabilities and IaC coverage, showing which risks could be prevented by shifting to automation.

    While some vendors help you see what’s missing from IaC, the ControlMonkey IaC Platform shows you every security exposure across your cloud, whether IaC-managed or not.

    Introducing Security Posture Dashboard

    With the new dashboard, you can:

    • Unify visibility into vulnerabilities across every cloud environment.
    • Drill down instantly by account, region, vendor, or resource type.
    • Filter by severity to prioritize the most urgent exposures.
    • Spot misconfigurations such as public IPs, open ports, or weak database setups.
    • Connect findings to IaC strategy and prevent issues with automation and quality gates.

    Linking Cloud Security to IaC Coverage

    By combining the Security Posture Dashboard with the IaC Risk Index, organizations can see not only what risks exist, but also how much those risks shrink when infrastructure is fully governed by IaC.

    • Security teams and DevSecOps gain a complete picture of all vulnerabilities in the cloud – regardless of IaC coverage.
    • Cloud and DevOps leaders can demonstrate the measurable reduction in risk when moving workloads into IaC pipelines.

    For Cloud and DevOps leaders, the IaC Risk Index adds an essential layer of context. By showing the overlap between vulnerabilities and IaC coverage, we can see which risks we can prevent. This creates a clear link between using IaC and lower security risks. It gives leaders the proof they need to push for automation, improve governance, and show progress to stakeholders.

    Learn More about Security Posture Dashboard

    Explore the new Security Posture Dashboard in our upcoming Product Showdown.

      Frequently Asked Questions

      The Security Posture Dashboard is a detective view of all existing vulnerabilities across your cloud accounts, regions, and vendors. It helps Security and DevSecOps teams understand their current risk exposure and decide where to focus remediation efforts.

      The Security Posture Dashboard shows all vulnerabilities, regardless of Infrastructure as Code (IaC) coverage. The IaC Risk Index shows the intersection of vulnerabilities and IaC coverage, highlighting which risks could be prevented by adopting IaC automation.

      The dashboard is designed primarily for Security and DevSecOps teams, but it also helps Cloud and DevOps leaders quantify risk reduction when shifting workloads into IaC pipelines.

      No. The Security Posture Dashboard is a detective tool that reveals existing vulnerabilities in your infrastructure. Prevention comes when you combine it with ControlMonkey’s IaC automation capabilities and guardrails, as reflected in the IaC Risk Index.

      Yes. The Security Posture Dashboard provides visibility across cloud accounts, regions, and vendors, giving a unified view of vulnerabilities in AWS, Azure, GCP, and more.

      Updated: Sep 17, 2025

      More Visibility: Cloud Compliance Dashboard

      Zack Bentolila

      Marketing Director

      With customers like Rapyd, Coralogix, and ReasonLabs already benefiting from compliance visibility, ControlMonkey is raising the bar for proactive cloud governance.

      For teams managing their Terraform, OpenTofu, or Terragrunt environments, compliance is often a moving target. The new Cloud Compliance Dashboard in ControlMonkey delivers a unified, drill-down view into your compliance posture across AWS, Azure, and GCP, helping you identify gaps before they turn into risks.

      Introducing Cloud Compliance Dashboarding

      The Compliance Dashboard gives DevOps and Cloud managers the ability to select relevant standards, track consolidated scores, and drill down into failed controls and resources.

      Supported frameworks include:

      • CIS Benchmarks (2.0, 2.1, 3.0)
      • PCI DSS 4.0
      • HIPAA Security Rule
      • MITRE ATT&CK
      • ENS_RD2022 (Spanish National Security Framework)
      • DORA Regulation
      • And more – Full List below

      Teams can move from high-level compliance scores down to specific failed checks, pinpoint which resources triggered non-compliance (for example, an exposed EC2 instance), and shift compliance from reactive audits to proactive prevention.

      Stay Ahead with Cloud Governance and Infrastructure Control

      The dashboard provides decision-makers with measurable clarity. Teams can continuously check compliance instead of just reacting to audit findings. They can enforce IaC policies on a large scale and strengthen infrastructure pipelines. This means:

      • Improved visibility into your compliance score
      • Reduced risk with drill-down checks at the resource level
      • IaC alignment through proactive enforcement
      • Scalable governance across multi-cloud environments

      “When teams gain full visibility and proactive compliance controls, they stop reacting to problems and start preventing them. That’s how you consistently raise your compliance score,” said Ori Yemini, CTO, ControlMonkey.

      Customer Perspectives

      Two ControlMonkey customers already enjoying full IaC coverage visibility:

      More IaC coverage means fewer security issues — period. What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can finally collaborate by design, that’s when security actually works

      Nir Rothenberg

      CISO

      As a company that manages huge clusters of AWS resources, the ControlMonkey Platform and specifically its GitOps pipeline capabilities is an integral part of our infrastructure deployment process, enabling us to shift left our infrastructure policies, best practices, and guardrails to make sure our production environment is stable, compliant and secure

      Yoni Farin

      Coralogix

      See it for yourself

      Join our next Product Showdown to experience the Cloud Compliance Dashboard in action.

      Supported Frameworks

      Find below the full list of supported frameworks by cloud provider:

      AWS

      • CISA
      • SOC 2
      • CIS Benchmarks (1.4, 1.5, 2.0, 3.0, 4.0.1, 5.0)
      • MITRE ATT&CK
      • GDPR
      • AWS Foundational Security Best Practices
      • ISO/IEC 27001:2013 & 2022
      • KISA ISMS-P 2023 (incl. Korean version)
      • HIPAA Security Rule
      • GxP 21 CFR Part 11
      • GxP EU Annex 11
      • NIST 800-171 Rev 2
      • NIST 800-53 Rev 4 & Rev 5
      • PCI DSS 4.0 & PCI DSS 3.2.1
      • AWS Well-Architected Framework (Security & Reliability Pillars)
      • AWS Account Security Onboarding
      • AWS Foundational Technical Review
      • AWS Audit Manager Control Tower Guardrails
      • NIST Cybersecurity Framework (CSF) 1.1
      • ENS_RD2022
      • RBI Cyber Security Framework
      • FFIEC Cybersecurity Assessment
      • FedRAMP (Low & Moderate, Rev 4)
      • NIS2 Directive

      Azure

      • PCI DSS 4.0
      • SOC 2
      • ISO/IEC 27001:2022
      • CIS Benchmarks (2.0, 2.1, 3.0, 4.0)
      • ENS_RD2022
      • MITRE ATT&CK
      • NIS2 Directive

      GCP

      • MITRE ATT&CK
      • SOC 2
      • CIS Benchmarks (2.0, 3.0, 4.0)
      • ENS_RD2022
      • PCI DSS 4.0
      • ISO/IEC 27001:2022
      • NIS2 Directive
        Frequently Asked Questions About Cloud Compliance

        Nope. The laws themselves (like PCI DSS, HIPAA, GDPR) are the same globally.
        What changes is how they are implemented in each cloud.
        For example, CIS Benchmarks have AWS, Azure, and GCP-specific versions to match each platform’s services.

        Yes. The dashboard lets you move from an overall compliance score down to failed controls and specific failed checks, including the exact resource that caused the failure.

        ControlMonkey supports dozens of frameworks across AWS, Azure, and GCP, including CIS Benchmarks, PCI DSS, HIPAA, ISO 27001, NIST, SOC 2, GDPR, NIS2, FedRAMP, and more. The full list is just above.
        Each framework is mapped per cloud provider to reflect provider-specific services.

        Updated: Nov 09, 2025

        Azure Organization Integration Support 

        Aharon Twizer

        CEO & Co-founder

        Azure Organization Integration is now available in ControlMonkey, making it easier than ever for enterprises to govern and scale their Azure environments. For teams managing their Terraform, OpenTofu, or Terragrunt deployments across multiple subscriptions, this integration eliminates the need to onboard subscriptions one by one – delivering instant visibility, compliance, and automation at scale.

        Introducing Azure Organization Integration

        With Azure Organization Integration, ControlMonkey now supports seamless onboarding across dozens—or even hundreds—of Azure subscriptions in just a click.
        You can also control which subscriptions connect to ControlMonkey by choosing one or more Azure Management Groups.

        Top benefits include:

        • One-click onboarding for all Azure subscriptions
        • Unified cloud inventory across the entire Azure footprint
        • Automated backups spanning every subscription
        • Consistent IaC governance across cloud environments
        • Enterprise-ready scale to support regulated and governed organizations

        “For enterprises operating Azure at scale, onboarding and governance must be frictionless. With Azure Organization Integration, we’re giving customers complete visibility, backup, and IaC governance across every subscription in just one step.”

        Ori Yemini

        CTO, ControlMonkey

        ControlMonkey for Cloud Governance 

        By extending our multi-cloud enterprise capabilities, Azure Integration ensures teams:

        • Gain visibility across all Azure subscriptions without manual setup
        • Reduce risk with governed, consistent controls across accounts
        • Strengthen IaC adoption and compliance at enterprise scale
        • Confidently operate in regulated environments with full coverage

        Ready to take control?

        Explore Azure Organization today and bring order to your multi-subscription cloud. Learn more in our Product Showdown next week.

        Author

        Aharon Twizer

        CEO & Co-founder

        Co-Founder and CEO of ControlMonkey. He has over 20 years of experience in software development. He was the CTO of Spot.io, which was bought by NetApp for more than $400 million. There, he led important tech innovations in cloud optimization and Kubernetes. He later joined AWS as a Principal Solutions Architect, helping global partners solve complex cloud challenges. In 2022, he started ControlMonkey to help DevOps teams discover, manage, and scale their cloud infrastructure with Infrastructure as Code. Aharon loves creating tools that help engineering teams. These tools make it easier to manage the complexity of modern cloud environments.

          Frequently Asked Questions About Azure Organization Integration

          Azure Organization Integration allows enterprises to connect all their Azure subscriptions in one step, instead of onboarding each subscription individually. It is especially valuable for teams managing Terraform, OpenTofu, or Terragrunt at scale.

          It simplifies onboarding, provides full cloud inventory, enables automated backups, and ensures IaC governance across every subscription, which is critical for large and regulated environments.

           Yes. Just like AWS Organization and GCP Organization integration, Azure Organization Integration extends multi-cloud enterprise governance and IaC coverage. Read More about GCP Organization Support. 

           No. With Azure Organization Integration, you can onboard dozens or even hundreds of subscriptions in one click.

          Updated: Nov 26, 2025

          IaC Risk Index

          Zack Bentolila

          Marketing Director

          Today, ControlMonkey is proud to announce the launch of the IaC Risk Index. The IaC Risk Index is a new part of the IaC Platform that transforms the dialogue surrounding cloud security between DevOps and Security teams by highlighting the security discrepancies between infrastructure deployment and cloud-related risks. It provides a comprehensive perspective that correlates Terraform coverage with security vulnerabilities, enabling teams to identify weaknesses, comprehend their origins, and implement measures for remediation.

          Introducing the IaC Risk Index

          The IaC Risk Index enhances cloud security by providing clarity and control in five key aspects:

          IaC-Aware Risk Scoring

          A color-coded benchmark that helps teams assess risk posture by environment. In production, green is the goal—anything less is exposure:

          • 🔴 Red (<50% coverage): High risk. Most infrastructure is unmanaged.
          • 🟠 Orange (50–80%): Medium risk. Some governance, but critical gaps remain.
          • 🟡 Yellow (80–90%): Low risk. Strong coverage, not yet complete.
          • 🟢 Green (90–100%): Full control. Infrastructure is governed by code, policy, and pipeline.

          Vulnerability Mapping by Delivery Method

          See whether a vulnerable resource was created manually, drifted from code, or fully governed:

          • Unmanaged: ControlMonkey imports the resource into Terraform, remediates with a secure-by-default fix, and enforces governance policies.
          • Managed but Drifted: Drift is resolved first, then an IaC-based security patch is applied with proactive policies.
          • Managed and In-Sync: ControlMonkey patches directly in Terraform and ensures compliance is maintained.

          Coverage Gap Detection

          Instantly identify which resources fall outside Terraform governance—and why.

          One-Click Remediation

          Import unmanaged resources, generate compliant code, and resolve risk at the source.

          Shared Dashboard for Cloud & Security

          Align both teams around a single, real-time view of infrastructure coverage and risk exposure.

           

          ControlMonkey’s IaC Risk Index provides a unified view of infrastructure risk by mapping IaC coverage to active cloud vulnerabilities—enabling precise, policy-driven remediation.

          What’s behind IaC Risk Index

          “We found that unmanaged infrastructure—resources not governed by Terraform or delivered through a secure pipeline – carry up to 2x the security risk of governed resources,” said Aharon Twizer, CEO and co-founder of ControlMonkey.

          “And yet, most enterprises can’t answer a basic question: What percentage of our infrastructure is governed by code? Our research shows actual coverage is typically 30–40% lower than teams assume—highlighting significant hidden risk.”

          IaC Risk Index from a CISO Perspective

          “More IaC coverage means fewer security issues – period,” said Rapyd CISO Nir Rothenberg. “What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can finally collaborate by design, that’s when security actually works.”

          Nir Rothenberg

          CISO at Rapyd about the new security release of ControlMonkey

          What’s in It for Me? Why look into Cloud Risk Now?

          The IaC Risk Index empowers cloud and security leaders to:

          1. Improve visibility into unmanaged or drifted infrastructure
          2. Reduce risk by exposing vulnerabilities at their origin – delivery
          3. Strengthen IaC alignment with secure-by-default remediation
          4. Scale confidently with a governance model that’s measurable and proactive

          Explore the IaC Risk Index today

          The IaC Risk Index is available now to all ControlMonkey customers at no additional cost.
          New to ControlMonkey? Access an IaC Risk Assessment as part of our onboarding and discovery process. Learn more and request a meeting.

            FAQs

            It provides visibility into IaC coverage gaps, correlates those gaps with active security vulnerabilities, and guides precise, state-aware remediation. This enables security and DevOps teams to reduce risk before it reaches production.

            It also supports OpenTofu, Terragrunt, and CloudFormation.

            The IaC Risk Index is available to all ControlMonkey customers at no additional cost. New users can also access it as part of a free IaC Risk Assessment during onboarding.

            Updated: Nov 25, 2025

            Email Alerts for IaC Events in ControlMonkey

            Zack Bentolila

            Marketing Director

            Cloud Infrastructure changes happen fast. With ControlMonkey you already get alerts in Slack or Teams — but sometimes, email just makes more sense. Now you can get ControlMonkey notifications in your inbox too.

            Introducing Email Notifications in ControlMonkey

            You can now receive ControlMonkey alerts via email — giving your teams more flexibility in how and where they stay informed.

            • Get notified when drift and ClickOps are detected, a plan starts, or a deploy completes
            • Route alerts to individual users or shared team inboxes
            • Use email alongside Slack or Teams for layered visibility
            • Configure per namespace (e.g. project) for a clear audience

            Stay Ahead with Cloud Governance and Infrastructure Control

            This small update allows DevOps and SRE teams the flexibility to receive notifications across various platforms, rather than being confined to just one channel. It supports stronger governance, faster response, and better alignment with incident workflows and team preferences.

            Whether you’re monitoring Terraform plans, managing approvals, or tracking production changes, ControlMonkey ensures you’re always informed.

            FAQs

            1. Slack (via Slack Webhook or Slack App)
            2. Microsoft Teams (via Teams Webhook)
            3. Email

            You can subscribe to notifications for a variety of events, including:

            • AWS Console Operations – when someone performs an action directly through the AWS Console.
            • Deployment Started – when ControlMonkey begins applying infrastructure changes.
            • Deployment Finished – when infrastructure changes have been successfully completed.
            • Deployment Failed – when an attempt to apply infrastructure changes has failed.
            • Approval Required – when a deployment is paused and awaiting user approval.
            • Approval Timeout – when a deployment is cancelled because it was waiting too long for approval.
            • Policy Violation Approval Required – when a deployment is waiting for approval after failing internal policy checks.
            • Drift Detected – when differences between your planned infrastructure and actual resources are detected.
            • Plan Started – when ControlMonkey starts preparing a set of changes.
            • Plan Finished – when preparation of infrastructure changes is completed successfully.
            • Plan Failed – when preparation of infrastructure changes encounters an error.

            You can set notifications at multiple levels to best suit your needs:

            • Entire Organization
            • Specific Namespace (a logical group of stacks)
            • Specific Stack (an individual set of infrastructure defined by Terraform)
            • Cloud Provider Account (for example, a particular AWS account)

            This granularity ensures you’re informed about exactly what’s important to you, avoiding unnecessary noise.

              Updated: Jan 20, 2026

              Enforce Module-Only Resource Provisioning with new Control Policy

              Modern DevOps teams rely on Terraform and Terraform modules. Using Terraform modules is a best practice for making sure your entire organization follows your security and compliance controls. By using modules you create pre-defined, compliant blueprints of what good infrastructure looks like. Many of our customers have a problem: how can we ensure that everyone in the organization uses our modules? How can Terraform provisioning be easy? What if an engineer uses a “plain” Terraform resource instead of the module we created for it?

              Sadly, when engineers bypass the agreed modules and use raw cloud resources, it breaks the governance of the cloud teams. That’s why ControlMonkey now enforces Module-Only Resource Provisioning, ensuring every infrastructure component is created through your approved Terraform modules, not improvised code.

              Introducing: Enforce Module-Only Resource Provisioning

              Let’s take a real example. You’ve built a secure internal module that provisions an AWS S3 bucket—or maybe an Azure Storage Account. You’ve tested it, tagged it, locked in the right enforcements. But someone on the team skips the module and spins up a bucket with raw Terraform code or an external template.

              Now you’ve got untagged resources, inconsistent naming, or worse—security gaps.

              With our latest control policy, you can stop this before it happens. You can see how teams provision resources with Terraform, giving you full confidence in your IaC standards:

              • Enforce resource creation only via approved Terraform modules
              • Catch module violations at PR time or through ongoing scans
              • Prevent unauthorized use of raw resource blocks or external modules
              • Strengthen cost tagging, security, and compliance through IaC
              • Eliminate configuration drift caused by inconsistent provisioning practices

              Stay Ahead with Cloud Governance and Terraform Provisioning

              Writing good Terraform modules is one thing, but enforcing their use across the organization is a whole different ball game.
              With the right policies in place and robust, centralized automation, you can do it.

              With ControlMonkey you enforce how YOUR infrastructure is provisioned—from the first line of code.

              Explore Module-Only Resource Provisioning in ControlMonkey today.

              Frequently Asked Questions About Terraform Provisioning

              What is module-only resource provisioning in Terraform?

              Module-only resource provisioning ensures that certain Terraform resources—like AWS S3 buckets or Azure storage accounts—can only be created using your pre-approved modules. This prevents developers from using raw Terraform resource blocks or unauthorized modules, maintaining consistency and governance across infrastructure.

              Why is module enforcement important in IaC provisioning?

              Enforcing the use of modules ensures that infrastructure is provisioned using tested, secure, and compliant code. It helps prevent misconfigurations, untagged resources, and drift—common issues that arise when teams bypass shared standards in Infrastructure as Code (IaC) workflows.

              How does ControlMonkey enforce Terraform provisioning policies?

              ControlMonkey applies provisioning policies during pull requests and via ongoing scans of your Terraform codebase. If someone tries to provision a resource outside the allowed modules, ControlMonkey flags or blocks the action—ensuring compliance from day one through Day 2 operations.
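              The kind of check described above can be sketched against Terraform's own plan JSON. This is an added example, not ControlMonkey's code: the plan excerpt is constructed, and the `POLICY` mapping, module names and Git URL are assumptions.

```python
import json
import re

# Constructed excerpt of `terraform show -json` plan output (not from the page).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.logs.aws_s3_bucket.this", "module_address": "module.logs",
   "type": "aws_s3_bucket", "change": {"actions": ["create"]}},
  {"address": "aws_s3_bucket.scratch",
   "type": "aws_s3_bucket", "change": {"actions": ["create"]}},
  {"address": "module.vendor.aws_s3_bucket.b", "module_address": "module.vendor",
   "type": "aws_s3_bucket", "change": {"actions": ["delete", "create"]}},
  {"address": "aws_s3_bucket.legacy",
   "type": "aws_s3_bucket", "change": {"actions": ["no-op"]}},
  {"address": "aws_iam_role.ci",
   "type": "aws_iam_role", "change": {"actions": ["create"]}}],
 "configuration": {"root_module": {"module_calls": {
   "logs": {"source": "git::https://git.example.com/platform/tf-s3.git?ref=v2.1.0"},
   "vendor": {"source": "terraform-aws-modules/s3-bucket/aws"}}}}}
""")

# Hypothetical policy: governed resource type -> approved module sources.
POLICY = {"aws_s3_bucket": {"git::https://git.example.com/platform/tf-s3.git"}}

def module_only_violations(plan, policy):
    """Return (address, reason) for governed resources created outside approved modules."""
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    findings = []
    for rc in plan.get("resource_changes", []):
        approved = policy.get(rc["type"])
        if approved is None or "create" not in rc["change"]["actions"]:
            continue  # type not governed, or nothing is being created or replaced
        mod = rc.get("module_address")
        if mod is None:  # resources declared in the root module carry no module_address
            findings.append((rc["address"], "raw resource block"))
            continue
        # Judge by the top-level module call; nested modules inherit its approval.
        name = re.match(r"module\.([^.\[]+)", mod).group(1)
        source = calls.get(name, {}).get("source", "").split("?")[0]  # drop ?ref=
        if source not in approved:
            findings.append((rc["address"], f"unapproved module source {source!r}"))
    return findings

if __name__ == "__main__":
    for address, reason in module_only_violations(SAMPLE_PLAN, POLICY):
        print(f"VIOLATION {address}: {reason}")
```

              Because it only looks at planned creations, the unchanged `aws_s3_bucket.legacy` is not reported; resources that already exist outside a module need a scan of the codebase or state rather than a plan-time check.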

                Updated: Aug 20, 2025

                Restrict specific Terraform Modules versions with Control Policies

                Terraform Modules are a great way to reduce the amount of code engineers write for similar infrastructure resources and are considered an efficient way to replicate cloud services across environments.

                An essential aspect of using modules is versioning, which enables cloud teams to systematically release module upgrades. This ensures the use of a more secure and compliant infrastructure by keeping the modules up-to-date.

                However, strictly controlling which Module versions and sources engineers are allowed to use becomes a massive challenge at scale.
                An everyday use case: I upgrade a few of my Terraform Modules with extra security measures and want to ensure that engineers are using the latest version.

                To tackle this challenge, we proudly announce the latest enhancement to our Terraform CI/CD engine, Terraform Modules – Restrict Versions control policies.

                ControlMonkey users can now easily create Control Policies that allow or restrict Terraform Modules Sources or Versions as part of the Infrastructure CI/CD.

                Terraform Modules – Restrict Versions consists of 3 types of policies:

                Terraform Allowed Module Sources Policy

                This policy enforces that all the Terraform Modules used in the code reside in a pre-approved Registry or an organization’s GitHub repo.

                Terraform Restricted Module Versions Policy

                This policy enforces the Terraform Modules versions that can be used in the code.
                The value can be a specific version, a range of versions, or from a particular version and above.

                Terraform Denied Modules Policy

                This policy ensures that Terraform Modules from unauthorized sources are not used.
                For instance, if there is a folder in your Git repository containing legacy modules that should not be used, you can designate these as ‘Denied.’ This provides immediate feedback to all users, preventing accidental usage.
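                The three policy types above can be illustrated with a small check over a configuration's module calls. This is an added example, not ControlMonkey's implementation: the module calls are constructed, the policy values are assumptions, and it only evaluates exact version pins, reporting any other constraint as unverifiable.

```python
import re

# Constructed module calls, shaped like configuration.root_module.module_calls
# in `terraform show -json` output (not from the page).
MODULE_CALLS = {
    "vpc": {"source": "app.terraform.io/acme/vpc/aws", "version_constraint": "3.10.0"},
    "bucket": {"source": "app.terraform.io/acme/s3/aws", "version_constraint": "1.9.0"},
    "queue": {"source": "terraform-aws-modules/sqs/aws", "version_constraint": "4.0.0"},
    "old_db": {"source": "./modules/legacy/rds"},
    "cache": {"source": "app.terraform.io/acme/redis/aws", "version_constraint": "~> 2.0"},
}

# Hypothetical policy values (assumptions for this example).
ALLOWED_SOURCES = ("app.terraform.io/acme/",)   # allowed module sources
DENIED_SOURCES = ("./modules/legacy/",)         # denied modules (legacy folder)
MIN_VERSION = {                                 # "from a particular version and above"
    "app.terraform.io/acme/vpc/aws": "3.9.0",
    "app.terraform.io/acme/s3/aws": "2.0.0",
}

def as_tuple(version):
    # Compare numerically: "3.10.0" is newer than "3.9.0", unlike a string compare.
    return tuple(int(part) for part in version.split("."))

def check_module_calls(calls):
    """Return (module name, reason) for every call that breaks one of the policies."""
    findings = []
    for name, call in sorted(calls.items()):
        source, pin = call["source"], call.get("version_constraint")
        minimum = MIN_VERSION.get(source)
        if source.startswith(DENIED_SOURCES):
            findings.append((name, "denied module"))
        elif not source.startswith(ALLOWED_SOURCES):
            findings.append((name, "source not allowed"))
        elif pin is None or not re.fullmatch(r"\d+\.\d+\.\d+", pin):
            findings.append((name, "no exact version pin to evaluate"))
        elif minimum and as_tuple(pin) < as_tuple(minimum):
            findings.append((name, f"version {pin} is below {minimum}"))
    return findings

if __name__ == "__main__":
    for name, reason in check_module_calls(MODULE_CALLS):
        print(f"module.{name}: {reason}")
```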

                Summary

                In case one of these policies is violated, ControlMonkey will warn the user who issues a PR that either their Terraform Module version is outdated, the Terraform Module path they are trying to use is restricted, or the specific Terraform Module they wish to use is restricted.

                Managing and Governing Terraform Modules at scale is a massive challenge for infrastructure teams and, in some instances, poses a risk to the organization.
                With ControlMonkey, you can create policies that strengthen your control over Terraform Modules and ensure they remain an efficiency driver rather than an operational burden with just a few clicks.

                Are you looking for the best way to stay on top of your Terraform Modules?
                Our Terraform experts can’t wait to show you around.

                  Updated: Aug 20, 2025

                  Shift-left Security on Azure with Managed Policies

                  We are excited to announce another milestone in our multi-cloud support, with a major enhancement to our Terraform CI/CD solution.
                  Starting today, ControlMonkey’s Managed Security Policies are also available for Azure Cloud!

                  These Security Policies are predefined, managed, and maintained by ControlMonkey.
                  Rather than writing and maintaining common security policies with OPA, you get managed security policies right out of the box, enforced whenever someone changes your Terraform code.

                  Cloud Engineering teams can select, at a granular level, the unit of deployment on which each Security Policy is enforced and its enforcement level (warning or block).
                  So, if you need to separate and divide your policy enforcement across environments, you can easily do that with ControlMonkey.

                  The benefits of Managed Security Policies:

                  • You get a library of pre-defined security policies straight out of the box.
                  • Save time on writing, managing, and maintaining these policies.
                    ControlMonkey does all the heavy lifting for you.
                  • By shifting your security left, you are:
                    • Preventing security issues before they reach production.
                    • Saving time on manual code review.
                    • Enabling a proactive operations mode instead of reacting to security misconfigurations.
                    • Educating Cloud Engineering teams on the organization’s security standards.

                  If you’re using Azure today and looking to turn on your proactive mode, let’s talk.

                    Updated: Aug 20, 2025

                    Control Policy Groups

                    We are pleased to announce the latest enhancement to our Terraform CI/CD solution for infrastructure – Control Policy Groups.

                    Our Terraform CI/CD solution for infrastructure enables ControlMonkey users to define proactive policies that will be enforced at the Pull Request level and prevent security, cost, and compliance misconfigurations.
                    Starting today, our users can group together control policies and apply them to specific environments by namespaces or stacks.

                    This allows for custom-made policy packages that meet your organization’s guardrails. For example, if your organization requires each resource to be tagged with specific keys and all data volumes to be encrypted, you can now group these two policies together to create your own custom compliance.
                    You can enforce these groups on a specific ControlMonkey namespace or stack, providing the granularity you need.

                    Your development environment has its own requirements, while your production environment likely requires more rigid policies to be enforced. Unlike account-level policy mechanisms (e.g., AWS SecurityHub), with ControlMonkey policies, you can mix and match the appropriate policies for the relevant infrastructure stacks.

                    You can select the severity level for each policy, which is then translated to an enforcement level (Warning, Hard/Soft Mandatory).

                    ControlMonkey also makes it super easy to granularly apply a policy group to a certain namespace or stack. For example, you can group together all of your SOC2 compliance policies and enforce those policies only in production environments that are required to be SOC-compliant.

                    Enforce the guardrails of your cloud environment with our out-of-the-box policy manager and prevent costly misconfigurations.
