Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools, which allow the community to conveniently manage and configure cloud infrastructure using scripts. However, the scripting process itself does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. As a result, ensuring security relies on practitioners' understanding and on the adoption of explicit policies, guidelines, or best practices. To understand how practitioners deal with this problem, in this work we perform an empirical study analyzing the adoption of IaC-scripted security best practices. First, we select and categorize widely recognized Terraform security practices promulgated in the industry for popular cloud providers such as AWS, Azure, and Google Cloud. Next, we assess the adoption of these practices for each cloud provider, analyzing a sample of 812 open-source projects hosted on GitHub. For that, we scan each project's configuration files, looking for policy implementation through static analysis (Checkov). Additionally, we investigate GitHub measures that might be correlated with adopting these best practices. The category Access policy emerges as the most widely adopted across all providers, while Encryption at rest is the most neglected policy. Regarding GitHub measures correlated with best-practice adoption, we observe a strong positive correlation between a repository's number of stars and the adoption of practices in its cloud infrastructure. Based on our findings, we provide guidelines for cloud practitioners to limit infrastructure vulnerability and discuss further aspects associated with policies that have yet to be extensively embraced within the industry.
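As an added illustration of the two practice categories the abstract singles out (this is not code from the paper or its dataset), the Terraform configuration below shows an AWS S3 bucket first without, then with, encryption at rest and an access policy; the bucket names and the KMS key alias are assumed placeholders.

```hcl
# Added illustration, not from the paper or its dataset: a minimal AWS
# configuration in the two categories the abstract highlights. The bucket
# names and the KMS alias are placeholders.

# --- Weak: the bucket is created with no encryption-at-rest setting and no
# --- access controls, i.e. the policy the study found most often neglected.
resource "aws_s3_bucket" "weak" {
  bucket = "example-logs-weak" # placeholder name
}

# --- Hardened: the same bucket with server-side encryption enforced
# --- (Encryption at rest) and public access blocked (Access policy).
resource "aws_s3_bucket" "hardened" {
  bucket = "example-logs-hardened" # placeholder name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = "alias/example-logs-key" # placeholder KMS alias
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Scanning the directory with `checkov -d . --framework terraform` is the kind of static check the study applies to each project; it reports the missing encryption and public-access controls on the first bucket while the second satisfies them.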