Compliance at scale: Hardened Terraform modules at Morgan Stanley

Morgan Stanley has freed up its cloud service developers by building automated cloud security controls by default using Terraform and Sentinel.

Brett Tegart and Itay Cohai recount how their team at Morgan Stanley implemented secure Terraform modules that enforce cloud security controls by default, allowing free development of cloud service provider accounts and resources without requiring additional security review. Sentinel policy as code was also important. They wrote policies that blocked direct creation of Terraform resources, limiting users to the secure modules that derive values from the Terraform or CSP environment instead of allowing user input.