A recent study suggests that misconfiguration is the number one risk to cloud environments in 2021. With infrastructure-as-code (IaC), we have the opportunity to catch security issues within the CI/CD before they manifest themselves in the cloud. In this talk, we will dive into techniques for IaC threat modeling. This includes static and dynamic analyses that can prevent supply chain attacks due to overly permissive IAM roles, exposing sensitive data inadvertently, detect privilege escalation, drift, etc. We will also describe the various stages of implementing IaC security automation.