Skip to main content
Application Security Standards
Category: Cloud Security

Immutable Infrastructure

Also known as: Immutable Server Model, Replace-Don't-Modify Infrastructure
Simply put

Immutable infrastructure is a model where servers and IT resources are never changed after they are deployed. When an update or fix is needed, a new server or resource is built from scratch and replaces the old one, rather than modifying the existing instance. This approach reduces the risk of inconsistent or unauthorized changes accumulating over time in production environments.

Formal definition

Immutable infrastructure is an operational model that prohibits in-place updates, configuration changes, or security patches to deployed production workloads. Instead, any change requires provisioning a new artifact or instance from a known-good baseline, typically built through a versioned, automated pipeline, and replacing the existing deployment. This model is intended to reduce configuration drift between instances, improve auditability of what is running in production, and limit the attack surface associated with ad-hoc modifications. The drift-prevention and integrity guarantees this model provides are conditional on enforcement controls that prevent privileged or compromised actors from modifying running instances outside the defined pipeline.

Why it matters

In traditional mutable infrastructure, servers accumulate changes over time through patches, configuration edits, and manual interventions. This accumulation, often called configuration drift, makes it difficult to know with confidence what is actually running in production. Immutable infrastructure is designed to address this problem by ensuring that every running instance traces back to a known, versioned baseline, which improves auditability and reduces the surface area for unauthorized or inconsistent modifications. These guarantees are conditional on enforcement controls that prevent privileged users or compromised processes from modifying instances outside the defined provisioning pipeline.

Who it's relevant to

Platform and Infrastructure Engineers
Platform and infrastructure engineers are responsible for designing and operating the provisioning pipelines and enforcement controls that make immutable infrastructure work in practice. They must ensure that production instances cannot be modified outside the defined pipeline, which typically involves restricting direct shell access and enforcing deployment gates.
Security and Compliance Teams
Security teams benefit from immutable infrastructure because it improves the auditability of production environments. When every running instance derives from a versioned, controlled baseline, it becomes easier to reason about what is deployed and to detect deviations. Compliance teams may find the model useful for demonstrating controlled change management, though they should verify that enforcement controls are in place rather than assuming immutability is self-enforcing.
DevOps and Site Reliability Engineers
DevOps and SRE practitioners working in cloud-native or containerized environments frequently implement immutable infrastructure patterns as part of continuous delivery workflows. The model aligns naturally with container orchestration and infrastructure-as-code tooling, where new images or instances are routinely built and replaced rather than modified in place.
Application Architects
Application architects designing systems for cloud or distributed environments should account for the immutable infrastructure model when making decisions about state management, configuration injection, and deployment strategies. Applications that rely on in-place configuration changes to running instances may require redesign to operate correctly under an immutable model.

Inside Immutable Infrastructure

Immutable Server Images
Pre-built, versioned artifacts (such as container images or virtual machine snapshots) that capture the complete runtime environment, application code, and configuration at build time. These images are deployed as-is and are not modified after creation.
Infrastructure-as-Code (IaC) Definitions
Declarative or procedural specifications that define the desired infrastructure state. These definitions are stored in version control and used to reproducibly generate immutable images and deployment environments.
Automated Build and Bake Pipelines
CI/CD pipeline stages responsible for assembling, hardening, and publishing new infrastructure images whenever a change is required. Changes to configuration or software trigger a new image build rather than in-place modification of running instances.
Replace-Rather-Than-Patch Deployment Model
An operational model in which updates, patches, or configuration changes are applied by retiring existing running instances and deploying new instances built from updated images, rather than applying changes to live systems.
Version-Controlled Artifacts
All images and their associated build inputs are stored with explicit version identifiers, enabling rollback, audit, and reproducibility of any previously deployed state.
Enforcement Controls
Technical and policy controls (such as read-only file systems, absence of SSH or remote shell access, and runtime policy enforcement) that restrict or prevent modification of running instances. The immutability guarantee is conditional on these controls being in place and enforced.

Common questions

Answers to the questions practitioners most commonly ask about Immutable Infrastructure.

Does immutable infrastructure completely eliminate configuration drift?
Not unconditionally. Immutable infrastructure is designed to prevent configuration drift by ensuring running instances are never modified in place, but the guarantee depends on enforcement controls being in place. Privileged or compromised actors can still modify a running instance if access controls do not prevent it. The model reduces drift significantly in typical operational conditions, but 'elimination' requires that mutation is technically blocked or that any out-of-band change triggers automated detection and remediation.
Does immutable infrastructure mean the application itself cannot have runtime vulnerabilities?
No. Immutable infrastructure addresses how instances are deployed and managed, not the security properties of the code or dependencies baked into the image. A vulnerability present in the application code or a bundled library at build time will be present in every deployed instance of that image. Immutable infrastructure may make patching more disciplined by requiring a new image build and redeployment, but it does not detect or prevent vulnerabilities that exist within the image itself.
How should secrets and configuration values be handled if the image is immutable?
Secrets and environment-specific configuration should not be baked into the image. Immutable images are typically built without embedded secrets. At runtime, secrets are injected through a secrets management system, environment variables supplied by the orchestration platform, or a dedicated secrets store such as a vault. This approach keeps the image portable across environments while ensuring sensitive values are not persisted in image layers or version control.
What happens when a vulnerability is discovered in a running immutable instance?
The standard remediation path is to build a new image with the vulnerability addressed, validate it through the pipeline, and redeploy, replacing the affected instances. Because in-place patching is not performed, the organization must have a functioning build and deployment pipeline capable of producing and promoting a patched image quickly. The speed of remediation therefore depends on pipeline maturity and the degree to which the build process is automated.
How does immutable infrastructure interact with software composition analysis or image scanning?
Image scanning and software composition analysis are typically applied during the build pipeline before an image is promoted to a registry or deployed. Because the image does not change after it is built, a scan result at build time reflects what will run in production, which makes scan findings more actionable than in mutable environments where installed packages may have changed since the last scan. However, newly disclosed vulnerabilities in already-deployed images will not be detected until the image is rescanned or a pipeline re-evaluation is triggered.
Does adopting immutable infrastructure require containerization?
No. Immutable infrastructure is a pattern that can be implemented with virtual machine images, container images, or other reproducible artifacts. Container-based workflows are a common implementation because container images align naturally with the build-once, deploy-many model, but the same principles apply to VM images built with tools that produce versioned, reproducible machine images. The core requirement is that the deployed artifact is not modified after it leaves the build process, regardless of the underlying technology.

Common misconceptions

Immutable infrastructure completely eliminates configuration drift without any additional controls.
Immutable infrastructure is designed to reduce configuration drift by preventing routine in-place changes, but the guarantee is conditional on enforcement controls being in place. Privileged or compromised actors may still be able to alter a running instance if those controls are absent or bypassed.
Immutable infrastructure means no patching is ever required.
Patching still occurs, but through a different mechanism. Instead of applying patches to live systems, a new image is built with the patch applied, and running instances are replaced with instances built from the updated image.
Any containerized workload is automatically immutable infrastructure.
Containers run from images do not inherently enforce immutability. Without additional controls such as read-only root file systems, restricted shell access, and policies preventing runtime modifications, running containers can still be altered in ways that undermine the immutability model.

Best practices

Store all infrastructure definitions and image build inputs in version control so that every deployed artifact can be traced back to a specific, auditable state.
Configure running instances with read-only file systems and remove or disable interactive remote access (such as SSH) where operationally feasible, to strengthen the enforcement controls that the immutability guarantee depends on.
Integrate image builds into automated CI/CD pipelines so that any required change, whether a software update, configuration adjustment, or security patch, triggers a new image build and a controlled replacement deployment rather than an in-place modification.
Apply runtime policy enforcement (such as container security policies or host-based integrity monitoring) to detect and alert on unauthorized modification attempts against running instances, acknowledging that enforcement controls can be circumvented by privileged or compromised actors.
Maintain prior image versions in artifact storage with clear version identifiers to support rollback to a known-good state when a newly deployed image introduces regressions or vulnerabilities.
Treat secrets and environment-specific configuration as external inputs injected at runtime through controlled mechanisms (such as secrets management services) rather than baked into images, to avoid embedding sensitive material in versioned artifacts.