Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.
Do not use for runtime security monitoring (use CSPM tools), for application security testing (use SAST/DAST tools), or for cloud configuration drift detection (use AWS Config or Azure Policy after deployment).
pip install checkov)brew install tfsec or binary from GitHub)brew install terrascan)Run Checkov for comprehensive IaC security scanning with built-in and custom policies.
# Scan a Terraform directory
checkov -d ./terraform/ --framework terraform
# Scan with specific check categories
checkov -d ./terraform/ --check CKV_AWS_18,CKV_AWS_19,CKV_AWS_20,CKV_AWS_21
# Scan and output results in JSON
checkov -d ./terraform/ --output json > checkov-results.json
# Scan a Terraform plan file for more accurate analysis
terraform init && terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json --framework terraform_plan
# Skip specific checks with justification
checkov -d ./terraform/ --skip-check CKV_AWS_145 \
--bc-api-key $BRIDGECREW_API_KEY
# Scan Terraform modules
checkov -d ./modules/ --framework terraform --compact
# List all available checks
checkov --list --framework terraform | grep CKV_AWS
Use tfsec for Terraform-native security analysis with detailed remediation guidance.
# Scan a Terraform directory
tfsec ./terraform/
# Scan with minimum severity threshold
tfsec ./terraform/ --minimum-severity HIGH
# Output in JSON for CI/CD processing
tfsec ./terraform/ --format json > tfsec-results.json
# Scan with custom checks
tfsec ./terraform/ --custom-check-dir ./custom-checks/
# Exclude specific rules
tfsec ./terraform/ --exclude-downloaded-modules \
--exclude aws-s3-enable-bucket-logging
# Scan and fail on specific severity
tfsec ./terraform/ --minimum-severity CRITICAL --soft-fail
# Generate SARIF output for GitHub Security tab
tfsec ./terraform/ --format sarif > tfsec.sarif
Execute Terrascan for compliance checking against CIS, NIST, and SOC 2 frameworks.
# Scan Terraform against CIS AWS benchmark
terrascan scan -t aws -i terraform -d ./terraform/ \
--policy-type aws --verbose
# Scan against specific compliance frameworks
terrascan scan -t aws -i terraform -d ./terraform/ \
--policy-type aws \
--categories "Compliance Validation"
# Output in JSON
terrascan scan -t aws -i terraform -d ./terraform/ \
--output json > terrascan-results.json
# Scan a Terraform plan
terrascan scan -t aws -i terraform \
--iac-file tfplan.json \
--iac-type tfplan
# List available policies
terrascan scan --list-policies -t aws
Write Rego policies for organization-specific security requirements.
# policy/aws_s3_encryption.rego
package terraform.aws.s3
deny[msg] {
resource := input.resource.aws_s3_bucket[name]
not resource.server_side_encryption_configuration
msg := sprintf("S3 bucket '%s' must have server-side encryption enabled", [name])
}
# policy/aws_iam_no_wildcards.rego
package terraform.aws.iam
deny[msg] {
resource := input.resource.aws_iam_policy[name]
statement := resource.policy.Statement[_]
statement.Action == "*"
statement.Effect == "Allow"
msg := sprintf("IAM policy '%s' must not use wildcard (*) actions", [name])
}
deny[msg] {
resource := input.resource.aws_iam_policy[name]
statement := resource.policy.Statement[_]
statement.Resource == "*"
statement.Effect == "Allow"
contains(statement.Action[_], "*")
msg := sprintf("IAM policy '%s' has overly permissive actions on wildcard resources", [name])
}
# policy/aws_no_public_ingress.rego
package terraform.aws.security_group
deny[msg] {
resource := input.resource.aws_security_group_rule[name]
resource.type == "ingress"
resource.cidr_blocks[_] == "0.0.0.0/0"
resource.from_port <= 22
resource.to_port >= 22
msg := sprintf("Security group rule '%s' allows SSH from 0.0.0.0/0", [name])
}
# Evaluate Terraform plan against OPA policies
terraform show -json tfplan | opa eval \
--data ./policy/ \
--input /dev/stdin \
"data.terraform.aws" \
--format pretty
# Run Conftest for easier OPA policy testing
conftest test tfplan.json --policy ./policy/ --output json
Add IaC security scanning as a mandatory CI/CD gate.
# GitHub Actions: Terraform security pipeline