Infrastructure Security Review Patterns
Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.
Security Checklists
State Backend Security
| Check | Severity | Pattern |
|-------|----------|---------|
| S3 bucket without encryption | Critical | encrypt = false or missing |
| Missing state locking | High | No DynamoDB table configured |
| Public bucket policy | Critical | block_public_* not all true |
| Missing versioning | Medium | versioning not enabled |
Secret Exposure
| Check | Severity | Pattern |
|-------|----------|---------|
| Hardcoded AWS keys | Critical | AKIA[0-9A-Z]{16} |
| Hardcoded passwords | Critical | password\s*=\s*"[^"]+[^}]" |
| Database credentials in code | Critical | DATABASE_URL with password |
| API keys in variables | High | api_key, secret_key defaults |
Network Security
| Check | Severity | Pattern |
|-------|----------|---------|
| SSH open to world | Critical | 0.0.0.0/0 on port 22 |
| Database publicly accessible | Critical | Missing private_network_uuid |
| Wide CIDR ranges | Medium | /8, /16 on public resources |
| Missing firewall | High | Droplet without firewall resource |
Compute Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Root login enabled | High | PermitRootLogin yes in cloud-init |
| Password auth enabled | Medium | PasswordAuthentication yes |
| Missing SSH hardening | Low | No ClientAliveInterval config |
| No monitoring | Low | monitoring = false |
Database Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Public database access | Critical | No database firewall rules |
| No VPC attachment | High | Missing private_network_uuid |
| Weak version | Medium | Old database engine versions |
| Single node for production | Low | node_count = 1 in prod |
Storage Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Public S3 buckets | Critical | acl = "public-read" |
| Missing encryption | High | No SSE configuration |
| No access logging | Medium | Missing access log bucket |
Grep Patterns
# Hardcoded secrets
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'secret.*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'api_key\s*=\s*"' *.tf
# Network exposure
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'cidr_blocks.*0\.0\.0\.0/0' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf
# State security
grep -rE 'encrypt\s*=\s*false' *.tf
grep -rE 'block_public_acls\s*=\s*false' *.tf
# Cloud-init issues
grep -rE 'PermitRootLogin\s+yes' *.tf *.yaml
grep -rE 'PasswordAuthentication\s+yes' *.tf *.yaml
Report Template
# Infrastructure Security Review
**Repository:** [name]
**Date:** [date]
**Files Reviewed:** [count]
## Summary
| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |
## Findings
### [SEVERITY-001] Title
**File:** `path/to/file.tf:line`
**Resource:** `resource_type.name`
**Issue:**
Description of the security issue.
**Current:**
```hcl
[current code]
Remediation:
[fixed code]
Compliance Notes
- [ ] State encryption enabled (SOC 2)
- [ ] No hardcoded credentials (PCI-DSS)
- [ ] Network segmentation in place (HIPAA)
- [ ] Access logging enabled (all frameworks)
## Severity Guide
| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |