infra-security-review
maintained by majesticlabs-dev
20 stars, 3 forks, MIT License
---
name: infra-security-review
description: Security patterns and checklists for reviewing Infrastructure-as-Code. Covers Terraform/OpenTofu state, secrets, network, compute, database, and storage security.
---
# Infrastructure Security Review Patterns

Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.

## Security Checklists

### State Backend Security
| Check | Severity | Pattern |
|---|---|---|
| S3 bucket without encryption | Critical | encrypt = false or missing |
| Missing state locking | High | No DynamoDB table configured |
| Public bucket policy | Critical | block_public_* not all true |
| Missing versioning | Medium | versioning not enabled |

### Secret Exposure
| Check | Severity | Pattern |
|---|---|---|
| Hardcoded AWS keys | Critical | AKIA[0-9A-Z]{16} |
| Hardcoded passwords | Critical | password\s*=\s*"[^"]+[^}]" |
| Database credentials in code | Critical | DATABASE_URL with password |
| API keys in variables | High | api_key, secret_key defaults |

### Network Security
| Check | Severity | Pattern |
|---|---|---|
| SSH open to world | Critical | 0.0.0.0/0 on port 22 |
| Database publicly accessible | Critical | Missing private_network_uuid |
| Wide CIDR ranges | Medium | /8, /16 on public resources |
| Missing firewall | High | Droplet without firewall resource |

### Compute Security
| Check | Severity | Pattern |
|---|---|---|
| Root login enabled | High | PermitRootLogin yes in cloud-init |
| Password auth enabled | Medium | PasswordAuthentication yes |
| Missing SSH hardening | Low | No ClientAliveInterval config |
| No monitoring | Low | monitoring = false |

### Database Security
| Check | Severity | Pattern |
|---|---|---|
| Public database access | Critical | No database firewall rules |
| No VPC attachment | High | Missing private_network_uuid |
| Weak version | Medium | Old database engine versions |
| Single node for production | Low | node_count = 1 in prod |

### Storage Security
| Check | Severity | Pattern |
|---|---|---|
| Public S3 buckets | Critical | acl = "public-read" |
| Missing encryption | High | No SSE configuration |
| No access logging | Medium | Missing access log bucket |

## Grep Patterns

```bash
# Hardcoded secrets
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'secret.*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'api_key\s*=\s*"' *.tf

# Network exposure
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'cidr_blocks.*0\.0\.0\.0/0' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf

# State security
grep -rE 'encrypt\s*=\s*false' *.tf
grep -rE 'block_public_acls\s*=\s*false' *.tf

# Cloud-init issues
grep -rE 'PermitRootLogin\s+yes' *.tf *.yaml
grep -rE 'PasswordAuthentication\s+yes' *.tf *.yaml
```
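The checklist rules above are written as line-oriented grep patterns, which miss a finding whenever the two halves of a condition (the `0.0.0.0/0` CIDR and port 22, for instance) sit on different lines of the same resource. The scanner below is an added example, not the skill's own code: it applies a subset of the checklist rules per top-level Terraform block rather than per line, skips `"${var.x}"` interpolation and bare `var.x` references for the password rule, and returns findings in the shape the report template's summary table needs. The rule names, the severities and the sample `.tf` content are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample Terraform for this example; every value is a made-up placeholder.
SAMPLE_TF = '''
terraform {
  backend "s3" {
    encrypt = false
  }
}

resource "aws_db_instance" "app" {
  password            = "hunter2"   # literal secret: should be flagged
  publicly_accessible = true
}

resource "aws_db_instance" "safe" {
  password = var.db_password        # bare reference: must not match
}

resource "aws_db_instance" "legacy" {
  password = "${var.db_password}"   # interpolation: must not match
}

resource "aws_security_group_rule" "ssh" {
  from_port   = 22
  cidr_blocks = ["0.0.0.0/0"]       # port and CIDR sit on different lines
}

resource "digitalocean_droplet" "web" {
  monitoring = false
  user_data  = <<-EOT
    #cloud-config
    write_files:
      - path: /etc/ssh/sshd_config.d/review.conf
        content: |
          PermitRootLogin yes
  EOT
}

provider "aws" {
  access_key = "AKIAEXAMPLEKEY000000"   # constructed placeholder, not a real key
}
'''

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    all_of: tuple  # every regex must match inside the same top-level block

RULES = (
    Rule("Hardcoded AWS access key ID", "Critical", (re.compile(r"AKIA[0-9A-Z]{16}"),)),
    # Quoted value not starting with "$" (skips "${var.x}"); a bare var.x reference has no quote.
    Rule("Hardcoded password", "Critical", (re.compile(r'password\s*=\s*"[^$"][^"]*"'),)),
    # grep needs CIDR and port on one line; matching per block does not.
    Rule("SSH open to the world", "Critical",
         (re.compile(r"0\.0\.0\.0/0"), re.compile(r"from_port\s*=\s*22\b"))),
    Rule("Database publicly accessible", "Critical", (re.compile(r"publicly_accessible\s*=\s*true"),)),
    Rule("State backend without encryption", "Critical", (re.compile(r"encrypt\s*=\s*false"),)),
    Rule("Root login enabled in cloud-init", "High", (re.compile(r"PermitRootLogin\s+yes"),)),
    Rule("No monitoring", "Low", (re.compile(r"monitoring\s*=\s*false"),)),
)

def split_blocks(hcl):
    """Return (header, start_line, text) per top-level block by tracking brace depth.
    Adequate for typical Terraform files; it is not a full HCL parser."""
    blocks, depth, current, start = [], 0, [], 0
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        if depth == 0:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start, current = lineno, []
        current.append(line)
        # Blank out quoted strings and comments before counting braces, so the
        # "{" inside "${var.x}" or inside a comment does not corrupt the depth.
        code = re.sub(r'"[^"]*"', '""', line).split("#", 1)[0]
        depth += code.count("{") - code.count("}")
        if depth == 0:
            blocks.append((current[0].strip().rstrip(" {"), start, "\n".join(current)))
    return blocks

def scan(hcl, path="main.tf"):
    """Apply every rule to every block; each finding carries severity, block header and file:line."""
    findings = []
    for header, start, text in split_blocks(hcl):
        for rule in RULES:
            matches = [rx.search(text) for rx in rule.all_of]
            if all(matches):
                line = start + text[: matches[0].start()].count("\n")
                findings.append({"rule": rule.name, "severity": rule.severity,
                                 "resource": header, "location": f"{path}:{line}"})
    return findings

def summary(findings):
    """Severity counts in the order the report template's summary table uses."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in ("Critical", "High", "Medium", "Low")}
```

Running `scan(SAMPLE_TF)` yields seven findings (five Critical, one High, one Low) and nothing for the `safe` and `legacy` blocks; `summary()` gives the counts for the report's summary table. Per-block matching is the reason the SSH rule fires here even though the grep pattern `0\.0\.0\.0/0.*22` would not; the trade-off is that a block containing both a port-22 rule and an unrelated `0.0.0.0/0` egress line also fires, so treat the output as review candidates to confirm by hand, exactly as with the grep patterns.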

## Report Template

````markdown
# Infrastructure Security Review

**Repository:** [name]
**Date:** [date]
**Files Reviewed:** [count]

## Summary

| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |

## Findings

### [SEVERITY-001] Title

**File:** `path/to/file.tf:line`
**Resource:** `resource_type.name`

**Issue:**
Description of the security issue.

**Current:**
```hcl
[current code]
```

**Remediation:**
```hcl
[fixed code]
```

## Compliance Notes

- State encryption enabled (SOC 2)
- No hardcoded credentials (PCI-DSS)
- Network segmentation in place (HIPAA)
- Access logging enabled (all frameworks)
````

## Severity Guide
| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |
Skill Details
Created: Jan 2026
Last Updated: 5 months ago