Terraform Security Scanning

Terraform security scanning identifies misconfigurations, insecure defaults, dangerous IAM roles, exposed network resources, unencrypted storage, weak access controls, and unsafe cloud architecture before infrastructure is deployed. Terraform defines your cloud environment, so scanning it early prevents vulnerabilities from entering AWS, Azure, or GCP. IaC scanning is a core DevSecOps practice ensuring that infrastructure is built securely by design.

Why Terraform Security Scanning Matters

Terraform describes everything in code—networks, databases, IAM roles, instances, containers, and storage. A single misconfiguration can expose an entire cloud environment. Common Terraform risks include:

• Public S3 buckets
• Security groups allowing 0.0.0.0/0
• IAM roles with excessive permissions
• Unencrypted RDS or EBS volumes
• Disabled logging for CloudTrail or VPC Flow Logs
• Publicly exposed VMs
• Unrestricted Kubernetes clusters
• Open API Gateways
• Missing KMS encryption

Terraform scanning prevents insecure cloud deployments before they ever reach production.

Core Tools for Terraform Security Scanning

Checkov

Scans Terraform, Kubernetes manifests, CloudFormation, ARM templates, Helm charts, and Dockerfiles.

Terrascan

Deep cloud IaC scanning with policy-as-code (OPA Rego).

Tfsec

Fast Terraform security analysis focusing on common misconfigurations.

Trivy Config

Scans IaC including Terraform for security risks.

KICS

Detects vulnerabilities and misconfigurations in Terraform and other IaC tools.

Using multiple scanners increases coverage and accuracy.


How Terraform Scanning Works

Step 1: Parse Terraform Files

The scanner reads the .tf files and builds a resource graph from them.

Step 2: Identify Resources and Attributes

It identifies resource blocks such as:

• aws_s3_bucket
• aws_security_group
• aws_iam_role
• aws_db_instance
• azurerm_storage_account
• google_compute_instance

Step 3: Evaluate Against Security Policies

Policies check for:

• public access
• missing encryption
• overly broad permissions
• unrestricted network rules
• missing logs
• insecure KMS usage

Step 4: Generate Report

The scanner categorizes findings by severity:

• Critical
• High
• Medium
• Low

Each finding includes file, line number, resource, and recommended fix.


Installing Terraform Scanners

Checkov

pip install checkov

Terrascan

curl -L https://runterrascan.io/install.sh | bash

Tfsec

curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash

Trivy

sudo apt install trivy

(Trivy is not in the stock Debian/Ubuntu package lists; add Aqua Security's apt repository first.)

Scanning Terraform With Checkov

Scan entire directory:

checkov -d .

Scan single file:

checkov -f main.tf

Output includes:

• resource
• issue severity
• rule ID
• fix guidance


Scanning Terraform With Tfsec

tfsec .

Tfsec highlights:

• public security groups
• missing encryption
• weak IAM roles
• privileged configurations


Scanning With Terrascan

terrascan scan -d .

Terrascan uses OPA policies for deep analysis.


Scanning IaC With Trivy

trivy config .

Trivy detects:

• misconfigs
• insecure defaults
• secrets (via trivy fs --scanners secret; the config subcommand covers misconfigurations only)


Common Terraform Misconfigurations Detected

Insecure S3 Bucket

acl = "public-read"

Scanner flags the public ACL and the missing aws_s3_bucket_public_access_block.

Open Security Groups

cidr_blocks = ["0.0.0.0/0"]

Critical severity.

Missing Encryption

encrypted = false

Detected on:

• RDS
• EBS
• S3
• SQS
• Lambda
• Secrets Manager

Weak IAM Policies

actions = ["*"]
resources = ["*"]

Over-permissioned roles.

Missing Logs

CloudTrail, VPC Flow Logs, or GKE audit logs disabled.

Public Cloud Resources

• public IP
• public load balancers
• public databases

Missing MFA or Key Rotation

IAM users without MFA, without access key rotation, or without a strong account password policy.

Scanners catch these instantly.
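To make the four stages of "How Terraform Scanning Works" concrete, and to show how the misconfigurations listed in this section are actually matched, here is a small policy evaluator added as an illustration. It is not code from Checkov, tfsec or Terrascan: it reads a constructed Terraform JSON-syntax configuration (the main.tf.json form, chosen so no HCL parser is needed), walks the resource blocks, applies simplified stand-ins for the public-ACL, open-ingress, wildcard-IAM, missing-encryption, public-IP and hard-coded-secret checks, and prints a severity-ordered report. The TOY_* rule IDs and every sample resource are made up.

```python
"""Toy IaC policy evaluator over Terraform JSON-syntax configuration.
Constructed illustration, not Checkov/tfsec/Terrascan code: the TOY_* check
IDs are hypothetical and the sample configuration is made up."""
import json
import re

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample in Terraform JSON syntax (the main.tf.json form),
# deliberately carrying the misconfigurations discussed on this page.
SAMPLE_TF_JSON = r'''{
  "variable": {"db_password": {"default": "admin123"}},
  "resource": {
    "aws_s3_bucket": {"bad": {"bucket": "my-bucket", "acl": "public-read"}},
    "aws_security_group": {"web": {"ingress": [
      {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_iam_role_policy": {"bad": {"name": "bad", "role": "${aws_iam_role.example.id}",
      "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"}},
    "aws_db_instance": {"db": {"engine": "postgres", "storage_encrypted": false}},
    "aws_instance": {"web": {"ami": "ami-placeholder", "associate_public_ip_address": true}},
    "aws_ebs_volume": {"data": {"size": 20, "encrypted": true}}
  }
}'''

SECRET_NAME = re.compile(r"password|secret|token|api_key", re.IGNORECASE)


def as_list(value):
    """Terraform and IAM attributes may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def finding(check_id, severity, resource, issue, fix):
    return {"check_id": check_id, "severity": severity, "resource": resource,
            "issue": issue, "fix": fix}


def iter_resources(config: dict):
    """Stage 2: yield (address, type, attributes) for every resource block."""
    for rtype, instances in config.get("resource", {}).items():
        for name, attrs in instances.items():
            yield f"{rtype}.{name}", rtype, attrs


def check_resource(address: str, rtype: str, attrs: dict) -> list:
    """Stage 3: evaluate one resource against the toy policy set."""
    out = []
    if rtype == "aws_s3_bucket" and attrs.get("acl") in ("public-read", "public-read-write"):
        out.append(finding("TOY_S3_PUBLIC_ACL", "CRITICAL", address,
                           "bucket ACL grants public access",
                           "remove the public ACL and add aws_s3_bucket_public_access_block"))
    if rtype == "aws_security_group":
        for rule in as_list(attrs.get("ingress")):
            if any(c in ("0.0.0.0/0", "::/0") for c in rule.get("cidr_blocks", [])):
                out.append(finding("TOY_SG_OPEN_INGRESS", "CRITICAL", address,
                                   f"ingress on port {rule.get('from_port')} is open to the world",
                                   "restrict cidr_blocks to known source ranges"))
    if rtype in ("aws_iam_role_policy", "aws_iam_policy"):
        doc = attrs.get("policy", {})
        doc = json.loads(doc) if isinstance(doc, str) else doc  # heredoc JSON arrives as a string
        for stmt in as_list(doc.get("Statement")):
            if (stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Action"))
                    and "*" in as_list(stmt.get("Resource"))):
                out.append(finding("TOY_IAM_WILDCARD", "HIGH", address,
                                   "Allow statement with Action * on Resource *",
                                   "scope Action and Resource to what the role needs"))
    # RDS uses storage_encrypted, EBS uses encrypted; an absent key means not enabled.
    enc_key = {"aws_db_instance": "storage_encrypted", "aws_ebs_volume": "encrypted"}.get(rtype)
    if enc_key and attrs.get(enc_key) is not True:
        out.append(finding("TOY_MISSING_ENCRYPTION", "HIGH", address,
                           f"{enc_key} is not enabled", f"set {enc_key} = true and supply a KMS key"))
    if rtype == "aws_instance" and attrs.get("associate_public_ip_address") is True:
        out.append(finding("TOY_PUBLIC_INSTANCE", "MEDIUM", address,
                           "instance receives a public IP",
                           "use a private subnet and front it with a load balancer"))
    return out


def check_variables(config: dict) -> list:
    """Flag secret-looking variables that ship a literal default value."""
    out = []
    for name, body in config.get("variable", {}).items():
        if SECRET_NAME.search(name) and isinstance(body.get("default"), str) and body["default"]:
            out.append(finding("TOY_HARDCODED_SECRET", "HIGH", f"var.{name}",
                               "secret-looking variable has a literal default",
                               "drop the default and inject the value from a secrets manager"))
    return out


def scan(tf_json: str) -> list:
    """Stages 1-4: parse, walk resources, evaluate, order by severity then address."""
    config = json.loads(tf_json)  # Stage 1: parse the configuration
    findings = check_variables(config)
    for address, rtype, attrs in iter_resources(config):
        findings.extend(check_resource(address, rtype, attrs))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["resource"]))


def format_report(findings: list) -> str:
    """Stage 4: one line per finding with severity, rule, resource and fix."""
    return "\n".join(f"[{f['severity']}] {f['check_id']} {f['resource']}: {f['issue']} -> {f['fix']}"
                     for f in findings)


if __name__ == "__main__":
    print(format_report(scan(SAMPLE_TF_JSON)))
```

Run it as a script and the sample produces six findings: two critical (public ACL, open ingress), three high (unencrypted RDS, wildcard IAM, hard-coded password default) and one medium (public IP); the encrypted EBS volume passes. Real scanners differ mainly in scale (hundreds of rules, an HCL parser, module resolution), not in this basic shape.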


Terraform Security Best Practices

• Always scan Terraform before commit
• Run scanning in CI pipelines
• Use policy-as-code for governance
• Enforce encryption everywhere
• Never allow 0.0.0.0/0 without justification
• Restrict IAM permissions with least privilege
• Validate S3 public access policies
• Enable logs and monitoring
• Use KMS keys for sensitive resources
• Use Terraform modules with secure defaults


Full-Length Practical Section

Deep hands-on practicals to master Terraform security scanning.


Practical 1: Scan Terraform Directory With Checkov

Create insecure Terraform:

resource "aws_s3_bucket" "bad" {
  bucket = "my-bucket"
  acl    = "public-read"
}

Run:

checkov -d .

Fix by removing the public ACL and adding an aws_s3_bucket_public_access_block resource for the bucket.


Practical 2: Detect Open Security Groups With Tfsec

Insecure:

cidr_blocks = ["0.0.0.0/0"]

Scan:

tfsec .

Fix by limiting cidr_blocks to known source ranges.


Practical 3: Scan IAM Policy Misconfiguration

resource "aws_iam_role_policy" "bad" {
  name = "bad-policy"
  role = aws_iam_role.example.id   # placeholder reference to the role this policy attaches to
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EOF
}

Scan and fix with least privilege.


Practical 4: Terrascan Deep Scan

terrascan scan -d .

Fix flagged issues in security groups, IAM, S3, etc.


Practical 5: Scan Terraform for Secrets

Add accidental secret:

variable "db_password" {
  default = "admin123"
}

Run:

trivy fs --scanners secret .

Trivy's secret detection runs under the filesystem scanner; trivy config only checks misconfigurations.

Fix by removing the hard-coded default and injecting the value from a secrets manager at apply time.


Practical 6: Check Encryption for RDS

Example insecure:

storage_encrypted = false

Scanner identifies missing encryption.


Practical 7: Audit Kubernetes Terraform Modules

checkov -d k8s/

Find missing securityContext and network policies.


Practical 8: Scan Terraform in GitHub Actions

Create the workflow steps (the checkout step is needed so the action can see the repository):

steps:
  - uses: actions/checkout@v4
  - name: Terraform Security Scan
    uses: bridgecrewio/checkov-action@master
    with:
      directory: .

The pipeline fails on high issues.


Practical 9: GitLab CI Terraform Scan

tf_scan:
  image: python:3.12-slim
  before_script:
    - pip install checkov
  script:
    - checkov -d .

Critical findings block the merge.


Practical 10: Build Policy-as-Code With OPA (Terrascan)

Define the rule. The input here is the Terraform JSON-syntax configuration, where the policy document is still a JSON string, so it must be unmarshalled and its Statement array iterated:

package terraform.iam
deny[msg] {
  stmt := json.unmarshal(input.resource.aws_iam_role_policy[_].policy).Statement[_]
  stmt.Effect == "Allow"
  stmt.Action == "*"
  msg := "Wildcard IAM permissions not allowed"
}

Terrascan's own custom policies use its resource-indexed input (input.<resource_type>[_].config) together with a metadata JSON file, so adapt the rule to that schema before placing it in a Terrascan policy directory.

Run:

terrascan scan -d .

Practical 11: Detect Public EC2 Instances

associate_public_ip_address = true

Scan detects public exposure.


Practical 12: Validate KMS Key Usage

Ensure encryption:

kms_key_id = aws_kms_key.default.arn

Scanner warns if missing.


Practical 13: Create Terraform Baseline

Initial scan:

checkov -d . --output json > baseline.json

Track improvements over time by diffing later reports against this file. Checkov also has a built-in baseline: --create-baseline writes a .checkov.baseline file, and --baseline .checkov.baseline reports only failed checks that are new relative to it.


Practical 14: Test Multi-Environment IaC

Scan:

• dev
• staging
• production

Compare deviations.


Practical 15: Identify Misconfigured Load Balancers

Missing HTTPS listeners or outdated TLS policies are flagged by the scanners.


Practical 16: Detect Misconfigured API Gateway

Public endpoint without authorization triggers critical alert.


Practical 17: Auto-Remediation Suggestions

Checkov prints remediation guidance with each failed check (a guide link in the CLI output), covering fixes for IAM, encryption, S3, logging, etc.


Practical 18: Scan Terraform Plans

terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json

Scan the planned changes before apply. Checkov reads the JSON rendering of the plan, not the binary tfplan file, so the terraform show step is required.


Practical 19: Combine Multiple Scanners

checkov -d .
tfsec .
terrascan scan -d .

Compare all findings.


Practical 20: Build Full Terraform Security Architecture

Include:

• Checkov for deep scans
• Terrascan for policy governance
• Tfsec for fast checks
• Trivy for secret detection
• Pre-commit scanning
• CI/CD enforcement
• OPA policies
• Baseline drift detection
• Centralized reporting

This architecture ensures all IaC is validated before deployment.


Intel Dump

• Terraform scanning prevents insecure cloud deployments
• Tools: Checkov, Terrascan, Tfsec, Trivy, KICS
• Detect misconfigs in IAM, networking, S3, databases, encryption, logging
• Must scan locally, in CI, and before terraform apply
• Practicals include full scanning, IAM fixes, encryption checks, OPA policies, CI pipelines, baseline creation, and complete Terraform security architecture
