# Infrastructure Security Review Patterns

Security checklists and grep patterns for reviewing infrastructure-as-code (IaC). Use them when verifying infrastructure security. The checks assume a Terraform code base with an AWS S3 state backend that provisions both AWS resources (S3 buckets, `publicly_accessible` RDS instances) and DigitalOcean resources (Droplets, firewalls, managed databases), which is why attribute names from both providers appear below.
## Security Checklists

### State Backend Security

| Check | Severity | Pattern |
|---|---|---|
| S3 bucket without encryption | Critical | `encrypt = false`, or `encrypt` missing from the `backend "s3"` block (it defaults to false) |
| Missing state locking | High | No `dynamodb_table` configured (on Terraform 1.10+ S3-native locking via `use_lockfile = true` is the alternative) |
| Public bucket policy | Critical | `block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets` not all `true` |
| Missing versioning | Medium | Versioning not enabled on the state bucket |
### Secret Exposure

| Check | Severity | Pattern |
|---|---|---|
| Hardcoded AWS keys | Critical | `AKIA[0-9A-Z]{16}` |
| Hardcoded passwords | Critical | `password\s*=\s*"[^$"][^"]*"` (a quoted literal; `"${var.x}"` interpolations are skipped) |
| Database credentials in code | Critical | `DATABASE_URL` containing a password |
| API keys in variables | High | `api_key`, `secret_key` variables with a `default` |
### Network Security

| Check | Severity | Pattern |
|---|---|---|
| SSH open to world | Critical | `0.0.0.0/0` (or `::/0`) on port 22 |
| Database publicly accessible | Critical | No database firewall rules and no `private_network_uuid` (see Database Security) |
| Wide CIDR ranges | Medium | `/8`, `/16` on public resources |
| Missing firewall | High | Droplet without a firewall resource |
### Compute Security

| Check | Severity | Pattern |
|---|---|---|
| Root login enabled | High | `PermitRootLogin yes` in cloud-init |
| Password auth enabled | Medium | `PasswordAuthentication yes` |
| Missing SSH hardening | Low | No `ClientAliveInterval` config |
| No monitoring | Low | `monitoring = false` |
### Database Security

| Check | Severity | Pattern |
|---|---|---|
| Public database access | Critical | No database firewall rules |
| No VPC attachment | High | Missing `private_network_uuid` |
| Weak version | Medium | Old database engine versions |
| Single node for production | Low | `node_count = 1` in prod |
### Storage Security

| Check | Severity | Pattern |
|---|---|---|
| Public S3 buckets | Critical | `acl = "public-read"` or `acl = "public-read-write"` |
| Missing encryption | High | No SSE configuration |
| No access logging | Medium | Missing access log bucket |
## Grep Patterns

Run these from the repository root. They are line-oriented: `-n` prints the line number for the report, and `--include` makes `-r` descend into module directories instead of matching only top-level files.

Hardcoded secrets (the `[^$"]` class skips `"${var.x}"` interpolations):

```bash
grep -rnE --include='*.tf' --include='*.tfvars' 'AKIA[0-9A-Z]{16}' .
grep -rnE --include='*.tf' --include='*.tfvars' 'password\s*=\s*"[^$"][^"]*"' .
grep -rnE --include='*.tf' --include='*.tfvars' 'secret.*=\s*"[^$"][^"]*"' .
grep -rnE --include='*.tf' --include='*.tfvars' 'api_key\s*=\s*"' .
```

Network exposure:

```bash
grep -rnE --include='*.tf' '(0\.0\.0\.0/0|::/0).*22' .
grep -rnE --include='*.tf' 'cidr_blocks.*(0\.0\.0\.0/0|::/0)' .
grep -rnE --include='*.tf' 'publicly_accessible\s*=\s*true' .
```

In HCL the port and the CIDR of an `ingress` rule usually sit on separate lines, so the first pattern only catches one-line rules; treat each hit of the second as a lead and read the whole block.

State security:

```bash
grep -rnE --include='*.tf' 'encrypt\s*=\s*false' .
grep -rnE --include='*.tf' '(block_public_acls|block_public_policy|ignore_public_acls|restrict_public_buckets)\s*=\s*false' .
```

A `backend "s3"` block with no `encrypt` line at all is also a finding and does not match the first pattern.

Cloud-init issues:

```bash
grep -rnE --include='*.tf' --include='*.yaml' --include='*.yml' 'PermitRootLogin\s+yes' .
grep -rnE --include='*.tf' --include='*.yaml' --include='*.yml' 'PasswordAuthentication\s+yes' .
```
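Line-oriented grep cannot connect the `from_port` of an `ingress` block with the `cidr_blocks` three lines below it, cannot tell `password = "${var.db_password}"` from a literal, and cannot report a `backend "s3"` block whose `encrypt` line is simply absent. The script below is an added example, not part of this page's checklists or any project's tooling: a small brace-matching walk over `terraform fmt`-style HCL that applies the state-backend, SSH-exposure and hardcoded-secret checks block by block and returns findings in the shape of the report template (severity, file:line, resource, title), plus the severity counts for its Summary table. The sample Terraform it scans is constructed here; the tokenizer assumes one attribute per line with block openers on their own line (heredocs and multi-line lists are out of scope), and `use_lockfile = true` is accepted as an alternative to `dynamodb_table` for locking.

```python
import re
from collections import Counter
# Constructed sample Terraform (not from any real repository): an unencrypted,
# unlocked S3 backend, SSH open to the world, an "all ports" rule open to IPv6,
# a hardcoded database password, and a clean resource that uses a variable.
SAMPLE_TF = '''
terraform {
  backend "s3" {
    encrypt = false
  }
}
resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "wide_open" {
  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
}
resource "aws_db_instance" "app" {
  password = "Sup3rSecret!"
}
resource "aws_db_instance" "safe" {
  password = var.db_password
}
'''

# Assumption: terraform fmt style, one attribute per line and block openers
# ending in "{" on their own line; heredocs and multi-line lists are not handled.
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)((?:\s+"[^"]*")*)\s*=?\s*\{\s*$')
ATTR_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.+?)\s*$')
SECRET_NAME = re.compile(r'password|secret|api_key|token', re.I)
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def parse_blocks(text):
    """Yield (path, attrs, line) per block; attrs maps name -> (raw value, line)."""
    stack = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BLOCK_RE.match(line)
        if m:
            stack.append(((m.group(1) + m.group(2)).strip(), {}, lineno))
        elif line.strip() == "}" and stack:
            label, attrs, opened = stack.pop()
            yield [b[0] for b in stack] + [label], attrs, opened
        elif (m := ATTR_RE.match(line)) and stack:
            stack[-1][1][m.group(1)] = (m.group(2), lineno)

def literal_string(value):
    """Contents of a plain quoted literal; None for var refs and "${...}" interpolation."""
    m = re.fullmatch(r'"([^"]*)"', value or "")
    return m.group(1) if m and "${" not in m.group(1) else None

def ingress_ports(attrs):
    """(from, to) for an ingress block; protocol "-1" means every port."""
    if literal_string(attrs.get("protocol", ("", 0))[0]) == "-1":
        return 0, 65535
    try:
        return int(attrs["from_port"][0]), int(attrs["to_port"][0])
    except (KeyError, ValueError):
        return None

def scan(text, filename="main.tf"):
    """Block-aware checks; each finding carries the fields of the report template."""
    findings = []
    def add(severity, title, line, path):
        findings.append({"severity": severity, "title": title,
                         "location": f"{filename}:{line}", "resource": " > ".join(path)})
    for path, attrs, line in parse_blocks(text):
        label = path[-1]
        if path[0] == "terraform" and label.startswith("backend"):
            value, at = attrs.get("encrypt", ("", line))   # missing counts as false
            if value != "true":
                add("Critical", "State backend without encryption", at, path)
            if "dynamodb_table" not in attrs and attrs.get("use_lockfile", ("",))[0] != "true":
                add("High", "State backend without locking", line, path)
        if label == "ingress":
            cidrs = re.findall(r'"([^"]+)"', attrs.get("cidr_blocks", ("",))[0]
                               + attrs.get("ipv6_cidr_blocks", ("",))[0])
            ports = ingress_ports(attrs)
            if PUBLIC_CIDRS & set(cidrs) and ports and ports[0] <= 22 <= ports[1]:
                add("Critical", "SSH open to the world", line, path)
        for name, (value, at) in attrs.items():
            if SECRET_NAME.search(name) and literal_string(value) is not None:
                add("Critical", f"Hardcoded value in {name}", at, path)
    return findings

def summarize(findings):
    """Severity counts in the order used by the report template's Summary table."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in ("Critical", "High", "Medium", "Low")}
```

`scan(SAMPLE_TF)` returns four Critical findings (the unencrypted backend, SSH open on both security groups, the literal password) and one High (no locking); the `safe` instance is not reported because `var.db_password` is not a quoted literal, which is exactly the false positive the grep patterns cannot avoid. For a real repository the next step is a proper HCL parser or a dedicated IaC scanner; this script is the minimum that closes the multi-line blind spot.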
## Report Template

```markdown
# Infrastructure Security Review

Repository: [name]
Date: [date]
Files Reviewed: [count]

## Summary

| Severity | Count |
|---|---|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |

## Findings

### [SEVERITY-001] Title

File: path/to/file.tf:line
Resource: resource_type.name
Issue: Description of the security issue.

Current:

[current code]

Remediation:

[fixed code]

## Compliance Notes

- State encryption enabled (SOC 2)
- No hardcoded credentials (PCI-DSS)
- Network segmentation in place (HIPAA)
- Access logging enabled (all frameworks)
```
## Severity Guide
| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |