A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.

• GitHub Repo: https://github.com/cesar-rodriguez/terrascan
• Documentation: https://terrascan.readthedocs.io.
• Free software: GNU General Public License v3

Terrascan will perform tests on your terraform templates to ensure:

• Encryption

  • Server Side Encryption (SSE) enabled
  • Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
  • Use of SSL/TLS and proper configuration

• Security Groups

  • Provisioning SGs in EC2-classic
  • Ingress open to 0.0.0.0/0

• Public Exposure

  • Services with public exposure other than Gateways (NAT, VGW, IGW)

• Logging & Monitoring

  • Access logs enabled to resources that support it

Terrascan uses Python and depends on terraform-validate and pyhcl. After installing python in your system you can follow these steps:

$ pip install terrascan

To run execute terrascan.py as follows replacing with the location of your terraform templates:

$ terrascan --location tests/infrastructure/success --tests all

To run a specific test run the following command replacing encryption with the name of the test to run:

$ terrascan --location tests/infrastructure/success --tests encryption

To learn more about the options to the cli execute the following:

$ terrascan -h

Legend:

• ➖ = test needs to be implemented
• ✔️ = test implemented
• blank - N/A

======================================== ====================== ====================== ====================== ======================

Terraform resources Encryption Security Groups Public exposure Logging & Monitoring

======================================== ====================== ====================== ====================== ======================

aws_alb ✔️ ✔️ aws_alb_listener ✔️ aws_ami ✔️ aws_ami_copy ✔️ aws_api_gateway_domain_name ✔️ aws_cloudfront_distribution ✔️ ✔️ aws_cloudtrail ✔️ ✔️ aws_codebuild_project ✔️ aws_codepipeline ✔️ aws_db_instance ✔️ ✔️ aws_db_security_group ✔️ aws_dms_endpoint ✔️ aws_dms_replication_instance ✔️ ✔️ aws_ebs_volume ✔️ aws_efs_file_system ✔️ aws_elasticache_security_group ✔️ aws_efs_file_system ✔️ aws_elasticache_security_group ✔️ aws_elastictranscoder_pipeline ✔️ aws_elb ✔️ ✔️ ✔️ aws_emr_cluster ✔️ aws_instance ✔️ ✔️ aws_kinesis_firehose_delivery_stream ✔️ ✔️ aws_lambda_function ✔️ aws_launch_configuration ✔️ aws_lb_ssl_negotiation_policy ➖ aws_load_balancer_backend_server_policy ➖ aws_load_balancer_listener_policy ➖ aws_load_balancer_policy ➖ aws_opsworks_application ✔️ ➖ aws_opsworks_custom_layer ➖ aws_opsworks_ganglia_layer ➖ aws_opsworks_haproxy_layer ➖ aws_opsworks_instance ➖ aws_opsworks_java_app_layer ➖ aws_opsworks_memcached_layer ➖ aws_opsworks_mysql_layer ➖ aws_opsworks_nodejs_app_layer ➖ aws_opsworks_php_app_layer ➖ aws_opsworks_rails_app_layer ➖ aws_opsworks_static_web_layer ➖ aws_rds_cluster ✔️ aws_rds_cluster_instance ✔️ aws_redshift_cluster ✔️ ✔️ ✔️ aws_redshift_parameter_group ➖ ➖ aws_redshift_security_group ✔️ aws_s3_bucket ✔️ ✔️ aws_s3_bucket_object ✔️ aws_security_group ✔️ aws_security_group_rule ✔️ aws_ses_receipt_rule ➖ aws_sqs_queue ✔️ aws_ssm_maintenance_window_task ✔️ aws_ssm_parameter ✔️

======================================== ====================== ====================== ====================== ======================