A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.
- GitHub Repo: https://github.com/cesar-rodriguez/terrascan
- Documentation: https://terrascan.readthedocs.io.
- Free software: GNU General Public License v3
Terrascan will perform tests on your terraform templates to ensure:
- Encryption
- Server Side Encryption (SSE) enabled
- Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
- Use of SSL/TLS and proper configuration
- Security Groups
- Provisioning SGs in EC2-classic
- Ingress open to 0.0.0.0/0
- Public Exposure
- Services with public exposure other than Gateways (NAT, VGW, IGW)
- Logging & Monitoring
- Access logs enabled to resources that support it
Terrascan uses Python and depends on terraform-validate and pyhcl. After installing python in your system you can follow these steps:
$ pip install terrascan
To run execute terrascan.py as follows replacing with the location of your terraform templates:
$ terrascan --location tests/infrastructure/success --tests all
To run a specific test run the following command replacing encryption with the name of the test to run:
$ terrascan --location tests/infrastructure/success --tests encryption
To learn more about the options to the cli execute the following:
$ terrascan -h
- Legend:
- ➖ = test needs to be implemented
- ✔️ = test implemented
- blank - N/A
| Terraform resources | Encryption | Security Groups | Public exposure | Logging & Monitoring |
|---|---|---|---|---|
| aws_alb | ✔️ | ✔️ | ||
| aws_alb_listener | ✔️ | |||
| aws_ami | ✔️ | |||
| aws_ami_copy | ✔️ | |||
| aws_api_gateway_domain_name | ✔️ | |||
| aws_cloudfront_distribution | ✔️ | ✔️ | ||
| aws_cloudtrail | ✔️ | ✔️ | ||
| aws_codebuild_project | ✔️ | |||
| aws_codepipeline | ✔️ | |||
| aws_db_instance | ✔️ | ✔️ | ||
| aws_db_security_group | ✔️ | |||
| aws_dms_endpoint | ✔️ | |||
| aws_dms_replication_instance | ✔️ | ✔️ | ||
| aws_ebs_volume | ✔️ | |||
| aws_efs_file_system | ✔️ | |||
| aws_elasticache_security_group | ✔️ | |||
| aws_efs_file_system | ✔️ | |||
| aws_elasticache_security_group | ✔️ | |||
| aws_elastictranscoder_pipeline | ✔️ | |||
| aws_elb | ✔️ | ✔️ | ✔️ | |
| aws_emr_cluster | ✔️ | |||
| aws_instance | ✔️ | ✔️ | ||
| aws_kinesis_firehose_delivery_stream | ✔️ | ✔️ | ||
| aws_lambda_function | ✔️ | |||
| aws_launch_configuration | ✔️ | |||
| aws_lb_ssl_negotiation_policy | ➖ | |||
| aws_load_balancer_backend_server_policy | ➖ | |||
| aws_load_balancer_listener_policy | ➖ | |||
| aws_load_balancer_policy | ➖ | |||
| aws_opsworks_application | ✔️ | ➖ | ||
| aws_opsworks_custom_layer | ➖ | |||
| aws_opsworks_ganglia_layer | ➖ | |||
| aws_opsworks_haproxy_layer | ➖ | |||
| aws_opsworks_instance | ➖ | |||
| aws_opsworks_java_app_layer | ➖ | |||
| aws_opsworks_memcached_layer | ➖ | |||
| aws_opsworks_mysql_layer | ➖ | |||
| aws_opsworks_nodejs_app_layer | ➖ | |||
| aws_opsworks_php_app_layer | ➖ | |||
| aws_opsworks_rails_app_layer | ➖ | |||
| aws_opsworks_static_web_layer | ➖ | |||
| aws_rds_cluster | ✔️ | |||
| aws_rds_cluster_instance | ✔️ | |||
| aws_redshift_cluster | ✔️ | ✔️ | ✔️ | |
| aws_redshift_parameter_group | ➖ | ➖ | ||
| aws_redshift_security_group | ✔️ | |||
| aws_s3_bucket | ✔️ | ✔️ | ||
| aws_s3_bucket_object | ✔️ | |||
| aws_security_group | ✔️ | |||
| aws_security_group_rule | ✔️ | |||
| aws_ses_receipt_rule | ➖ | |||
| aws_sqs_queue | ✔️ | |||
| aws_ssm_maintenance_window_task | ✔️ | |||
| aws_ssm_parameter | ✔️ |