A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.
- GitHub Repo: https://github.com/cesar-rodriguez/terrascan
- Documentation: https://terrascan.readthedocs.io.
- Free software: GNU General Public License v3
Terrascan will perform tests on your terraform templates to ensure:
- Encryption
  - Server Side Encryption (SSE) enabled
  - Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
  - Use of SSL/TLS and proper configuration
- Security Groups
  - Provisioning SGs in EC2-classic
  - Ingress open to 0.0.0.0/0
- Public Exposure
  - Services with public exposure other than Gateways (NAT, VGW, IGW)
- Logging & Monitoring
  - Access logs enabled to resources that support it
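The script below is an added example, not Terrascan's own code, showing how checks in each of the four categories above can be written as a static pass over a template. To run without pyhcl or terraform-validate it reads Terraform's JSON syntax (`.tf.json`) rather than HCL. The sample template is constructed for the example; the attributes it inspects (`encrypted`, `kms_key_id`, `cidr_blocks`, `associate_public_ip_address`, `logging`) are Terraform AWS provider attributes, but which attributes Terrascan itself evaluates is not stated on this page, so treat the check logic as an illustration of the approach.

```python
"""Minimal static checker over Terraform JSON, modelled on the four
Terrascan test categories (added example, not Terrascan's code)."""
import json

# Constructed sample in Terraform JSON syntax (.tf.json). Each resource
# type has at least one non-compliant and one compliant instance.
# AMI ids, CIDRs and bucket names are placeholders, not real values.
SAMPLE_TF_JSON = """
{
  "resource": {
    "aws_security_group": {
      "open_sg": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]
      },
      "office_sg": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["203.0.113.0/24"]}]
      }
    },
    "aws_ebs_volume": {
      "plain": {"availability_zone": "us-east-1a", "size": 8},
      "default_key": {"availability_zone": "us-east-1a", "size": 8,
                      "encrypted": true},
      "sealed": {"availability_zone": "us-east-1a", "size": 8,
                 "encrypted": true, "kms_key_id": "${aws_kms_key.cmk.arn}"}
    },
    "aws_s3_bucket": {
      "logs_off": {"bucket": "example-no-logs"},
      "logs_on": {"bucket": "example-logs",
                  "logging": {"target_bucket": "example-access-logs"}}
    },
    "aws_instance": {
      "exposed": {"ami": "ami-00000000", "instance_type": "t3.micro",
                  "associate_public_ip_address": true},
      "private": {"ami": "ami-00000000", "instance_type": "t3.micro"}
    }
  }
}
"""


def resources(tf, rtype):
    """Yield (name, body) for every resource of the given type."""
    for name, body in tf.get("resource", {}).get(rtype, {}).items():
        yield name, body


def check_encryption(tf):
    """Encryption: EBS volumes must be encrypted with a customer managed key."""
    findings = []
    for name, body in resources(tf, "aws_ebs_volume"):
        addr = f"aws_ebs_volume.{name}"
        if body.get("encrypted") is not True:
            findings.append(("encryption", addr, "encrypted is not true"))
        elif not body.get("kms_key_id"):
            findings.append(("encryption", addr, "no customer managed key (kms_key_id)"))
    return findings


def check_security_groups(tf):
    """Security Groups: flag any ingress rule open to 0.0.0.0/0."""
    findings = []
    for name, body in resources(tf, "aws_security_group"):
        for rule in body.get("ingress", []):
            if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                detail = (f"ingress {rule.get('from_port')}-{rule.get('to_port')}"
                          f"/{rule.get('protocol')} open to 0.0.0.0/0")
                findings.append(("security_groups", f"aws_security_group.{name}", detail))
    return findings


def check_public_exposure(tf):
    """Public exposure: instances that request a public IP address."""
    findings = []
    for name, body in resources(tf, "aws_instance"):
        if body.get("associate_public_ip_address") is True:
            findings.append(("public_exposure", f"aws_instance.{name}",
                             "associate_public_ip_address is true"))
    return findings


def check_logging(tf):
    """Logging & Monitoring: S3 buckets must have access logging configured."""
    findings = []
    for name, body in resources(tf, "aws_s3_bucket"):
        if not body.get("logging"):
            findings.append(("logging", f"aws_s3_bucket.{name}", "access logging not configured"))
    return findings


CHECKS = {
    "encryption": check_encryption,
    "security_groups": check_security_groups,
    "public_exposure": check_public_exposure,
    "logging": check_logging,
}


def scan(tf_json_text, tests="all"):
    """Run all checks, or one named check, and return (test, address, detail) tuples."""
    tf = json.loads(tf_json_text)
    if tests != "all" and tests not in CHECKS:
        raise ValueError(f"unknown test {tests!r}; choose one of {sorted(CHECKS)} or 'all'")
    selected = CHECKS.values() if tests == "all" else [CHECKS[tests]]
    findings = []
    for check in selected:
        findings.extend(check(tf))
    return findings


if __name__ == "__main__":
    for test, address, detail in scan(SAMPLE_TF_JSON):
        print(f"[{test}] {address}: {detail}")
```

The `tests` argument mirrors the `--tests all` / `--tests encryption` selection used on the command line: each check is a plain function over the parsed template, so adding a resource type means adding one function and registering it in `CHECKS`. Note that `encrypted` must be exactly `true`; an unset attribute is reported rather than assumed to inherit an account default.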
Terrascan uses Python and depends on terraform-validate and pyhcl. After installing Python on your system, install Terrascan with pip:
$ pip install terrascan
To run, execute terrascan as follows, replacing the location with the path to your terraform templates:
$ terrascan --location tests/infrastructure/success --tests all
To run a specific test, run the following command, replacing encryption with the name of the test to run:
$ terrascan --location tests/infrastructure/success --tests encryption
To see all CLI options, execute the following:
$ terrascan -h
- Legend:
  - ➖ = test needs to be implemented
  - ✔️ = test implemented
  - blank = N/A
Test coverage by Terraform resource (columns: Encryption, Security Groups, Public exposure, Logging & Monitoring; each resource is followed by its marks, and a blank column (N/A) leaves no mark):
- aws_alb ✔️ ✔️
- aws_alb_listener ✔️
- aws_ami ✔️
- aws_ami_copy ✔️
- aws_api_gateway_domain_name ✔️
- aws_cloudfront_distribution ✔️ ✔️
- aws_cloudtrail ✔️ ✔️
- aws_codebuild_project ✔️
- aws_codepipeline ✔️
- aws_db_instance ✔️ ✔️
- aws_db_security_group ✔️
- aws_dms_endpoint ✔️
- aws_dms_replication_instance ✔️ ✔️
- aws_ebs_volume ✔️
- aws_efs_file_system ✔️
- aws_elasticache_security_group ✔️
- aws_elastictranscoder_pipeline ✔️
- aws_elb ✔️ ✔️ ✔️
- aws_emr_cluster ✔️
- aws_instance ✔️ ✔️
- aws_kinesis_firehose_delivery_stream ✔️ ✔️
- aws_lambda_function ✔️
- aws_launch_configuration ✔️
- aws_lb_ssl_negotiation_policy ➖
- aws_load_balancer_backend_server_policy ➖
- aws_load_balancer_listener_policy ➖
- aws_load_balancer_policy ➖
- aws_opsworks_application ✔️ ➖
- aws_opsworks_custom_layer ➖
- aws_opsworks_ganglia_layer ➖
- aws_opsworks_haproxy_layer ➖
- aws_opsworks_instance ➖
- aws_opsworks_java_app_layer ➖
- aws_opsworks_memcached_layer ➖
- aws_opsworks_mysql_layer ➖
- aws_opsworks_nodejs_app_layer ➖
- aws_opsworks_php_app_layer ➖
- aws_opsworks_rails_app_layer ➖
- aws_opsworks_static_web_layer ➖
- aws_rds_cluster ✔️
- aws_rds_cluster_instance ✔️
- aws_redshift_cluster ✔️ ✔️ ✔️
- aws_redshift_parameter_group ➖ ➖
- aws_redshift_security_group ✔️
- aws_s3_bucket ✔️ ✔️
- aws_s3_bucket_object ✔️
- aws_security_group ✔️
- aws_security_group_rule ✔️
- aws_ses_receipt_rule ➖
- aws_sqs_queue ✔️
- aws_ssm_maintenance_window_task ✔️
- aws_ssm_parameter ✔️