Infrastructure Security Review Patterns

Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.

Security Checklists

State Backend Security

Check	Severity	Pattern
S3 bucket without encryption	Critical	encrypt = false or missing
Missing state locking	High	No DynamoDB table configured
Public bucket policy	Critical	block_public_* not all true
Missing versioning	Medium	versioning not enabled

Secret Exposure

Check	Severity	Pattern
Hardcoded AWS keys	Critical	AKIA[0-9A-Z]{16}
Hardcoded passwords	Critical	password\s*=\s*"[^"]+[^}]"
Database credentials in code	Critical	DATABASE_URL with password
API keys in variables	High	api_key, secret_key defaults

Network Security

Check	Severity	Pattern
SSH open to world	Critical	0.0.0.0/0 on port 22
Database publicly accessible	Critical	Missing private_network_uuid
Wide CIDR ranges	Medium	/8, /16 on public resources
Missing firewall	High	Droplet without firewall resource

Compute Security

Check	Severity	Pattern
Root login enabled	High	PermitRootLogin yes in cloud-init
Password auth enabled	Medium	PasswordAuthentication yes
Missing SSH hardening	Low	No ClientAliveInterval config
No monitoring	Low	monitoring = false

Database Security

Check	Severity	Pattern
Public database access	Critical	No database firewall rules
No VPC attachment	High	Missing private_network_uuid
Weak version	Medium	Old database engine versions
Single node for production	Low	node_count = 1 in prod

Storage Security

Check	Severity	Pattern
Public S3 buckets	Critical	acl = "public-read"
Missing encryption	High	No SSE configuration
No access logging	Medium	Missing access log bucket

Grep Patterns

# Hardcoded secrets
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'secret.*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'api_key\s*=\s*"' *.tf

# Network exposure
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'cidr_blocks.*0\.0\.0\.0/0' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf

# State security
grep -rE 'encrypt\s*=\s*false' *.tf
grep -rE 'block_public_acls\s*=\s*false' *.tf

# Cloud-init issues
grep -rE 'PermitRootLogin\s+yes' *.tf *.yaml
grep -rE 'PasswordAuthentication\s+yes' *.tf *.yaml

Report Template

# Infrastructure Security Review

**Repository:** [name]
**Date:** [date]
**Files Reviewed:** [count]

## Summary

| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |

## Findings

### [SEVERITY-001] Title

**File:** `path/to/file.tf:line`
**Resource:** `resource_type.name`

**Issue:**
Description of the security issue.

**Current:**
```hcl
[current code]

Remediation:

[fixed code]

Compliance Notes

• State encryption enabled (SOC 2)
• No hardcoded credentials (PCI-DSS)
• Network segmentation in place (HIPAA)
• Access logging enabled (all frameworks)

## Severity Guide

| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |