Collection of security and best practice test for static code analysis of terraform templates
Branch: master
Clone or download
Latest commit 8870437 Nov 13, 2018

README.rst

Terrascan

Documentation Status Updates

A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate.

Features

Terrascan will perform tests on your terraform templates to ensure:

  • Encryption
    • Server Side Encryption (SSE) enabled
    • Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
    • Use of SSL/TLS and proper configuration
  • Security Groups
    • Provisioning SGs in EC2-classic
    • Ingress open to 0.0.0.0/0
  • Public Exposure
    • Services with public exposure other than Gateways (NAT, VGW, IGW)
  • Logging & Monitoring
    • Access logs enabled to resources that support it

Installing

Terrascan uses Python and depends on terraform-validate and pyhcl. After installing python in your system you can follow these steps:

$ pip install terrascan

Running the tests

To run execute terrascan.py as follows replacing with the location of your terraform templates:

$ terrascan --location tests/infrastructure/success --tests all

To run a specific test run the following command replacing encryption with the name of the test to run:

$ terrascan --location tests/infrastructure/success --tests encryption

To learn more about the options to the cli execute the following:

$ terrascan -h

Feature Status

Legend:
  • = test needs to be implemented
  • ✔️ = test implemented
  • blank - N/A
Terraform resources Encryption Security Groups Public exposure Logging & Monitoring
aws_alb     ✔️ ✔️
aws_alb_listener ✔️      
aws_ami ✔️      
aws_ami_copy ✔️      
aws_api_gateway_domain_name ✔️      
aws_cloudfront_distribution ✔️     ✔️
aws_cloudtrail ✔️     ✔️
aws_codebuild_project ✔️      
aws_codepipeline ✔️      
aws_db_instance ✔️   ✔️  
aws_db_security_group   ✔️    
aws_dms_endpoint ✔️      
aws_dms_replication_instance ✔️   ✔️  
aws_ebs_volume ✔️      
aws_efs_file_system ✔️      
aws_elasticache_security_group   ✔️    
aws_efs_file_system ✔️      
aws_elasticache_security_group   ✔️    
aws_elastictranscoder_pipeline ✔️      
aws_elb ✔️   ✔️ ✔️
aws_emr_cluster       ✔️
aws_instance ✔️   ✔️  
aws_kinesis_firehose_delivery_stream ✔️     ✔️
aws_lambda_function ✔️      
aws_launch_configuration       ✔️
aws_lb_ssl_negotiation_policy      
aws_load_balancer_backend_server_policy      
aws_load_balancer_listener_policy      
aws_load_balancer_policy      
aws_opsworks_application ✔️    
aws_opsworks_custom_layer      
aws_opsworks_ganglia_layer      
aws_opsworks_haproxy_layer      
aws_opsworks_instance      
aws_opsworks_java_app_layer      
aws_opsworks_memcached_layer      
aws_opsworks_mysql_layer      
aws_opsworks_nodejs_app_layer      
aws_opsworks_php_app_layer      
aws_opsworks_rails_app_layer      
aws_opsworks_static_web_layer      
aws_rds_cluster ✔️      
aws_rds_cluster_instance     ✔️  
aws_redshift_cluster ✔️   ✔️ ✔️
aws_redshift_parameter_group    
aws_redshift_security_group   ✔️    
aws_s3_bucket     ✔️ ✔️
aws_s3_bucket_object ✔️      
aws_security_group   ✔️    
aws_security_group_rule   ✔️    
aws_ses_receipt_rule      
aws_sqs_queue ✔️      
aws_ssm_maintenance_window_task       ✔️
aws_ssm_parameter ✔️