Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Secure Development & DevSecOps

IaC Security Review

  • May 9, 2025

Sherlocked Security – IaC Security Review (Terraform, CloudFormation)

Comprehensive Static Security Auditing of Infrastructure-as-Code Templates


1. Statement of Work (SOW)

Service Name: Infrastructure as Code (IaC) Security Review
Client Type: Enterprises, Cloud-Native Startups, DevOps Teams, FinTech, Healthcare
Service Model: IaC Template Analysis + Static Security Review + Compliance Mapping
Compliance Coverage: CIS AWS/GCP/Azure Benchmarks, NIST 800-53, ISO 27001, PCI-DSS, SOC 2

Assessment Types:

  • Terraform and CloudFormation Template Reviews
  • Static Analysis of Infrastructure Definitions
  • Secret & Key Exposure Review
  • Misconfiguration and Over-Permission Detection
  • Cloud Provider Best Practices Validation

2. Our Approach

[IaC Codebase Discovery] → [Automated Linting & Baseline Scan] → [Manual Review for Logic & Context] → [Compliance Mapping] → [Remediation Advisory] → [Retest (Optional)]


3. Methodology

[Codebase Collection] → [Automated Tools Execution] → [Manual Review for Contextual Security Issues] → [Risk Mapping] → [Recommendations & Fix Examples] → [Retest (Optional)]


4. Deliverables to the Client

  1. IaC Security Audit Report (Terraform / CloudFormation)
  2. Misconfiguration Summary with Contextual Risk Ratings
  3. Cloud Provider-Specific Security Checks (AWS/GCP/Azure)
  4. Findings Mapped to Compliance Standards (CIS/NIST/PCI)
  5. Annotated Code Snippets for Each Finding
  6. Recommendations for Hardening and Fix Examples
  7. Revalidation Report Post-Remediation (Optional)
  8. CI/CD Linting Rule Set for Future Prevention (Optional)

5. What We Need from You (Client Requirements)

  • Access to your Terraform or CloudFormation repositories
  • Details on cloud provider(s) and environments in use
  • Documentation of IaC deployment flows (manual or CI/CD-based)
  • Reference security/compliance frameworks (if applicable)
  • NDA and scope sign-off

6. Tools & Technology Stack

  • Static Scanners: Checkov, tfsec, Kics, cfn-lint, terrascan
  • IaC Linters: tflint, CloudFormation Guard
  • Compliance Tools: ScoutSuite, Prowler, Steampipe
  • Code Review Aids: VSCode with security plugins, git blame/trail
  • Cloud SDKs for validation: AWS CLI, GCP SDK, Azure CLI
  • Optional CI/CD Hooks: GitHub Actions, GitLab CI, Jenkins integrations

7. Engagement Lifecycle

1. Kickoff & Scope Review → 2. IaC Codebase Collection → 3. Automated & Manual Review → 4. Reporting → 5. Remediation Advisory → 6. (Optional) Revalidation & CI/CD Integration


8. Why Sherlocked Security?

Feature                              Sherlocked Advantage
Contextual Misconfiguration Review   Beyond static scanning: manual validation of real-world impact
Multi-Cloud Expertise                Deep familiarity with AWS, GCP and Azure IaC security nuances
Compliance-Driven Findings           Every issue is mapped to frameworks such as CIS, NIST and PCI-DSS
IaC DevSecOps Enablement             Integration-ready rules for GitOps and CI/CD pipelines
Custom Hardening Recommendations     Annotated fix suggestions tailored to your stack

9. Real-World Case Studies

SaaS Platform: Terraform Misconfiguration Risks

Findings: Publicly exposed S3 buckets, over-privileged IAM roles ("*" in Action and Resource)
Impact: Risk of data exfiltration and privilege escalation
Outcome: Hardened templates, integrated Checkov into CI with custom policy sets

Enterprise Infra: CloudFormation Review

Findings: Unrestricted ingress in security groups, no encryption at rest on RDS storage
Outcome: Enforced security group restrictions, added StorageEncrypted: true defaults across templates


10. SOP – Standard Operating Procedure

  1. Repository Access & Kickoff Meeting
  2. Codebase Walkthrough (IaC Architecture, Provider Modules)
  3. Automated Scanner Execution (Checkov, tfsec, etc.)
  4. Manual Code Review for Contextual Findings
  5. Misconfiguration & Secret Leak Identification
  6. Compliance Mapping (CIS/NIST/etc.)
  7. Fix Recommendations with Examples
  8. Optional CI/CD Integration for Ongoing Enforcement
  9. Final Report + Retest (Optional)

11. IaC Security Review Checklist

1. General Template Hygiene

  • Pass sensitive values through variables (marked sensitive) or a secrets manager; never hardcode secrets in templates
  • Use secure defaults (e.g., deny by default for security groups and bucket policies)
  • Validate module sources (pin to a verified registry namespace or a specific Git ref; avoid unverified registries or unpinned Git URLs)
  • Review count and for_each conditions on security-critical resources (e.g., a logging resource that is only created when a boolean variable is true), since a wrong variable value silently drops the control
  • Ensure provider and module versions are pinned (required_providers constraints, lock file) and kept updated

2. IAM & Access Control

  • Detect wildcard "*" permissions in IAM policies (Action, Resource), including service-wide wildcards such as s3:*
  • Ensure least-privilege principles are applied to roles, policies and users
  • Validate that IAM roles are scoped to specific services, actions and resource ARNs
  • Check role trust policies for broad principals and for assume_role paths without MFA (aws:MultiFactorAuthPresent) or source-IP conditions
  • Detect over-privileged service accounts and execution roles (e.g., for Lambda, ECS)

3. Storage & Encryption

  • Validate encryption at rest for S3, RDS, EBS, Cloud SQL, etc. (e.g., storage_encrypted on RDS and encrypted on EBS in Terraform, StorageEncrypted in CloudFormation)
  • Prefer customer-managed KMS keys (CMKs) over provider-managed default keys where key policy control, rotation or cross-account access matters
  • Ensure versioning is enabled for critical data stores
  • Enforce bucket-level public access blocks and disable public ACLs and policies for buckets
  • Enforce logging for storage services (e.g., S3 server access logs or CloudTrail data events)

4. Network Configuration

  • Validate security groups for open ingress (0.0.0.0/0 or ::/0 on ports 22, 3389, database ports, or all traffic via protocol -1)
  • Detect overly permissive NACLs, route tables and VPC peerings
  • Validate subnet layout: separate public and private subnets with proper routing (no default route to an internet gateway from private subnets)
  • Check that ALBs/ELBs enforce TLS with a current security policy and redirect HTTP to HTTPS
  • Ensure DNS zone transfers (AXFR) are restricted and internal hostnames are not leaked in public zones
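
The IAM, storage and network items in sections 2 to 4 above are the ones most worth checking mechanically before the manual pass. The script below is an added example written for this page, not a Sherlocked tool and not one of the scanners listed in section 6: it walks a CloudFormation template in JSON form (a YAML template would first need a loader that understands the CloudFormation short-form tags) and reports wildcard IAM grants, open trust policies, internet-exposed admin ports, missing RDS encryption and incomplete S3 public access blocks. The severities, the resource types covered and the sample template are assumptions chosen for illustration.

```python
"""Static CloudFormation (JSON) checks for the IAM, storage and network items above. Added example, not a Sherlocked tool. Usage: python cfn_checks.py template.json"""
import json
import sys
from typing import Any, Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (severity, logical_id, message)
ADMIN_PORTS = {22, 3389}
ANY_CIDR = {"0.0.0.0/0", "::/0"}

def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]  # Statement/Action/Resource may be scalar or list

def check_trust_policy(lid, props) -> Iterable[Finding]:
    """A role assumable by Principal '*' with no Condition is an open door."""
    for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if (principal == "*" or "*" in _as_list(aws)) and "Condition" not in stmt:
            yield ("CRITICAL", lid, "trust policy allows any principal without a Condition")

def check_iam_wildcards(lid, props) -> Iterable[Finding]:
    """Allow statements with Action '*' / 'service:*' or Resource '*'."""
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p["PolicyDocument"] for p in props.get("Policies", []) if "PolicyDocument" in p]
    for doc in docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = [str(a) for a in _as_list(stmt.get("Action", []))]
            if "*" in actions:
                yield ("CRITICAL", lid, "Allow with Action '*'")
            elif any(a.endswith(":*") for a in actions):
                yield ("HIGH", lid, f"Allow with service-wide wildcard action {actions}")
            if "*" in _as_list(stmt.get("Resource", [])):
                yield ("HIGH", lid, "Allow with Resource '*'")

def check_security_group(lid, props) -> Iterable[Finding]:
    """Ingress from 0.0.0.0/0 or ::/0: all ports CRITICAL, admin ports HIGH, anything else LOW."""
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") not in ANY_CIDR and rule.get("CidrIpv6") not in ANY_CIDR:
            continue
        if str(rule.get("IpProtocol")) == "-1":  # -1 means every protocol and port
            yield ("CRITICAL", lid, "all traffic open to the internet")
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            yield ("HIGH", lid, f"admin port(s) {exposed} open to the internet")
        else:
            yield ("LOW", lid, f"ports {lo}-{hi} open to the internet (confirm intended)")

def check_rds(lid, props) -> Iterable[Finding]:
    """StorageEncrypted defaults to false when omitted; Aurora members inherit it from the cluster, so skip them."""
    if "DBClusterIdentifier" not in props and str(props.get("StorageEncrypted", "false")).lower() != "true":
        yield ("HIGH", lid, "StorageEncrypted is not true")

def check_s3(lid, props) -> Iterable[Finding]:
    """All four public access block flags must be true; a missing block means 'not blocked'."""
    pab = props.get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    missing = [f for f in flags if str(pab.get(f, "false")).lower() != "true"]
    if missing:
        yield ("HIGH", lid, f"public access block incomplete, missing {missing}")

CHECKS = {
    "AWS::IAM::Role": [check_trust_policy, check_iam_wildcards],
    "AWS::IAM::Policy": [check_iam_wildcards],
    "AWS::IAM::ManagedPolicy": [check_iam_wildcards],
    "AWS::EC2::SecurityGroup": [check_security_group],
    "AWS::RDS::DBInstance": [check_rds],
    "AWS::RDS::DBCluster": [check_rds],
    "AWS::S3::Bucket": [check_s3],
}

def scan_template(template: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    for lid, res in template.get("Resources", {}).items():
        for check in CHECKS.get(res.get("Type", ""), []):
            findings.extend(check(lid, res.get("Properties", {})))
    return findings

# Constructed sample template for illustration (not from any engagement).
SAMPLE_TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                    "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "Policies": [{"PolicyName": "admin", "PolicyDocument": {
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres", "AllocatedStorage": "20"}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True, "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}}}}

if __name__ == "__main__":
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for sev, lid, msg in scan_template(tpl):
        print(f"[{sev}] {lid}: {msg}")
```

Run against the constructed template it reports the admin role twice (Action and Resource wildcards), the SSH rule as HIGH, the HTTPS rule as LOW for confirmation, and the unencrypted database; the bucket with a complete public access block produces nothing. Intrinsic functions such as Ref in a StorageEncrypted value are treated as "not true" and surface for manual review rather than being silently accepted.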

5. Logging & Monitoring

  • Enable CloudTrail, Config, VPC Flow Logs across all regions
  • Ensure logs are centralized, encrypted, and immutable
  • Validate that log groups have retention policies set
  • Detect disabled logging in Lambda, ECS, or other compute services
  • Alert on missing audit trails in compliance-sensitive components

6. Secrets & Key Management

  • Detect any usage of plaintext secrets, credentials, or API keys
  • Validate integration with KMS, Vault, or Secrets Manager
  • Ensure key rotation is enabled for encryption keys (e.g., enable_key_rotation on aws_kms_key)
  • Check if secrets are embedded in user data, cloud-init scripts or container definition environment variables
  • Flag Terraform locals and outputs that expose sensitive values, and require sensitive = true on such outputs
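
As an added example for the secrets items above (written for this page, not a Sherlocked tool), the script below runs a handful of regex rules over IaC text: hardcoded credential literals (including inside user_data heredocs, which are just more lines of the file), AWS access key IDs, private-key blocks, and Terraform outputs named like secrets that lack sensitive = true. Values that are resolved at deploy time (var., ${...}, {{resolve:...}}) are not reported, and findings are redacted so the review report does not itself become a leak. The rule list, keyword list and both sample inputs are constructed assumptions.

```python
"""Secrets and key-exposure review over IaC text (Terraform HCL or CloudFormation YAML).
Added example, not a Sherlocked tool. Findings are redacted so the report does not leak."""
import re
from typing import List, Tuple

Finding = Tuple[int, str, str]  # (line, rule_id, redacted_evidence)
SENSITIVE_NAME = r"\w*(?:password|passwd|secret|token|api_?key|access_?key|private_?key)\w*"
RULES = {
    # key = "literal" or Key: "literal"; heredoc user_data scripts are plain lines, so they match too
    "hardcoded-credential": re.compile(
        r"\b(" + SENSITIVE_NAME + r""")\s*[=:]\s*["']([^"'\n]{4,})["']""", re.IGNORECASE),
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "private-key-material": re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----)"),
}
# Values resolved at deploy time rather than literals: not findings.
INDIRECTIONS = ("${", "{{resolve:", "var.", "data.", "local.")
OUTPUT_BLOCK = re.compile(r'output\s+"([^"]+)"\s*\{([^}]*)\}')

def redact(value: str) -> str:
    """Keep a short prefix so the finding is locatable without reproducing the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)  # the last group is the secret-like value
            if rule_id == "hardcoded-credential" and any(t in value for t in INDIRECTIONS):
                continue
            findings.append((line_no, rule_id, redact(value)))
    # Terraform outputs named like secrets must carry sensitive = true; otherwise the value
    # shows up in plan/apply output, `terraform output` and CI logs.
    for m in OUTPUT_BLOCK.finditer(text):
        name, body = m.group(1), m.group(2)
        if re.fullmatch(SENSITIVE_NAME, name, re.IGNORECASE) and not re.search(r"sensitive\s*=\s*true", body):
            findings.append((text.count("\n", 0, m.start()) + 1, "output-not-sensitive", f'output "{name}"'))
    return findings

# Constructed sample (not from any client repo). The AKIA value is AWS's documented example key ID.
SAMPLE_TF = '''\
resource "aws_db_instance" "main" {
  engine   = "postgres"
  username = "app"
  password = "Sup3rSecretPassw0rd!"
}

resource "aws_db_instance" "replica" {
  password = var.db_password
}

resource "aws_instance" "web" {
  user_data = <<-EOF
    #!/bin/bash
    export API_TOKEN="tok_live_0123456789abcdef"
    aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
  EOF
}

output "db_password" {
  value = aws_db_instance.main.password
}

output "db_endpoint" {
  value = aws_db_instance.main.endpoint
}
'''
# Constructed CloudFormation fragment: a dynamic reference, which must not be reported.
SAMPLE_CFN = '''\
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: app
      MasterUserPassword: "{{resolve:secretsmanager:prod/db:SecretString:password}}"
'''

if __name__ == "__main__":
    for label, text in (("main.tf", SAMPLE_TF), ("db.yaml", SAMPLE_CFN)):
        for line_no, rule_id, evidence in scan_text(text):
            print(f"{label}:{line_no}: {rule_id}: {evidence}")
```

On the Terraform sample it reports lines 4 (literal password), 14 (token in user_data), 15 (access key ID) and 19 (output without sensitive = true), and nothing on the CloudFormation fragment. In an engagement this runs over the full git history as well as the working tree, since a secret removed in a later commit is still recoverable from the repository.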

7. CI/CD & Pipeline Integration Readiness

  • Recommend tfsec/checkov hooks for PR validation
  • Provide .tflint.hcl and config rules for local scanning
  • Validate Terraform plan/apply gates for security-critical resources
  • Recommend Git pre-commit hooks for IaC changes
  • Integrate OPA (Open Policy Agent) for policy-as-code enforcement
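
One concrete form of the plan/apply gate above, added here as an example and not taken from Sherlocked or from any of the listed tools: a script that reads the JSON produced by terraform show -json for a saved plan and blocks the pipeline when a change would destroy an audit or encryption control, open an admin port to the internet, create unencrypted RDS storage, or grant a wildcard IAM action. The protected-type list, the resource names and the sample plan fragment are constructed assumptions; the plan JSON shape (resource_changes with address, type and change.actions/after/after_unknown) is Terraform's documented format.

```python
"""Terraform plan gate for security-critical resources (added example, not a Sherlocked tool).
Reads the JSON from `terraform show -json tfplan` and exits non-zero when a change would remove an
audit/encryption control, open an admin port to the internet, create unencrypted RDS storage or
grant a wildcard IAM action. Usage: terraform show -json tfplan | python plan_gate.py"""
import json
import sys
from typing import Any, Dict, List, Tuple

Violation = Tuple[str, str]  # (resource address, reason)
# Deleting any of these silently removes logging, encryption or a guard-rail.
PROTECTED_TYPES = {"aws_cloudtrail", "aws_kms_key", "aws_flow_log", "aws_guardduty_detector",
                   "aws_config_configuration_recorder", "aws_s3_bucket_public_access_block"}
ADMIN_PORTS = {22, 3389}
ANY_CIDR = {"0.0.0.0/0", "::/0"}

def open_admin_ingress(rule: Dict[str, Any]) -> bool:
    """True if an ingress rule exposes an admin port (or everything) to the whole internet."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANY_CIDR:
        return False
    if str(rule.get("protocol")) == "-1":
        return True
    lo, hi = int(rule.get("from_port") or 0), int(rule.get("to_port") or 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def wildcard_action(policy_json: str) -> bool:
    """True if any Allow statement in the policy document grants '*' or 'service:*'."""
    stmts = json.loads(policy_json).get("Statement", [])
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if s.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            return True
    return False

def evaluate_plan(plan: Dict[str, Any]) -> List[Violation]:
    out: List[Violation] = []
    for rc in plan.get("resource_changes", []):
        addr, rtype, change = rc["address"], rc["type"], rc["change"]
        actions = set(change.get("actions", []))
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if "delete" in actions and rtype in PROTECTED_TYPES:
            out.append((addr, f"destroys protected control {rtype}"))
        if not actions & {"create", "update"}:
            continue  # no-op, read, or deletion of a non-protected resource
        if rtype == "aws_security_group_rule" and after.get("type") == "ingress" and open_admin_ingress(after):
            out.append((addr, "ingress rule opens an admin port to the internet"))
        if rtype == "aws_security_group" and any(open_admin_ingress(r) for r in after.get("ingress") or []):
            out.append((addr, "inline ingress opens an admin port to the internet"))
        # storage_encrypted is None when computed (e.g. Aurora members): only an explicit false fails
        if rtype in {"aws_db_instance", "aws_rds_cluster"} and after.get("storage_encrypted") is False:
            out.append((addr, "storage_encrypted = false"))
        if rtype in {"aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy"}:
            if after.get("policy") is None and unknown.get("policy"):
                out.append((addr, "policy is unknown until apply; failing closed, review manually"))
            elif after.get("policy") and wildcard_action(after["policy"]):
                out.append((addr, "IAM policy allows a wildcard action"))
    return out

# Constructed plan fragment in `terraform show -json` shape (not real client data).
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "before": None, "after": {
         "type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22,
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}}},
    {"address": "aws_cloudtrail.main", "type": "aws_cloudtrail",
     "change": {"actions": ["delete"], "before": {"name": "main"}, "after": None}},
    {"address": "aws_db_instance.app", "type": "aws_db_instance",
     "change": {"actions": ["update"], "before": {"storage_encrypted": True},
                "after": {"storage_encrypted": True, "instance_class": "db.t3.small"}}},
    {"address": "aws_iam_role_policy.lambda_logs", "type": "aws_iam_role_policy",
     "change": {"actions": ["create"], "before": None, "after": {"policy": json.dumps({
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "arn:aws:logs:*:*:*"}]})}}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"], "before": {"bucket": "assets"}, "after": {"bucket": "assets"}}},
]}

def main() -> int:
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    violations = evaluate_plan(plan)
    for addr, reason in violations:
        print(f"BLOCK {addr}: {reason}")
    return 1 if violations else 0

if __name__ == "__main__":
    sys.exit(main())
```

Wired in after terraform plan -out=tfplan, a non-zero exit stops the apply stage; on the constructed plan it blocks the SSH rule and the CloudTrail deletion while letting the encrypted database update and the scoped logging policy through. A policy whose document is only known after apply is treated as a blocker rather than ignored, since that is exactly the case a static scanner on the source cannot see either.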

8. Compliance Mapping

  • Map every misconfiguration to CIS Benchmark (e.g., AWS v1.5, Azure v1.3)
  • Align findings with NIST CSF categories (PR.AC, PR.DS, DE.CM, etc.)
  • Highlight impact on PCI-DSS, HIPAA, or SOC 2 controls where applicable
  • Provide pass/fail matrix for required controls based on environment type (prod/dev/staging)

9. Reporting & Fix Recommendations

  • Provide annotated code diffs showing insecure vs secure configuration
  • Rank findings by risk (critical, high, medium, low)
  • Include fix examples per IaC type (Terraform HCL, CFN JSON/YAML)
  • Recommend automation via CI/CD linting and security tests
Sherlocked – Defend, Detect, Defeat

Add: Indialand Global Techpark Hinjewadi Phase 1 Pune, India 411057
Whatsapp Call: +91 8088734237
Email: info@sherlockedsecurity.com

© 2025 Sherlocked. All rights reserved.