From terraform-aws-eks
Perform security analysis of Terraform configuration
Install: `npx claudepluginhub joshuarweaver/cascade-code-devops-misc-1 --plugin lgbarn-terraform-aws-eks`

Usage: `/security-review <file_or_directory>`

# Security Review Terraform Configuration

Perform a security analysis of Terraform configuration.

Arguments: $ARGUMENTS

## Security Analysis Scope

### IAM Security
- Overly permissive policies
- Wildcard actions and resources
- Missing resource constraints
- Cross-account access risks
- Service role configurations
- Trust policies

### Network Security
- Security group rules
- Public subnet exposure
- VPC endpoint usage
- Network ACLs
- Ingress from 0.0.0.0/0

### Data Protection
- Encryption at rest
- Encryption in transit
- KMS key management
- Secrets handling
- Backup configurations

...
- `"Action": "*"` or `"Resource": "*"`

## Security Review: [Path]
### Executive Summary
- **Overall Risk**: [Critical/High/Medium/Low]
- **Critical Issues**: X
- **High Issues**: Y
- **Medium Issues**: Z
- **Passed Checks**: N
### Critical Issues (Must Fix)

#### 1. IAM Policy Too Permissive
**Resource**: `aws_iam_role_policy.admin` (iam.tf:45)
**Issue**: Policy allows all actions on all resources
**Risk**: Full account compromise if credentials leaked
**Evidence**:
```hcl
policy = jsonencode({
  Statement = [{
    Effect   = "Allow"
    Action   = "*" # CRITICAL: Wildcard action
    Resource = "*" # CRITICAL: Wildcard resource
  }]
})
```
**Remediation**:
```hcl
policy = jsonencode({
  Version = "2012-10-17" # current policy language; required for condition keys and policy variables
  Statement = [{
    Effect   = "Allow"
    Action   = ["s3:GetObject", "s3:PutObject"]
    Resource = ["arn:aws:s3:::specific-bucket/*"]
  }]
})
```
#### 2. SSH Open to the World
**Resource**: `aws_security_group.bastion` (security.tf:12)
**Issue**: SSH port 22 accessible from any IP
**Risk**: Brute force attacks, unauthorized access
**Evidence**:
```hcl
ingress {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"] # CRITICAL
}
```
**Remediation**: Restrict to known IPs or use SSM Session Manager
### High Issues

#### 3. EKS API Endpoint Publicly Accessible
**Resource**: `module.eks` (eks.tf:15)
**Issue**: Cluster endpoint accessible from any IP
**Risk**: Potential unauthorized API access
**Remediation**: Add public_access_cidrs restriction

### Medium Issues

#### 4. S3 Versioning Disabled
**Resource**: `aws_s3_bucket.data` (s3.tf:8)
**Issue**: No versioning enabled
**Risk**: Accidental data loss cannot be recovered
**Remediation**: Enable versioning with an `aws_s3_bucket_versioning` resource

#### 5. VPC Flow Logs Disabled
**Resource**: `module.vpc` (vpc.tf:1)
**Issue**: VPC Flow Logs not enabled
**Risk**: Limited visibility into network traffic
**Remediation**: Add an `aws_flow_log` resource for the VPC
### Passed Checks

| Check | Status |
|---|---|
| S3 encryption enabled | PASS |
| RDS not public | PASS |
| EBS encryption | PASS |
| IRSA configured | PASS |
### Compliance Summary

| Control | Status | Finding |
|---|---|---|
| 1.16 IAM policies | FAIL | Wildcard permissions |
| 2.1 CloudTrail | PASS | Enabled |
| 4.1 Security groups | FAIL | SSH open |
| 4.3 Default VPC | PASS | Not used |
### Remediation Plan

#### Immediate Actions

#### Short-term

#### Long-term
## Workflow
1. Read all Terraform configuration files
2. Parse resources and configurations
3. Check against security rules
4. Categorize by severity
5. Provide specific remediation
6. Generate compliance summary
7. Do NOT make any edits
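Steps 1 to 6 above are what an automated checker does. The following is an added example (it is not code from the terraform-aws-eks plugin or from this command) that runs the scope's IAM, network and data-protection rules over a `terraform show -json` plan, categorises findings by severity, and derives the pass/fail rows the report template asks for. Plan JSON is used rather than raw HCL because it already resolves variables and module references. `PLAN` is a constructed, minimal plan document, `ACCOUNT_ID` is an assumed "own" account used to recognise cross-account trust, and the severity mapping is the example's own choice.

```python
"""Plan-level Terraform security checks (added example, not the plugin's code)."""
import json

ACCOUNT_ID = "123456789012"            # assumption: the account under review
SEVERITY = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def _res(type_, address, **values):    # builds one constructed plan resource entry
    return {"address": address, "type": type_, "values": values}


# Constructed sample in the shape of `terraform show -json` output; only the
# attributes the checks read are present.  Module resources live in child_modules.
PLAN = {"planned_values": {"root_module": {
    "resources": [
        _res("aws_iam_role_policy", "aws_iam_role_policy.admin", policy=json.dumps(
            {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})),
        _res("aws_iam_role", "aws_iam_role.ci", assume_role_policy=json.dumps(
            {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]})),
        _res("aws_security_group", "aws_security_group.bastion", ingress=[
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]),
        _res("aws_s3_bucket", "aws_s3_bucket.data", bucket="data"),
    ],
    "child_modules": [
        {"address": "module.eks", "resources": [
            _res("aws_eks_cluster", "module.eks.aws_eks_cluster.this[0]", vpc_config=[
                {"endpoint_public_access": True, "public_access_cidrs": ["0.0.0.0/0"]}])]},
        {"address": "module.vpc", "resources": [_res("aws_vpc", "module.vpc.aws_vpc.this[0]")]},
    ]}}}


def walk(module):
    """Yield every resource in a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def as_list(v):
    return v if isinstance(v, list) else [v]


def statements(policy_json):
    """Allow statements of an IAM policy document stored as a JSON string."""
    return [s for s in as_list(json.loads(policy_json).get("Statement", []))
            if s.get("Effect") == "Allow"]


def check_iam(resources):
    out = []
    for r in resources:
        if r["type"] in ("aws_iam_role_policy", "aws_iam_policy"):
            for s in statements(r["values"].get("policy", "{}")):
                actions, resource = as_list(s.get("Action", [])), as_list(s.get("Resource", []))
                if "*" in actions and "*" in resource:
                    out.append(("CRITICAL", r["address"], "wildcard action on wildcard resource"))
                elif any(a.endswith(":*") for a in actions):
                    out.append(("HIGH", r["address"], "service-wide wildcard action"))
                elif "*" in resource:
                    out.append(("MEDIUM", r["address"], "missing resource constraint"))
        elif r["type"] == "aws_iam_role":
            for s in statements(r["values"].get("assume_role_policy", "{}")):
                principal = s.get("Principal", {})
                aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
                if "*" in aws:
                    out.append(("CRITICAL", r["address"], "trust policy allows any AWS principal"))
                elif any(f":{ACCOUNT_ID}:" not in p for p in aws) and not s.get("Condition"):
                    out.append(("HIGH", r["address"], "cross-account trust without a Condition (e.g. sts:ExternalId)"))
    return out


def check_network(resources):
    out = []
    for r in resources:
        if r["type"] == "aws_security_group":
            for rule in r["values"].get("ingress", []):
                if "0.0.0.0/0" in rule.get("cidr_blocks", []) or "::/0" in rule.get("ipv6_cidr_blocks", []):
                    # all-protocol rules carry port 0-0, so test protocol -1 separately from the port range
                    admin = rule["protocol"] == "-1" or rule["from_port"] <= 22 <= rule["to_port"]
                    out.append(("CRITICAL" if admin else "HIGH", r["address"],
                                f"ingress {rule['from_port']}-{rule['to_port']}/{rule['protocol']} open to the world"))
        elif r["type"] == "aws_eks_cluster":
            for vc in r["values"].get("vpc_config", []):
                if vc.get("endpoint_public_access") and "0.0.0.0/0" in vc.get("public_access_cidrs", []):
                    out.append(("HIGH", r["address"], "public API endpoint without public_access_cidrs restriction"))
    return out


def check_data(resources):
    out = []
    # bucket is only present in values when it is known at plan time (existing bucket or literal name);
    # an unknown reference appears under after_unknown instead and would show up here as unversioned
    versioned = {r["values"].get("bucket") for r in resources if r["type"] == "aws_s3_bucket_versioning"
                 and any(c.get("status") == "Enabled" for c in r["values"].get("versioning_configuration", []))}
    has_flow_log = any(r["type"] == "aws_flow_log" for r in resources)
    for r in resources:
        if r["type"] == "aws_s3_bucket" and r["values"].get("bucket") not in versioned:
            out.append(("MEDIUM", r["address"], "versioning not enabled"))
        elif r["type"] == "aws_vpc" and not has_flow_log:
            out.append(("MEDIUM", r["address"], "VPC Flow Logs not enabled (no aws_flow_log)"))
    return out


def run_checks(plan):
    """Findings as (severity, address, message), highest severity first (stable within a level)."""
    resources = list(walk(plan["planned_values"]["root_module"]))
    findings = check_iam(resources) + check_network(resources) + check_data(resources)
    return sorted(findings, key=lambda f: SEVERITY.index(f[0]))


def summarize(findings):
    counts = {s: sum(f[0] == s for f in findings) for s in SEVERITY}
    counts["overall"] = next((s for s in SEVERITY if counts[s]), "LOW")
    return counts


def compliance(findings):
    """Only the CIS rows these checks can decide; CloudTrail and default-VPC need other evidence."""
    msgs = [f[2] for f in findings]
    return {"1.16 IAM policies": "FAIL" if "wildcard action on wildcard resource" in msgs else "PASS",
            "4.1 Security groups": "FAIL" if any("open to the world" in m for m in msgs) else "PASS"}


if __name__ == "__main__":
    found = run_checks(PLAN)
    print(summarize(found))
    for sev, addr, msg in found:
        print(f"[{sev}] {addr}: {msg}")
    print(compliance(found))
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and load that file in place of `PLAN`. The checker never writes anything, which matches step 7.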