/security-review

Security Review Terraform Configuration

Perform a security analysis of Terraform configuration. Arguments: $ARGUMENTS

Security Analysis Scope

IAM Security

• Overly permissive policies
• Wildcard actions and resources
• Missing resource constraints
• Cross-account access risks
• Service role configurations
• Trust policies

Network Security

• Security group rules
• Public subnet exposure
• VPC endpoint usage
• Network ACLs
• Ingress from 0.0.0.0/0

Data Protection

• Encryption at rest
• Encryption in transit
• KMS key management
• Secrets handling
• Backup configurations

EKS Security

• Cluster endpoint access
• Pod security standards
• IRSA configuration
• Network policies
• Secrets encryption

Compliance

• CIS AWS Foundations Benchmark
• AWS Well-Architected Security Pillar

Security Checks

Critical (Must Fix)

• IAM policies with "Action": "*" or "Resource": "*"
• Security groups with SSH (22) or RDP (3389) open to 0.0.0.0/0
• S3 buckets without encryption
• S3 buckets with public access
• Secrets in plain text
• Public RDS instances
• EKS public endpoint without CIDR restrictions

High (Should Fix)

• Overly permissive IAM policies
• Missing VPC Flow Logs
• Unencrypted EBS volumes
• Missing CloudTrail
• EKS without secrets encryption
• Missing IRSA for pods

Medium (Consider Fixing)

• Missing resource tagging
• No lifecycle policies
• Missing backup configurations
• Broad security group rules

Output Format

## Security Review: [Path]

### Executive Summary
- **Overall Risk**: [Critical/High/Medium/Low]
- **Critical Issues**: X
- **High Issues**: Y
- **Medium Issues**: Z
- **Passed Checks**: N

### Critical Issues (Must Fix)

#### 1. IAM Policy Too Permissive
**Resource**: `aws_iam_role_policy.admin` (iam.tf:45)
**Issue**: Policy allows all actions on all resources
**Risk**: Full account compromise if credentials leaked
**Evidence**:
```hcl
policy = jsonencode({
  Statement = [{
    Effect   = "Allow"
    Action   = "*"        # CRITICAL: Wildcard action
    Resource = "*"        # CRITICAL: Wildcard resource
  }]
})

Remediation:

policy = jsonencode({
  Statement = [{
    Effect   = "Allow"
    Action   = ["s3:GetObject", "s3:PutObject"]
    Resource = ["arn:aws:s3:::specific-bucket/*"]
  }]
})

2. SSH Open to Internet

Resource: aws_security_group.bastion (security.tf:12) Issue: SSH port 22 accessible from any IP Risk: Brute force attacks, unauthorized access Evidence:

ingress {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]  # CRITICAL
}

Remediation: Restrict to known IPs or use SSM Session Manager

High Issues (Should Fix)

1. EKS Public Endpoint Unrestricted

Resource: module.eks (eks.tf:15) Issue: Cluster endpoint accessible from any IP Risk: Potential unauthorized API access Remediation: Add public_access_cidrs restriction

2. S3 Bucket Without Versioning

Resource: aws_s3_bucket.data (s3.tf:8) Issue: No versioning enabled Risk: Accidental data loss cannot be recovered

Medium Issues (Consider Fixing)

1. Missing VPC Flow Logs

Resource: module.vpc (vpc.tf:1) Issue: VPC Flow Logs not enabled Risk: Limited visibility into network traffic

Passed Checks

Check	Status
S3 encryption enabled	PASS
RDS not public	PASS
EBS encryption	PASS
IRSA configured	PASS

Compliance Summary

CIS AWS Foundations Benchmark

Control	Status	Finding
1.16 IAM policies	FAIL	Wildcard permissions
2.1 CloudTrail	PASS	Enabled
4.1 Security groups	FAIL	SSH open
4.3 Default VPC	PASS	Not used

Recommendations

1. Immediate Actions

   • Remove wildcard IAM permissions
   • Restrict SSH to known IPs

2. Short-term

   • Enable VPC Flow Logs
   • Add EKS public endpoint CIDR restrictions

3. Long-term

   • Implement SCPs for guardrails
   • Enable AWS Config rules

## Workflow

1. Read all Terraform configuration files
2. Parse resources and configurations
3. Check against security rules
4. Categorize by severity
5. Provide specific remediation
6. Generate compliance summary
7. Do NOT make any edits