Skill
infra-security-review
Security patterns and checklists for reviewing Infrastructure-as-Code. Covers Terraform/OpenTofu state, secrets, network, compute, database, and storage security.
From majestic-devopsInstall
1
Run in your terminal$
npx claudepluginhub majesticlabs-dev/majestic-marketplace --plugin majestic-devopsTool Access
This skill uses the workspace's default tool permissions.
Skill Content
Infrastructure Security Review Patterns
Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.
Security Checklists
State Backend Security
| Check | Severity | Pattern |
|---|---|---|
| S3 bucket without encryption | Critical | encrypt = false or missing |
| Missing state locking | High | No DynamoDB table configured |
| Public bucket policy | Critical | block_public_* not all true |
| Missing versioning | Medium | versioning not enabled |
Secret Exposure
| Check | Severity | Pattern |
|---|---|---|
| Hardcoded AWS keys | Critical | AKIA[0-9A-Z]{16} |
| Hardcoded passwords | Critical | password\s*=\s*"[^"]+[^}]" |
| Database credentials in code | Critical | DATABASE_URL with password |
| API keys in variables | High | api_key, secret_key defaults |
Network Security
| Check | Severity | Pattern |
|---|---|---|
| SSH open to world | Critical | 0.0.0.0/0 on port 22 |
| Database publicly accessible | Critical | Missing private_network_uuid |
| Wide CIDR ranges | Medium | /8, /16 on public resources |
| Missing firewall | High | Droplet without firewall resource |
Compute Security
| Check | Severity | Pattern |
|---|---|---|
| Root login enabled | High | PermitRootLogin yes in cloud-init |
| Password auth enabled | Medium | PasswordAuthentication yes |
| Missing SSH hardening | Low | No ClientAliveInterval config |
| No monitoring | Low | monitoring = false |
Database Security
| Check | Severity | Pattern |
|---|---|---|
| Public database access | Critical | No database firewall rules |
| No VPC attachment | High | Missing private_network_uuid |
| Weak version | Medium | Old database engine versions |
| Single node for production | Low | node_count = 1 in prod |
Storage Security
| Check | Severity | Pattern |
|---|---|---|
| Public S3 buckets | Critical | acl = "public-read" |
| Missing encryption | High | No SSE configuration |
| No access logging | Medium | Missing access log bucket |
Grep Patterns
# Hardcoded secrets
grep -rE 'AKIA[0-9A-Z]{16}' *.tf
grep -rE 'password\s*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'secret.*=\s*"[^$\{][^"]*"' *.tf
grep -rE 'api_key\s*=\s*"' *.tf
# Network exposure
grep -rE '0\.0\.0\.0/0.*22' *.tf
grep -rE 'cidr_blocks.*0\.0\.0\.0/0' *.tf
grep -rE 'publicly_accessible\s*=\s*true' *.tf
# State security
grep -rE 'encrypt\s*=\s*false' *.tf
grep -rE 'block_public_acls\s*=\s*false' *.tf
# Cloud-init issues
grep -rE 'PermitRootLogin\s+yes' *.tf *.yaml
grep -rE 'PasswordAuthentication\s+yes' *.tf *.yaml
Report Template
# Infrastructure Security Review
**Repository:** [name]
**Date:** [date]
**Files Reviewed:** [count]
## Summary
| Severity | Count |
|----------|-------|
| Critical | X |
| High | X |
| Medium | X |
| Low | X |
## Findings
### [SEVERITY-001] Title
**File:** `path/to/file.tf:line`
**Resource:** `resource_type.name`
**Issue:**
Description of the security issue.
**Current:**
```hcl
[current code]
Remediation:
[fixed code]
Compliance Notes
- State encryption enabled (SOC 2)
- No hardcoded credentials (PCI-DSS)
- Network segmentation in place (HIPAA)
- Access logging enabled (all frameworks)
## Severity Guide
| Severity | Definition | Action |
|----------|------------|--------|
| Critical | Direct security exposure, data breach risk | Block deployment |
| High | Significant risk, exploitable weakness | Fix before production |
| Medium | Best practice violation, indirect risk | Fix within 30 days |
| Low | Minor hardening opportunity | Address when convenient |
Similar Skills
Stats
Parent Repo Stars30
Parent Repo Forks6
Last CommitJan 12, 2026