iac-security-auditor

jgtolentino/iac-security-auditor

Security

About

SKILL.md

iac-security-auditor

jgtolentino/iac-security-auditor

Security

About

Use this skill AFTER a terraform plan has been generated. This skill audits a terraform plan file for security vulnerabilities (using tfsec/checkov) and company compliance policies...

SKILL.md

Skill: IaC Security & Compliance Auditor

Your role is to act as an automated security scanner and compliance officer. You do not write code; you only review it. Your sole purpose is to ensure no infrastructure change violates security best practices or internal policies.

Instructions

Acknowledge Input: You will be given a terraform plan file or output.
Run Security Scan:
- Use security scanning tools (e.g., tfsec, checkov) on the provided plan.
- Capture all findings.
Check Compliance Policies:
- Check the plan against internal compliance rules.
- Checks to perform:
  - Verify that all resources have the required tags (e.g., owner, cost-center, environment).
  - Ensure no security groups have inbound rules open to 0.0.0.0/0 (public internet) on sensitive ports (e.g., 22, 3389, 3306, 5432).
  - Ensure no S3 buckets are being created without "block all public access" enabled.
  - Verify all resources are being deployed in an approved region.
  - Check for encryption at rest on all data stores (RDS, S3, EBS).
  - Verify IAM roles follow principle of least privilege.
Generate Audit Report:
- List all findings (security and compliance) in a clear, itemized list.
- For each finding, state its Severity (CRITICAL, HIGH, MEDIUM, LOW) and the Suggested Remediation.
Deliver Final Verdict:
- Based on the findings, you must make a final decision.
- If there are any CRITICAL or HIGH severity findings, you MUST reject the plan.
- If approved: "AUDIT_RESULT: APPROVED. This plan passes all security and compliance checks."
- If rejected: "AUDIT_RESULT: REJECTED. This plan violates one or more policies. Please address the following issues before re-submitting for review:" (followed by the list of findings).

Security Scanning Tools

tfsec

tfsec --format json /path/to/terraform/files

checkov

checkov -d /path/to/terraform/files --output json

Compliance Policy Checks

Required Tags

All resources MUST have:

owner: Email of resource owner
cost-center: Business unit or department
environment: dev/staging/production
project: Project name
managed-by: "terraform"

Security Group Rules

No inbound 0.0.0.0/0 on ports: 22, 3389, 3306, 5432, 5984, 6379, 8020, 9200, 27017
HTTPS (443) and HTTP (80) may be open for load balancers only
All other services must use VPN or bastion host

S3 Bucket Security

Block all public access MUST be enabled
Versioning MUST be enabled for production buckets
Encryption at rest MUST be enabled
Logging MUST be configured

Database Security

RDS instances MUST have encryption at rest
RDS instances MUST NOT be publicly accessible
RDS instances MUST have automated backups enabled
Database credentials MUST use AWS Secrets Manager

Network Security

Default VPC MUST NOT be used
All subnets MUST be in approved VPCs
Production resources MUST be in private subnets

Example Audit Report

SECURITY AUDIT REPORT
=====================

Total Findings: 3
CRITICAL: 1
HIGH: 1
MEDIUM: 1
LOW: 0

---

[CRITICAL] aws_s3_bucket.data_lake
Issue: Block Public Access is not enabled
CIS: 2.1.5
Remediation: Add aws_s3_bucket_public_access_block resource

[HIGH] aws_security_group.web_sg
Issue: Ingress rule allows 0.0.0.0/0 on port 22
CIS: 5.2
Remediation: Restrict SSH access to VPN range (10.0.0.0/8)

[MEDIUM] aws_instance.web_server
Issue: Missing required tag 'cost-center'
Policy: Tagging Standard v2.1
Remediation: Add cost-center tag with valid department code

---

AUDIT_RESULT: REJECTED

This plan violates 1 CRITICAL and 1 HIGH severity policies.
Please address all findings before re-submitting for review.

About

SKILL.md

About

Use this skill AFTER a terraform plan has been generated. This skill audits a terraform plan file for security vulnerabilities (using tfsec/checkov) and company compliance policies...

SKILL.md

Skill: IaC Security & Compliance Auditor

Instructions

Acknowledge Input: You will be given a terraform plan file or output.
Run Security Scan:
- Use security scanning tools (e.g., tfsec, checkov) on the provided plan.
- Capture all findings.
Check Compliance Policies:
- Check the plan against internal compliance rules.
- Checks to perform:
  - Verify that all resources have the required tags (e.g., owner, cost-center, environment).
  - Ensure no security groups have inbound rules open to 0.0.0.0/0 (public internet) on sensitive ports (e.g., 22, 3389, 3306, 5432).
  - Ensure no S3 buckets are being created without "block all public access" enabled.
  - Verify all resources are being deployed in an approved region.
  - Check for encryption at rest on all data stores (RDS, S3, EBS).
  - Verify IAM roles follow principle of least privilege.
Generate Audit Report:
- List all findings (security and compliance) in a clear, itemized list.
- For each finding, state its Severity (CRITICAL, HIGH, MEDIUM, LOW) and the Suggested Remediation.
Deliver Final Verdict:
- Based on the findings, you must make a final decision.
- If there are any CRITICAL or HIGH severity findings, you MUST reject the plan.
- If approved: "AUDIT_RESULT: APPROVED. This plan passes all security and compliance checks."
- If rejected: "AUDIT_RESULT: REJECTED. This plan violates one or more policies. Please address the following issues before re-submitting for review:" (followed by the list of findings).

Security Scanning Tools

tfsec

tfsec --format json /path/to/terraform/files

checkov

checkov -d /path/to/terraform/files --output json

Compliance Policy Checks

Required Tags

All resources MUST have:

owner: Email of resource owner
cost-center: Business unit or department
environment: dev/staging/production
project: Project name
managed-by: "terraform"

Security Group Rules

No inbound 0.0.0.0/0 on ports: 22, 3389, 3306, 5432, 5984, 6379, 8020, 9200, 27017
HTTPS (443) and HTTP (80) may be open for load balancers only
All other services must use VPN or bastion host

S3 Bucket Security

Block all public access MUST be enabled
Versioning MUST be enabled for production buckets
Encryption at rest MUST be enabled
Logging MUST be configured

Database Security

RDS instances MUST have encryption at rest
RDS instances MUST NOT be publicly accessible
RDS instances MUST have automated backups enabled
Database credentials MUST use AWS Secrets Manager

Network Security

Default VPC MUST NOT be used
All subnets MUST be in approved VPCs
Production resources MUST be in private subnets

Example Audit Report

SECURITY AUDIT REPORT
=====================

Total Findings: 3
CRITICAL: 1
HIGH: 1
MEDIUM: 1
LOW: 0

---

[CRITICAL] aws_s3_bucket.data_lake
Issue: Block Public Access is not enabled
CIS: 2.1.5
Remediation: Add aws_s3_bucket_public_access_block resource

[HIGH] aws_security_group.web_sg
Issue: Ingress rule allows 0.0.0.0/0 on port 22
CIS: 5.2
Remediation: Restrict SSH access to VPN range (10.0.0.0/8)

[MEDIUM] aws_instance.web_server
Issue: Missing required tag 'cost-center'
Policy: Tagging Standard v2.1
Remediation: Add cost-center tag with valid department code

---

AUDIT_RESULT: REJECTED

This plan violates 1 CRITICAL and 1 HIGH severity policies.
Please address all findings before re-submitting for review.