Paste your Terraform .tf file. Checks for the misconfigurations that show up in every cloud security audit: hardcoded credentials, open security groups, public S3 buckets, unencrypted RDS/EBS, and missing deletion protection.
```hcl
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"                     # flagged: hardcoded credential
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" # flagged: hardcoded credential
}

resource "aws_security_group" "web" {
  name = "web-sg"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # flagged: SSH open to the internet
  }
  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # flagged: MySQL open to the internet
  }
}

resource "aws_s3_bucket" "data" {
  bucket = "my-company-data" # flagged: no aws_s3_bucket_public_access_block attached
}

resource "aws_s3_bucket_acl" "data_acl" {
  bucket = aws_s3_bucket.data.id
  acl    = "public-read" # flagged: public bucket ACL
}

resource "aws_db_instance" "main" {
  identifier          = "prod-db"
  engine              = "mysql"
  instance_class      = "db.t3.medium"
  username            = "admin"
  password            = "SuperSecret123!" # flagged: hardcoded password
  publicly_accessible = true              # flagged: database reachable from the internet
  storage_encrypted   = false             # flagged: unencrypted storage
  deletion_protection = false             # flagged: deletion protection disabled
  skip_final_snapshot = true              # flagged: destroy leaves no backup
}

resource "aws_ebs_volume" "data" {
  availability_zone = "us-east-1a"
  size              = 100
  encrypted         = false # flagged: unencrypted volume
}
```
What gets flagged most often
- Hardcoded AWS credentials (Critical): access_key and secret_key in the provider block end up in git history, Terraform state files, and CI logs. Use environment variables or IAM roles — never hardcode credentials.
- SSH/database ports open to 0.0.0.0/0 (Critical): Port 22 open to the internet gets probed constantly. Database ports (5432, 3306, etc.) should only accept connections from your application tier security group, never from the internet directly.
- S3 bucket without public access block (High): An account-level permission change or future misconfiguration can suddenly expose an unprotected bucket. Always attach aws_s3_bucket_public_access_block.
- RDS skip_final_snapshot = true (Medium): Running terraform destroy destroys your database with no backup. Set it to false and provide a final_snapshot_identifier.
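A hardened counterpart of the sample file, added here as an example rather than the tool's own output: it resolves each finding above (the EBS volume only needs encrypted = true). It assumes var.admin_cidr, var.db_password and an application-tier aws_security_group.app are defined elsewhere, and references the sample's aws_s3_bucket.data.

```hcl
provider "aws" {
  region = "us-east-1" # no access_key/secret_key: use env vars, an IAM role or CI OIDC
}

resource "aws_security_group" "web" {
  name = "web-sg"
  ingress { # SSH only from an admin/bastion range (assumed variable), never 0.0.0.0/0
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
}

resource "aws_security_group" "db" {
  name = "db-sg"
  ingress { # MySQL only from the application tier's security group (assumed to exist)
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}

resource "aws_s3_bucket_public_access_block" "data" { # closes every public ACL/policy path
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

variable "db_password" {
  sensitive = true # supplied via TF_VAR_db_password or a secrets manager, not in .tf
}

resource "aws_db_instance" "main" {
  identifier                = "prod-db"
  engine                    = "mysql"
  instance_class            = "db.t3.medium"
  username                  = "admin"
  password                  = var.db_password
  vpc_security_group_ids    = [aws_security_group.db.id]
  publicly_accessible       = false
  storage_encrypted         = true
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "prod-db-final"
}
```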
For full static analysis with 200+ rules, use tfsec or Checkov. This tool catches the most common and critical issues quickly in the browser. For infrastructure-adjacent security: K8s YAML · Docker Compose · GitHub Actions.