Terraform Security Analyzer
Analyze Terraform HCL code for security misconfigurations, open ports, and unencrypted resources
What is the Terraform Security Analyzer?
The Terraform Security Analyzer is a client-side tool that scans your Terraform HCL code for common security misconfigurations. It detects open security groups, public S3 buckets, disabled encryption, unencrypted RDS instances, IAM wildcards, and overly permissive network rules — then calculates a risk score with actionable remediation recommendations.
How to Use
- Paste your Terraform HCL configuration into the input field
- Click "Analyze" or wait for automatic processing
- Review findings with severity ratings (Critical, High, Medium, Low)
- Follow the recommendations to harden your infrastructure code
- Export a full report in JSON or Markdown format
Example: Insecure Terraform Configuration
This Terraform code has multiple security issues that the analyzer will detect:
```hcl
# Deliberately insecure example: every resource below carries at least one finding.
resource "aws_security_group" "open_sg" {
  name = "open-to-world"

  # SSH open to the whole internet
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All traffic to any destination (protocol "-1" means all protocols and requires ports 0/0)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "public_data" {
  bucket = "company-public-bucket"
  acl    = "public-read" # world-readable; no server_side_encryption_configuration block either
}

resource "aws_db_instance" "main" {
  engine         = "mysql"
  instance_class = "db.t3.medium"
  # other required arguments (allocated_storage, username, password) omitted for brevity;
  # storage_encrypted is absent, so it defaults to false
}

resource "aws_iam_policy" "admin" {
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["*"]
      Resource = ["*"]
    }]
  })
}
```
What Security Issues Are Detected?
- Open security groups — Ingress rules allowing 0.0.0.0/0 on sensitive ports (SSH, RDP, databases) expose services to the internet
- Public S3 buckets — ACL set to public-read or public-read-write allows anyone to access bucket contents
- Disabled encryption — S3 buckets without server_side_encryption_configuration store data unencrypted at rest
- Unencrypted RDS — Database instances without storage_encrypted = true leave data vulnerable
- IAM wildcards — Actions or resources set to "*" grant unrestricted permissions violating least privilege
- Permissive egress — Unrestricted outbound rules on all ports and protocols to any destination
- Unencrypted EBS — EC2 instances and EBS volumes without encryption expose data at rest
- All-port ingress — Security groups allowing all ports from 0.0.0.0/0 provide no network isolation
Security Scoring
Each Terraform configuration receives a score from 0 to 100. The score starts at 100, deducts a weight per finding by severity (Critical 25 points, High 15, Medium 8, Low 3) and is clamped at 0, so a few severe findings can exhaust it. The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
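The detection list above and the scoring rules, as an added JavaScript example that is not the page's own tool: a pattern-based rule engine over HCL text. Everything in it is an assumption about how such a tool could be built (the brace-matching block finder, the attribute regex, the SENSITIVE_PORTS list, the rule names and the rule-to-severity mapping are all mine, not the analyzer's), and the sample configuration is constructed, not real infrastructure.

```javascript
// Added example, not the page's own code: a small rule engine of the kind the page
// describes. Resource blocks are found by brace matching, a few of the listed checks
// run over their text, and the result is scored with the page's weights. Assumptions:
// attribute values are literals (variables are not resolved), no brace inside strings.
const WEIGHTS = { Critical: 25, High: 15, Medium: 8, Low: 3 };
const SENSITIVE_PORTS = [22, 3389, 1433, 3306, 5432, 6379, 27017]; // SSH, RDP, databases

// Every block whose header matches headerRe; returns the header match and body text.
function findBlocks(text, headerRe) {
  const re = new RegExp(headerRe.source + '\\s*\\{', 'g');
  const blocks = [];
  for (let m; (m = re.exec(text)) !== null; ) {
    let depth = 1, i = re.lastIndex;
    for (; i < text.length && depth > 0; i++) {
      if (text[i] === '{') depth++;
      else if (text[i] === '}') depth--;
    }
    blocks.push({ match: m, body: text.slice(re.lastIndex, i - 1) });
    re.lastIndex = i; // continue after the block so nested headers are not rescanned
  }
  return blocks;
}

// Raw literal of an attribute in a block body (quotes kept), or null when absent.
function attr(body, name) {
  const m = body.match(new RegExp('^\\s*' + name + '\\s*=\\s*(.+?)\\s*$', 'm'));
  return m ? m[1] : null;
}

function worldOpen(rule) {
  return (attr(rule, 'cidr_blocks') || '').includes('0.0.0.0/0') ||
         (attr(rule, 'ipv6_cidr_blocks') || '').includes('::/0');
}

function analyze(hcl) {
  const findings = [];
  const add = (id, severity, rule) => findings.push({ id, severity, rule });
  for (const { match, body } of findBlocks(hcl, /resource\s+"([^"]+)"\s+"([^"]+)"/)) {
    const type = match[1], id = `${type}.${match[2]}`;
    if (type === 'aws_security_group') {
      for (const { body: r } of findBlocks(body, /\bingress/)) {
        if (!worldOpen(r)) continue;
        const from = Number(attr(r, 'from_port')), to = Number(attr(r, 'to_port'));
        if (attr(r, 'protocol') === '"-1"' || (from === 0 && to === 65535)) {
          add(id, 'Critical', 'all ports open to the internet');
        } else if (SENSITIVE_PORTS.some(p => p >= from && p <= to)) {
          add(id, 'Critical', `sensitive port range ${from}-${to} open to the internet`);
        }
      }
      for (const { body: r } of findBlocks(body, /\begress/)) {
        if (worldOpen(r) && attr(r, 'protocol') === '"-1"') add(id, 'Medium', 'unrestricted egress');
      }
    } else if (type === 'aws_s3_bucket') {
      if (/^"public-read(-write)?"$/.test(attr(body, 'acl') || '')) add(id, 'Critical', 'public ACL');
      if (!body.includes('server_side_encryption_configuration')) add(id, 'High', 'no server-side encryption');
    } else if (type === 'aws_db_instance' || type === 'aws_rds_cluster') {
      if (attr(body, 'storage_encrypted') !== 'true') add(id, 'High', 'storage_encrypted is not true');
    } else if (type === 'aws_iam_policy' || type === 'aws_iam_role_policy') {
      if (/(Action|Resource)\s*=\s*\[?\s*"\*"/.test(body)) add(id, 'High', 'wildcard action or resource');
    }
  }
  return findings;
}

// Start at 100, deduct per finding, clamp at 0, map to the page's letter grades.
function scoreFindings(findings) {
  const score = Math.max(0, 100 - findings.reduce((s, f) => s + WEIGHTS[f.severity], 0));
  const grade = score >= 90 ? 'A' : score >= 75 ? 'B' : score >= 60 ? 'C' : score >= 40 ? 'D' : 'F';
  return { score, grade };
}

// Constructed sample input (not real infrastructure) following the page's insecure pattern.
const INSECURE_HCL = `
resource "aws_security_group" "open_sg" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_s3_bucket" "public_data" {
  acl = "public-read"
}
resource "aws_db_instance" "main" {
  engine = "mysql"
}
resource "aws_iam_policy" "admin" {
  policy = jsonencode({ Statement = [{ Effect = "Allow", Action = ["*"], Resource = ["*"] }] })
}`;

console.log(analyze(INSECURE_HCL), scoreFindings(analyze(INSECURE_HCL)));
```

Run against the sample it reports six findings (two Critical, three High, one Medium) for 103 points of deductions, which clamps to a score of 0 and grade F; restricting the ingress CIDR, making the bucket private with a server_side_encryption_configuration block, setting storage_encrypted = true and scoping the policy to named actions and ARNs brings it back to 100. Because these checks match literal values, anything that arrives through a variable, local or module output is invisible to them, which is the main reason to treat a quick check like this as a complement to a full scanner rather than a pipeline gate.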
Terraform Security Best Practices
- Restrict security group ingress to specific IP ranges; never use 0.0.0.0/0 (or its IPv6 equivalent ::/0) on SSH or database ports
- Use private ACLs for S3, add an aws_s3_bucket_public_access_block per bucket, and enable S3 Block Public Access at the account level
- Enable encryption at rest for all S3 buckets, RDS instances, and EBS volumes
- Follow IAM least privilege — specify only required actions on specific resource ARNs
- Limit egress rules to known destinations and required ports
- Enable default EBS encryption at the account level for new volumes
- Use AWS KMS customer-managed keys for sensitive workloads
- Complement this tool with CI/CD scanners like tfsec (now part of Trivy) or Checkov for pipeline gates
Privacy and Security
All analysis happens entirely in your browser using JavaScript. Your Terraform code — which may contain infrastructure details, resource names, IP ranges, and configuration secrets — is never transmitted to any server. No data is stored, logged, or shared.
Frequently Asked Questions
What security issues does the Terraform Security Analyzer detect?
The analyzer detects open security groups (ingress from 0.0.0.0/0 on sensitive ports like SSH, RDP, and databases), public S3 buckets (public-read or public-read-write ACL), disabled encryption (S3 without server_side_encryption_configuration, RDS without storage_encrypted), unencrypted EBS volumes, IAM wildcards (actions or resources set to "*"), and overly permissive egress rules. Each finding includes severity classification and remediation recommendations.
How is the security score calculated?
The score starts at 100 and deducts points based on finding severity: Critical issues (like open security groups or public S3 buckets) deduct 25 points, High issues (like missing encryption or IAM wildcards) deduct 15, Medium issues (like permissive egress) deduct 8, and Low issues deduct 3. The final score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
Is my Terraform code sent to any server?
No. All analysis happens entirely in your browser using JavaScript. Your Terraform code — which may contain infrastructure details, resource names, and configuration secrets — never leaves your device. No data is stored, logged, or transmitted.
What Terraform providers are supported?
The analyzer primarily targets AWS provider resources including aws_security_group, aws_s3_bucket, aws_db_instance, aws_rds_cluster, aws_ebs_volume, aws_instance, and IAM policy resources. The HCL parser supports any valid Terraform syntax, but security rules are focused on AWS infrastructure patterns.
Why is 0.0.0.0/0 on SSH (port 22) flagged as critical?
Opening SSH to the entire internet (0.0.0.0/0) exposes the instance to brute-force attacks, credential stuffing, and exploitation of SSH vulnerabilities. Best practice is to restrict SSH access to known IP ranges (office, VPN) and use bastion hosts or AWS Systems Manager Session Manager for remote access.
What is the maximum input size supported?
The analyzer accepts Terraform files up to 2MB. Files between 200KB and 2MB will show a warning that processing may be slow. For files larger than 50KB, processing is automatically offloaded to a background thread to keep the UI responsive.
Can I analyze multi-file Terraform configurations?
The analyzer processes one input at a time. For multi-file configurations, paste the contents of each .tf file separately or concatenate them. The HCL parser handles multiple resource blocks in a single input without issues.
What is the difference between this tool and a full Terraform security scanner like tfsec?
This tool provides instant browser-based analysis for common security misconfigurations without installing any software. Tools like tfsec (now part of Trivy) or Checkov are CLI-based scanners with broader rule sets, module and variable resolution, and CI/CD integration. Use this tool for quick security checks during development and dedicated scanners for comprehensive CI/CD pipeline security gates.