Aqua Security’s scanner can find security holes in your Terraform Infrastructure as Code.
resource "aws_instance" "example" {
  ami           = "ami-0abcdef1234567890"
  instance_type = "t2.micro"
  tags = {
    Name = "HelloWorld"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "my-unique-terraform-bucket-12345"
  acl    = "private"
  versioning {
    enabled = true
  }
}
This Terraform code defines an AWS EC2 instance and an S3 bucket. Aqua Security’s scanner, when pointed at this code, will analyze it for potential security misconfigurations before you deploy it to AWS. It’s like a spell-check for your infrastructure, but instead of grammar, it’s catching vulnerabilities.
The core problem Aqua solves is the drift between developer intent and secure, compliant infrastructure. Developers write Terraform to define resources, but they might not be security experts. They might forget to set the S3 bucket to private, or they might use an older, vulnerable AMI for the EC2 instance. Aqua acts as an automated gatekeeper, integrating into your CI/CD pipeline to catch these issues early.
Internally, Aqua uses a vast database of security policies and known vulnerabilities. When you run a scan, it parses your Terraform files, understands the resources being declared, and compares their configurations against these policies. It’s not just looking for specific strings; it’s interpreting the meaning of your Terraform code. For instance, it knows that acl = "public-read" on an S3 bucket is a high-risk configuration and will flag it.
The levers you control are primarily the policies you enable and configure. Aqua offers a wide range of built-in policies covering compliance frameworks such as the CIS Benchmarks, PCI DSS, and HIPAA, as well as general security best practices. You can also write custom policies in Aqua’s policy-as-code language (OPA Rego) to enforce your organization’s specific security requirements. When running the scanner, you can specify which policies to enforce, for example: aqua scan --terraform --policy-bundle cis-aws-1.2.0 --policy-bundle pci-dss-v3.2.1 main.tf.
When Aqua scans Terraform, it doesn’t just look at the .tf files in isolation. It also understands how Terraform modules and providers interact, and it can even incorporate data from a terraform plan output to understand the actual state of resources that will be created or modified. This provides a much more accurate picture of potential risks than static analysis alone.
The most surprising thing about IaC scanning is how much critical information can be gleaned from the absence of a configuration. For example, if a Terraform resource doesn’t explicitly define a network_acl for an EC2 instance, Aqua can infer that it’s relying on the default network ACLs, which might be too permissive. It understands the default behaviors of cloud providers and flags when those defaults are not explicitly hardened by your code.
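To make the two ideas above concrete (a public ACL is flagged as high risk, and an absent block means the provider default applies), here is an added example of a minimal policy check over Terraform plan JSON, the `terraform show -json` format the scanner can consume. It is not Aqua’s code; the plan snippet is constructed and trimmed to the attributes inspected.

```python
"""Minimal policy checks over `terraform show -json` plan output.

Added example (not Aqua's code): it mirrors two of the rules the article
describes: a public S3 ACL is high risk, and a *missing* versioning block
means the provider default (disabled) applies.
"""
import json

# Constructed sample: the shape follows Terraform's plan JSON format
# (resource_changes[].change.after), trimmed to the attributes we inspect.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "logs-bucket-12345", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "my-unique-terraform-bucket-12345",
                              "acl": "private",
                              "versioning": [{"enabled": True}]}}},
        {"address": "aws_instance.example", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"instance_type": "t2.micro"}}},
    ]
})

PUBLIC_ACLS = {"public-read", "public-read-write"}


def check_bucket(address, after):
    """Return (address, severity, message) findings for one aws_s3_bucket."""
    findings = []
    acl = after.get("acl", "private")  # provider default when acl is omitted
    if acl in PUBLIC_ACLS:
        findings.append((address, "HIGH", f"bucket ACL '{acl}' grants public access"))
    # The absent block is the interesting case: with no versioning block the
    # provider default (disabled) applies, so absence is treated as disabled.
    versioning = after.get("versioning") or [{}]
    if not versioning[0].get("enabled", False):
        findings.append((address, "MEDIUM", "versioning is not enabled"))
    return findings


def scan_plan(plan_json):
    """Evaluate every planned aws_s3_bucket; resources being deleted are skipped."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc["type"] != "aws_s3_bucket" or "delete" in rc["change"]["actions"]:
            continue
        findings.extend(check_bucket(rc["address"], rc["change"]["after"] or {}))
    return findings


if __name__ == "__main__":
    for address, severity, msg in scan_plan(SAMPLE_PLAN):
        print(f"{severity:6} {address}: {msg}")
```

Run against the sample, only the logs bucket produces findings; the article’s own bucket (private ACL, versioning enabled) passes both checks.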
The next step after scanning your Terraform code is to integrate these scans into your Git commit or pull request workflow.