Identifying Misconfigurations in Terraform Code w/ tfsec

Get a live demo of some examples using tfsec to catch Terraform misconfigurations by the maintainers of the project.

You've heard the stories: S3 buckets, Elasticsearch services, Google buckets, and other cloud resources provisioned while being completely open to the internet. tfsec is a popular, open source, static analysis tool for Terraform code that can alert you before these kinds of mistakes are made.

What You'll Learn

Owen Rumney from Aqua Security will spend most of this talk demoing tfsec to identify potential issues early in your Terraform workflow and in your CI/CD pipelines. You'll learn:

  • What constitutes a misconfiguration or sub-optimal configuration?

  • How can the risks be mitigated

    • Using tfsec static analysis for Terraform

    • Using tfsec in a GitHub pipeline

    • Shifting left and discovering issues before they leave the developers' machines

To see some of the code used in this demo, check out Owen's GitHub repository.

More resources like this one