Security & compliance review

Terracotta AI helps platform and DevOps teams catch critical infrastructure security issues early by automatically auditing Terraform and CDKTF pull requests for security misconfigurations, compliance gaps, and IaC anti-patterns.

Our review engine is trained on cloud provider security best practices (e.g., AWS, GCP, Azure), Terraform idioms, and modern compliance frameworks like SOC 2, ISO 27001, and CIS benchmarks.

💬 To trigger a full security audit in a PR, comment:

@try-terracotta perform an in depth security and compliance audit on this diff


🧠 What the AI Looks For

Terracotta’s AI security engine performs deep static analysis to detect:

  • 🔐 Open network access (e.g. 0.0.0.0/0 on sensitive ports)
  • 🔐 IAM policy misconfigurations ("*" in Action or Resource)
  • 🔐 Unencrypted data stores (S3, DynamoDB, EBS)
  • 🔐 Lack of key rotation for KMS keys
  • 📛 Noncompliant naming/tagging standards
  • ⚠️ Secrets in code (access keys, passwords)
  • ⚙️ Missing security-related Terraform blocks (e.g. server_side_encryption, public_access_block)

It provides:

  • Grouped findings by severity
  • Fix recommendations as HCL diffs
  • Policy explanations and compliance risks
  • A TL;DR summary with next steps

🚨 Sample Issues Detected

🔴 HIGH Severity

  • Overly Permissive Security Group:

    Ingress rule allows SSH from 0.0.0.0/0.

  • Noncompliant Resource Naming:

    Missing required prefix: org-, team-, or env-

🟠 MEDIUM Severity

  • No public access block on S3 state bucket
  • No encryption block on DynamoDB tables
  • No key rotation enabled on the KMS key used to encrypt root volumes

🟢 LOW Severity

  • Hardcoded AMI ID instead of using data "aws_ami"
  • Missing prevent_destroy on critical resources
  • Inconsistent resource tagging
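As an added illustration of the checks listed under "What the AI Looks For" and the sample issues above, the Python below implements a subset of them over a constructed Terraform snippet: a sensitive port open to the world, a wildcard IAM statement, a DynamoDB table with no server_side_encryption block, a KMS key without rotation, and credential literals. This is example code written for this page, not Terracotta's engine; it is a regex-and-brace-matching scan rather than a real HCL parser (it assumes balanced braces and one attribute per line). SENSITIVE_PORTS is an assumed list, the sample config is constructed, and the AKIA/secret_key strings are AWS's documented placeholder credentials.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample config (not from a real repo); the AKIA/secret values are AWS's documented placeholders.
SAMPLE_TF = r'''
resource "aws_security_group" "ec2_sg" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_iam_policy" "admin" {
  policy = jsonencode({
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
resource "aws_dynamodb_table" "state_lock" {
  name = "tf-lock"
}
resource "aws_kms_key" "data" {
}
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}  # assumed list: SSH, RDP, common DB ports
ANY_CIDR = ("0.0.0.0/0", "::/0")
HEADER_RE = re.compile(r'^\s*(resource|provider|data)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{', re.M)
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
LITERAL_SECRET_RE = re.compile(r'^\s*(secret_key|password|secret)\s*=\s*"[^"$]+"', re.M)
WILDCARD_RE = re.compile(r'\b(Action|Resource)"?\s*[:=]\s*\[?\s*"\*"')

@dataclass
class Finding:
    severity: str
    address: str  # e.g. resource.aws_security_group.ec2_sg
    message: str

def _body(text: str, open_idx: int) -> str:
    # Text between the '{' at open_idx and its matching '}'; HCL braces balance even
    # inside jsonencode({...}) objects, so depth counting is enough for this scan.
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def parse_blocks(text: str) -> List[Tuple[str, str, Optional[str], str]]:
    # (kind, type, name, body) for each top-level resource / provider / data block
    return [(m.group(1), m.group(2), m.group(3), _body(text, m.end() - 1))
            for m in HEADER_RE.finditer(text)]

def nested(body: str, label: str) -> List[str]:
    return [_body(body, m.end() - 1) for m in re.finditer(r"\b%s\s*\{" % label, body)]

def attr(body: str, name: str) -> Optional[str]:
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % name, body, re.M)
    return m.group(1).strip('"') if m else None

def check_block(kind: str, rtype: str, name: Optional[str], body: str) -> List[Finding]:
    addr, out = ".".join(x for x in (kind, rtype, name) if x), []
    if rtype == "aws_security_group":
        for ing in nested(body, "ingress"):
            cidrs = (attr(ing, "cidr_blocks") or "") + (attr(ing, "ipv6_cidr_blocks") or "")
            lo, hi, proto = attr(ing, "from_port"), attr(ing, "to_port"), attr(ing, "protocol")
            ports_known = lo is not None and hi is not None and lo.isdigit() and hi.isdigit()
            sensitive = proto == "-1" or (ports_known and any(int(lo) <= p <= int(hi) for p in SENSITIVE_PORTS))
            if sensitive and any(c in cidrs for c in ANY_CIDR):
                out.append(Finding("HIGH", addr, f"ingress {lo}-{hi}/{proto} open to the world"))
    if rtype in ("aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy") and WILDCARD_RE.search(body):
        out.append(Finding("HIGH", addr, 'wildcard "*" in Action or Resource'))
    if rtype == "aws_dynamodb_table" and not nested(body, "server_side_encryption"):
        out.append(Finding("MEDIUM", addr, "no server_side_encryption block"))
    if rtype == "aws_kms_key" and attr(body, "enable_key_rotation") != "true":
        out.append(Finding("MEDIUM", addr, "enable_key_rotation is not true"))
    if AKIA_RE.search(body) or LITERAL_SECRET_RE.search(body):
        out.append(Finding("HIGH", addr, "credential literal in code; use a vault or a variable"))
    return out

def audit(text: str) -> List[Finding]:
    # HIGH first; input order is kept within a severity because sorted() is stable
    found = [f for blk in parse_blocks(text) for f in check_block(*blk)]
    return sorted(found, key=lambda f: SEVERITY_RANK[f.severity])

def should_block(findings: List[Finding]) -> bool:
    # The merge gate this page recommends: any HIGH finding blocks the PR
    return any(f.severity == "HIGH" for f in findings)
```

audit(SAMPLE_TF) returns five findings, three HIGH and two MEDIUM. The 443 rule is deliberately not flagged: a public HTTPS listener is not a misconfiguration in itself, and a scanner that reports every 0.0.0.0/0 produces noise that gets ignored. A protocol of "-1" (all traffic) is treated as sensitive regardless of port, and port values that are not literals (for example var.ssh_port) are left to the -1 rule rather than guessed.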

✅ Recommended Fixes

Example fix for open SSH access (restrict the source to a known range instead of 0.0.0.0/0):

resource "aws_security_group" "ec2_sg" {
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    # Replace with your bastion or VPN egress range; keep it a /32 or a small CIDR.
    cidr_blocks = ["<YOUR_TRUSTED_IP>/32"]
  }
}

Example fix for DynamoDB encryption. DynamoDB tables are encrypted at rest by default with an AWS-owned key; setting server_side_encryption with enabled = true moves the table to an AWS managed KMS key, and kms_key_arn selects a customer managed key instead:

resource "aws_dynamodb_table" "example" {
  # ...
  server_side_encryption {
    enabled = true
    # kms_key_arn = aws_kms_key.example.arn  # optional: customer managed key
  }
}

📋 TL;DR Summary

Terracotta’s security assistant:

  • Flags high-risk misconfigurations early in the PR
  • Uses cloud security and compliance best practices
  • Helps enforce org-specific policies
  • Outputs a clear summary of severity, affected files, and fix strategy

Recommended: Block PRs on 🔴 HIGH issues, and review 🟠 MEDIUM with a security lead.


🧰 Tools We Align With

Terracotta aligns its findings with recommendations from tools like:

  • tflint, checkov, tfsec
  • AWS Well-Architected Framework
  • SOC 2 / ISO 27001 security baselines
  • Internal org-specific policies (tagging, naming, secrets hygiene)

Use Terracotta alongside these tools to catch gaps earlier in your Terraform lifecycle.