We’ve all heard the horror stories: a developer pushes a quick Terraform module on Friday afternoon, and wakes up Monday to a $14,000 AWS bill because bots turned their staging environment into a Monero mining cluster.
The terrifying part about AWS security isn't sophisticated zero-day exploits—it’s default misconfigurations.
Before you run terraform apply today, audit your code against these 4 bite-sized security fixes:
## 1. Kill Wildcard (*) IAM Permissions
When you hit a 403 Access Denied error, it’s tempting to "test" with `"Action": "*", "Resource": "*"`. If that policy gets committed, a single vulnerability in the app is enough for an attacker to wipe your whole AWS account.
The Fix: Always hardcode least-privilege API actions and scope down to exact resource ARNs:
```hcl
# Name only the API actions this code path needs, and pin the exact table ARN
Action   = ["dynamodb:GetItem", "dynamodb:Query"]
Resource = "arn:aws:dynamodb:us-east-1:123456789012:table/prod-users"
```
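Here is the same fix carried through to a complete, applyable policy. This is an added example, not code from the original post: it assumes an EC2-hosted app role named `app_server`, and the account id, region and table name in `prod_users_table_arn` are placeholders.

```hcl
# Added example (not from the original post). Placeholder table ARN; replace
# with the real one from your state or a data source.
variable "prod_users_table_arn" {
  description = "ARN of the single table the app may read (placeholder value)"
  type        = string
  default     = "arn:aws:dynamodb:us-east-1:123456789012:table/prod-users"
}

# Trust policy: only EC2 instances can assume the app role (assumed setup).
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app_server" {
  name               = "app-server"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

# Least-privilege permissions: named read actions, one exact resource ARN.
# A leaked credential from this role can read one table and nothing else.
data "aws_iam_policy_document" "app_read_users" {
  statement {
    sid       = "ReadProdUsersTable"
    effect    = "Allow"
    actions   = ["dynamodb:GetItem", "dynamodb:Query"]
    resources = [var.prod_users_table_arn]
  }
}

resource "aws_iam_policy" "app_read_users" {
  name   = "app-read-prod-users"
  policy = data.aws_iam_policy_document.app_read_users.json
}

resource "aws_iam_role_policy_attachment" "app_read_users" {
  role       = aws_iam_role.app_server.name
  policy_arn = aws_iam_policy.app_read_users.arn
}
```

Using `aws_iam_policy_document` instead of a hand-written `jsonencode` map lets Terraform validate the statement shape at plan time, and reviewers see every action and ARN as a literal they can grep for wildcards.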
## 2. Lock Down S3 Buckets Explicitly
Automated scanners enumerate millions of bucket names per hour. If you don't explicitly block public access, your uploads will be discovered and dumped.
The Fix: Always attach an explicit public access block to every bucket:
```hcl
resource "aws_s3_bucket_public_access_block" "lockdown" {
  bucket                  = aws_s3_bucket.app_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```
## 3. Never Open DB Ports to 0.0.0.0/0
Opening port 5432 (PostgreSQL) or 3306 (MySQL) to 0.0.0.0/0 so you can connect your local DB GUI invites automated brute-force bots within 10 minutes.
The Fix: Keep databases in private subnets. Only allow ingress from your app server's Security Group ID:
```hcl
# Reference the app tier's security group, never a CIDR block
source_security_group_id = aws_security_group.app_server_sg.id
```
(Need local GUI access? Use AWS SSM Port Forwarding to tunnel in without open inbound ports.)
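The complete wiring behind that one line, as an added example that is not part of the original post: a database security group whose only ingress rule references the app server's group, and an RDS instance placed in private subnets with `publicly_accessible` forced off. `vpc_id` and `private_subnet_ids` are assumed input variables.

```hcl
# Added example (not from the original post). Assumed inputs: the VPC and a
# list of private subnet ids with no route to an internet gateway.
variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  type = list(string)
}

resource "aws_security_group" "app_server_sg" {
  name        = "app-server-sg"
  description = "Application servers"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "db_sg" {
  name        = "db-sg"
  description = "PostgreSQL, reachable only from app servers"
  vpc_id      = var.vpc_id
}

# Ingress is tied to a source security group, not a CIDR, so no public
# address can ever match it, even if someone later attaches a public IP.
resource "aws_security_group_rule" "db_ingress_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db_sg.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_server_sg.id
  description              = "PostgreSQL from app servers only"
}

# Matching egress on the app side, scoped to the DB group for the same reason.
resource "aws_security_group_rule" "app_egress_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.app_server_sg.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.db_sg.id
  description              = "PostgreSQL to the database tier"
}

resource "aws_db_subnet_group" "private" {
  name       = "app-db-private"
  subnet_ids = var.private_subnet_ids
}

resource "aws_db_instance" "app_db" {
  identifier                  = "app-postgres"
  engine                      = "postgres"
  instance_class              = "db.t4g.micro"
  allocated_storage           = 20
  db_subnet_group_name        = aws_db_subnet_group.private.name
  vpc_security_group_ids      = [aws_security_group.db_sg.id]
  publicly_accessible         = false # no public endpoint, regardless of SG
  storage_encrypted           = true  # scanners flag unencrypted storage too
  manage_master_user_password = true  # password lives in Secrets Manager, not in state or .env
  username                    = "app_admin"
  skip_final_snapshot         = true
}
```

For the local GUI case, an SSM session to an app instance with the `AWS-StartPortForwardingSessionToRemoteHost` document forwards a local port to the RDS endpoint through the app server's existing security group membership; the database never needs an inbound rule for your laptop.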
## 4. Ditch Static CI/CD Access Keys
Stop generating AWS IAM Users with static .env Secret Access Keys for GitHub Actions deployments.
The Fix: Switch to OpenID Connect (OIDC) federation. Let GitHub Actions assume a temporary AWS IAM Role dynamically per run, generating short-lived tokens that expire immediately after deployment.
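What the OIDC side of that looks like in Terraform, as an added example rather than code from the original post: the GitHub identity provider, and a deploy role whose trust policy only accepts tokens whose audience is STS and whose subject is one specific repository and branch. `github_org` and `github_repo` are assumed input variables, and the thumbprint is a placeholder to be replaced with the current value from GitHub's documentation.

```hcl
# Added example (not from the original post).
variable "github_org" {
  type = string
}

variable "github_repo" {
  type = string
}

# GitHub's OIDC issuer. The thumbprint below is a PLACEHOLDER; look up the
# current value before applying.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["0000000000000000000000000000000000000000"]
}

# Trust policy: who may call AssumeRoleWithWebIdentity on the deploy role.
data "aws_iam_policy_document" "github_deploy_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # The token must have been minted for AWS STS...
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # ...and for exactly this repo's main branch. Without the sub condition
    # any GitHub repository in the world could assume the role.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-actions-deploy"
  assume_role_policy   = data.aws_iam_policy_document.github_deploy_trust.json
  max_session_duration = 3600 # credentials die an hour after the run starts
}

# Deploy permissions go on the role as a separate, scoped policy, exactly
# as in fix #1. Shown here as a placeholder-free read-only example.
resource "aws_iam_role_policy_attachment" "github_deploy_readonly" {
  role       = aws_iam_role.github_deploy.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
```

On the workflow side the job needs `permissions: id-token: write` and a step using `aws-actions/configure-aws-credentials` with `role-to-assume` set to the role ARN; no `AWS_SECRET_ACCESS_KEY` is stored anywhere, so there is nothing to leak from a repository secret or a `.env` file.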
## 🛡️ The 5-Second Pre-Commit Check
Catch these footguns automatically before pushing code by running an open-source scanner in your terminal:
```bash
# Instantly flags open SGs, missing crypto, and wildcards
trivy config ./terraform-dir
```
What is your favorite CLI tool for catching cloud infrastructure bugs? Drop it in the comments! 👇 (Hit 🦄 if this reminded you to check your security groups today).