IaC Audit — Find the Problems in Your Terraform Before They Find You
Your Terraform codebase started clean but now has 3,000 lines in a single <code>main.tf</code>, hardcoded AMI IDs, secrets in state files, and modules that nobody understands. We audit your infrastructure as code — whether it is Terraform, Pulumi, or CloudFormation — identify security risks, refactoring opportunities, and operational improvements, then implement the fixes.
What We Audit
Our IaC audit covers four dimensions: security, structure, operations, and cost.
Security: We scan your code with Checkov, tfsec, and KICS to identify misconfigurations — public S3 buckets, overly permissive security groups, unencrypted storage, missing logging, IAM policies that violate least privilege. We also check for secrets in state files, variable defaults, and committed .tfvars files. Every finding includes the specific resource, the risk level, and the fix.
Structure: We evaluate your module architecture, directory layout, naming conventions, and code organization. Common problems include monolithic root modules with hundreds of resources, circular dependencies between modules, inconsistent variable naming, and missing output declarations that force consumers to look up resource attributes manually.
Operations: We review your state management (is it remote? encrypted? locked?), CI/CD pipeline (does it exist? does it run plan? does it require approval?), drift detection (do you know when someone changes things manually?), and documentation (can a new team member understand the codebase?).
Cost: We identify over-provisioned resources, missing auto-scaling, unused Elastic IPs, oversized RDS instances, and other cost optimization opportunities. We run Infracost against your code to establish a baseline and estimate savings from recommended changes.
How the Audit Works
We get read access to your IaC repository and cloud account (read-only IAM role). The audit takes 3-5 business days depending on codebase size. We run automated scanning tools first to establish a baseline of findings, then perform manual review for architectural issues that tools miss.
The deliverable is a prioritized findings report with three tiers: Critical (security vulnerabilities, data exposure risks), Important (operational risks, structural problems that will slow the team), and Recommended (best practices, cost optimizations, code quality improvements). Each finding includes the current state, the risk, the recommended fix, and an estimated effort level.
After delivering the report, we implement the fixes. Critical findings are addressed first, typically within the same engagement. We submit changes as pull requests against your repository with clear descriptions of what changed and why. We do not make changes outside the PR workflow — your team reviews and approves everything.
For large codebases requiring significant refactoring (splitting monolithic modules, migrating state between backends, restructuring directory layouts), we scope the work as a follow-up migration engagement with a clear plan and timeline.
Common Findings We See
After auditing dozens of Terraform codebases, patterns emerge. Here are the most common issues we find:
- Secrets in state — database passwords, API keys, or TLS certificates stored as plaintext in Terraform state. The fix is migrating to <code>aws_secretsmanager_secret</code> or <code>aws_ssm_parameter</code> data sources.
- No state locking — S3 backend without a DynamoDB locking table, allowing concurrent applies that corrupt state. Five-minute fix with huge risk reduction.
- Wildcard IAM policies — <code>"Action": "*"</code> or <code>"Resource": "*"</code> in IAM policies attached to application roles. We scope these down to the minimum required permissions.
- No lifecycle rules — critical databases and S3 buckets without <code>prevent_destroy</code>, one <code>terraform destroy</code> away from data loss.
- Hardcoded values — AMI IDs, instance types, CIDR blocks, and account IDs hardcoded instead of using data sources and variables.
- Orphaned resources — resources in the cloud that are not in Terraform state, and resources in state that no longer exist. State cleanup reduces confusion and plan noise.
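As an added illustration (not code from the page or from any client engagement), the weak form and the corrected form for three of the findings above: the unlocked S3 backend, the missing lifecycle rule, and the wildcard IAM policy. Every bucket, table, region and role name is a placeholder, and <code>aws_iam_role.app</code> stands for an application role assumed to exist elsewhere in the codebase.

```hcl
# Added example (not from the page): the weak form and the fix for three
# findings above. Every bucket, table, region and role name is a placeholder.

# --- No state locking --------------------------------------------------------
# Before: remote state in S3, but two engineers can run apply at the same time.
#   terraform {
#     backend "s3" {
#       bucket = "example-tf-state"
#       key    = "prod/terraform.tfstate"
#       region = "us-east-1"
#     }
#   }
# After: encrypt the state object and take a lock per run in DynamoDB
# (the table needs a String partition key named "LockID").
terraform {
  backend "s3" {
    bucket         = "example-tf-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-tf-state-lock"
  }
}

# --- No lifecycle rules ------------------------------------------------------
# After: a plan that would delete this bucket fails instead of being applied.
resource "aws_s3_bucket" "data" {
  bucket = "example-app-data"

  lifecycle {
    prevent_destroy = true
  }
}

# --- Wildcard IAM policy -----------------------------------------------------
# Before: {"Effect": "Allow", "Action": "*", "Resource": "*"} on the app role.
# After: only the two object actions the application uses, on this bucket only.
data "aws_iam_policy_document" "app" {
  statement {
    sid       = "AppBucketObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${aws_s3_bucket.data.arn}/*"]
  }
}

resource "aws_iam_role_policy" "app" {
  name   = "app-bucket-scoped"
  role   = aws_iam_role.app.id # placeholder: the existing application role
  policy = data.aws_iam_policy_document.app.json
}
```

With <code>prevent_destroy</code> in place, <code>terraform plan -destroy</code> reports an error for the bucket rather than a planned deletion, which is the check to run after adding the rule.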