Terraform security scanning tools - Practice Problems & Coding Challenges

Challenge - 5 Problems

🧠 Conceptual
intermediate
Identify the primary purpose of Terraform security scanning tools

What is the main goal of using security scanning tools with Terraform configurations?

A. To optimize the cost of cloud resources after deployment
B. To automatically deploy infrastructure without manual approval
C. To detect potential security risks and misconfigurations before deployment
D. To monitor real-time network traffic of deployed resources
💡 Hint

Think about what security scanning tools check in code before it runs.

Service behavior
intermediate
Behavior of a Terraform Cloud Sentinel policy when a security rule fails

In Terraform Cloud, Sentinel policies are evaluated after the plan and before the apply. If a hard-mandatory Sentinel policy written to block insecure resource configurations fails against a plan, what happens?

A. The run is blocked and cannot be applied until the configuration is fixed
B. The plan is applied, but a warning is logged
C. The policy failure is ignored and the run proceeds normally
D. The insecure configuration is rewritten automatically
💡 Hint

Sentinel policies enforce rules between plan and apply. The enforcement level decides what a failure means: advisory only warns, soft-mandatory can be overridden by an authorized user, and hard-mandatory stops the run.

Configuration
advanced
Detecting insecure AWS S3 bucket configuration with tfsec

Given the following Terraform snippet, which tfsec finding correctly identifies the public-bucket risk?

Terraform
resource "aws_s3_bucket" "example" {
  bucket = "my-public-bucket"
  acl    = "public-read"
}
A. aws-s3-enable-versioning: Bucket does not have versioning enabled
B. aws-s3-enable-bucket-encryption: Bucket does not have encryption enabled
C. aws-s3-enable-bucket-encryption: Bucket has a public ACL: public-read
D. aws-s3-no-public-access-with-acl: Bucket has a public ACL: public-read
💡 Hint

Look for the tfsec rule that flags public ACLs. A full tfsec run on this snippet also reports the missing versioning and encryption as separate, lower-severity findings; only one option pairs the public-ACL message with the rule that actually produces it. Note that the acl argument on aws_s3_bucket is deprecated since AWS provider 4.0 in favour of the separate aws_s3_bucket_acl resource, so expect the same ACL to be expressed that way in newer code.

Architecture
advanced
Best architecture to integrate Terraform security scanning in CI/CD

Which architecture best integrates Terraform security scanning tools into a CI/CD pipeline to ensure security checks before deployment?

A. Include security scanning as a step after deployment to production
B. Add security scanning as a mandatory step after terraform plan and before apply in the CI/CD pipeline
C. Run security scanning tools only on the completed Terraform apply in production
D. Run security scanning tools as a pre-commit hook on developer machines only
💡 Hint

Think about when security checks should block unsafe changes. Pre-commit hooks give fast feedback but can be skipped on a developer's machine, so the enforcing gate belongs in the pipeline, where a failed scan stops the apply.

security
expert
Identifying the cause of a Terraform security scan failure with Checkov

Given this Terraform resource snippet, which Checkov check fails because of the ingress rule's CIDR?

resource "aws_security_group" "example" {
  name        = "allow_ssh"
  description = "Allow SSH inbound"

  ingress {
    description = "SSH from anywhere"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
A. CKV_AWS_24: Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
B. CKV_AWS_25: Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389
C. CKV_AWS_260: Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
D. CKV_AWS_23: Ensure every security group and rule has a description
💡 Hint

Which check warns about SSH (port 22) open to the whole internet? Both the group and its rule carry a description, so the description check passes. A standalone group like this one may additionally trip Checkov's graph check CKV2_AWS_5 (security group not attached to any resource), which is unrelated to the CIDR.

Practice

1. What is the main purpose of Terraform security scanning tools like tfsec?
easy
A. To monitor cloud resource usage costs
B. To deploy Terraform infrastructure automatically
C. To write Terraform code faster with autocomplete
D. To find security risks in Terraform code before deployment

Solution

  1. Step 1: Understand Terraform security scanning tools

    These tools analyze Terraform code to detect potential security issues early.
  2. Step 2: Compare options with tool purpose

    Only option D, finding security risks in Terraform code before deployment, matches that purpose; the other options describe cost monitoring, deployment, and editor tooling.
  3. Final Answer:

    To find security risks in Terraform code before deployment -> Option D
  4. Quick Check:

    Security scanning = find risks [OK]
Hint: Security tools find risks in code before cloud setup [OK]
Common Mistakes:
  • Confusing scanning tools with deployment tools
  • Thinking scanning tools write code
  • Assuming scanning tools track costs
2. Which command correctly runs tfsec to scan your Terraform project in the current folder?
easy
A. tfsec scan terraform
B. terraform scan
C. tfsec .
D. terraform tfsec run

Solution

  1. Step 1: Recall tfsec usage syntax

    tfsec takes the directory to scan as its argument; a dot means the current directory. (With no argument at all, tfsec also defaults to the current directory, but the explicit dot is the form used throughout this page.)
  2. Step 2: Match command to syntax

    Only tfsec . correctly runs tfsec on the current directory.
  3. Final Answer:

    tfsec . -> Option C
  4. Quick Check:

    Run tfsec with folder path, dot means current folder [OK]
Hint: Run tfsec with dot for current folder scan [OK]
Common Mistakes:
  • Using terraform commands instead of tfsec
  • Adding extra words like 'scan' or 'run'
  • Not specifying folder or using wrong syntax
3. Given this tfsec output snippet:
Warning: AWS S3 bucket is publicly accessible
  File: main.tf:12
  Severity: HIGH

What does this output mean?
medium
A. The S3 bucket in main.tf line 12 allows public access, which is risky
B. The S3 bucket is encrypted and secure
C. The S3 bucket is missing from the Terraform code
D. The S3 bucket is private and safe

Solution

  1. Step 1: Interpret tfsec warning message

    The warning says the S3 bucket is publicly accessible, which means anyone can access it.
  2. Step 2: Understand security implication

    Public access to S3 buckets is a high-risk security issue, so this is a warning to fix it.
  3. Final Answer:

    The S3 bucket in main.tf line 12 allows public access, which is risky -> Option A
  4. Quick Check:

    Public access warning = risky bucket [OK]
Hint: Warnings show risky settings like public access [OK]
Common Mistakes:
  • Thinking warning means bucket is secure
  • Confusing missing resource with public access
  • Ignoring file and line number details
4. You ran tfsec . but got an error: command not found: tfsec. What is the most likely fix?
medium
A. Run terraform init first
B. Install tfsec on your system and ensure it's in your PATH
C. Change directory to the Terraform root folder
D. Update Terraform version to latest

Solution

  1. Step 1: Understand the error meaning

    The error means the system cannot find the tfsec command, so it is not installed or not accessible.
  2. Step 2: Fix by installing tfsec and adding to PATH

    Installing tfsec (for example with Homebrew, brew install tfsec, or by downloading a release binary from the project's GitHub releases page) and making sure the binary is on the PATH fixes this error. Running terraform init, changing directory, or upgrading Terraform does nothing for a missing tfsec binary.
  3. Final Answer:

    Install tfsec on your system and ensure it's in your PATH -> Option B
  4. Quick Check:

    Command not found = install tool [OK]
Hint: Install tfsec if command not found error appears [OK]
Common Mistakes:
  • Running terraform commands instead of installing tfsec
  • Assuming directory change fixes command not found
  • Updating Terraform version unrelated to tfsec error
5. You want to automate security scanning in your CI pipeline using tfsec. Which approach best ensures security issues are caught before deployment?
hard
A. Run tfsec . before Terraform apply and fail pipeline on warnings
B. Run tfsec . after Terraform apply to check deployed resources
C. Run terraform plan and ignore tfsec
D. Run tfsec . only on production branch merges

Solution

  1. Step 1: Understand when to run security scans

    Security scanning should happen before deployment to catch issues early.
  2. Step 2: Choose pipeline behavior to enforce security

    tfsec exits with a non-zero status whenever at least one check fails, so an unhandled tfsec . step fails the job by itself. Set the gate deliberately: --minimum-severity controls which findings count, and --soft-fail turns the run into a report-only step that never blocks (use it only for advisory scans). Failing the pipeline on findings ensures no risky code is deployed.
  3. Step 3: Evaluate other options

    Running after apply is too late; ignoring tfsec misses risks; scanning only production branch misses early detection.
  4. Final Answer:

    Run tfsec . before Terraform apply and fail pipeline on warnings -> Option A
  5. Quick Check:

    Scan before deploy and fail on warnings [OK]
Hint: Scan before deploy and fail on warnings to block risks [OK]
Common Mistakes:
  • Running scans after deployment
  • Ignoring tfsec in pipeline
  • Scanning only production branch too late
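As an added example (not code from this page, from tfsec or from Checkov), here is the gate step that option B of challenge question 4 and option A of this question describe, as a Python script a CI job would run between terraform plan and apply: it invokes both scanners with their JSON output, normalises the two layouts into one list of findings, and fails the job when any finding is at or above a chosen severity. The field names it reads (tfsec's results[].rule_id, severity and location; Checkov's results.failed_checks[].check_id and file_line_range) are assumptions about the two tools' JSON formats, the HIGH default given to Checkov findings is a policy choice of this script, and the two embedded sample outputs are constructed rather than captured from real runs.

```python
"""ci_gate.py: run tfsec and Checkov on a Terraform directory, normalise their JSON
output and exit non-zero when any finding is at or above a severity threshold.

Added example for this page, not tfsec's or Checkov's own code. The JSON field names
read below are assumptions about the tools' output layouts (tfsec --format json,
checkov -o json); the sample outputs at the bottom are constructed, not captured."""
import json
import subprocess
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumption: open-source Checkov reports severity as null (severities come from the
# Prisma Cloud platform), so this gate treats a failed Checkov check as HIGH.
CHECKOV_DEFAULT_SEVERITY = "HIGH"


def parse_tfsec(json_text):
    """Assumed tfsec layout: {"results": [{"rule_id", "severity", "resource",
    "description", "location": {"filename", "start_line"}}]}; results is null when clean."""
    findings = []
    for r in json.loads(json_text).get("results") or []:
        loc = r.get("location", {})
        findings.append({
            "tool": "tfsec",
            "rule_id": r["rule_id"],
            "severity": str(r.get("severity", "")).upper(),
            "resource": r.get("resource", ""),
            "where": f"{loc.get('filename', '?')}:{loc.get('start_line', '?')}",
            "message": r.get("description", ""),
        })
    return findings


def parse_checkov(json_text):
    """Assumed Checkov layout: one report dict with results.failed_checks[], or a list
    of such reports when more than one framework was scanned."""
    data = json.loads(json_text)
    findings = []
    for report_obj in (data if isinstance(data, list) else [data]):
        for c in report_obj.get("results", {}).get("failed_checks", []):
            first_line = (c.get("file_line_range") or ["?"])[0]
            findings.append({
                "tool": "checkov",
                "rule_id": c["check_id"],
                "severity": str(c.get("severity") or CHECKOV_DEFAULT_SEVERITY).upper(),
                "resource": c.get("resource", ""),
                "where": f"{c.get('file_path', '?')}:{first_line}",
                "message": c.get("check_name", ""),
            })
    return findings


def blocking(findings, min_severity="HIGH"):
    """Findings that must stop the pipeline. Unknown severities fail closed (they block)."""
    floor = SEVERITY_RANK[min_severity.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], floor) >= floor]


def run_scanner(cmd):
    """Both tools exit non-zero when they find something, so the exit code is not used as
    the pass/fail signal here; the JSON on stdout is."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def scan_directory(path):
    tfsec_out = run_scanner(["tfsec", path, "--format", "json", "--no-colour"])
    checkov_out = run_scanner(["checkov", "-d", path, "--framework", "terraform",
                               "-o", "json", "--quiet"])
    return parse_tfsec(tfsec_out) + parse_checkov(checkov_out)


def report(findings, min_severity):
    """Print the blocking findings, most severe first; return the process exit code."""
    blockers = blocking(findings, min_severity)
    for f in sorted(blockers, key=lambda f: -SEVERITY_RANK.get(f["severity"], 99)):
        print(f"{f['tool']:8}{f['severity']:9}{f['rule_id']:38}{f['resource']}  ({f['where']})")
    print(f"{len(findings)} finding(s), {len(blockers)} at or above {min_severity}")
    return 1 if blockers else 0


# Constructed sample outputs so the gate logic can be exercised without the tools installed.
SAMPLE_TFSEC = json.dumps({"results": [
    {"rule_id": "aws-s3-no-public-access-with-acl", "severity": "CRITICAL",
     "resource": "aws_s3_bucket.example", "description": "Bucket has a public ACL: public-read.",
     "location": {"filename": "main.tf", "start_line": 3, "end_line": 3}},
    {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM",
     "resource": "aws_s3_bucket.example", "description": "Bucket does not have versioning enabled",
     "location": {"filename": "main.tf", "start_line": 1, "end_line": 4}},
]})
SAMPLE_CHECKOV = json.dumps({"check_type": "terraform", "results": {"passed_checks": [], "failed_checks": [
    {"check_id": "CKV_AWS_24", "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
     "resource": "aws_security_group.example", "file_path": "/main.tf", "file_line_range": [6, 16],
     "severity": None},
]}})


if __name__ == "__main__":
    # Usage: python ci_gate.py <terraform-dir> [MIN_SEVERITY]; --demo uses the constructed samples.
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    if len(sys.argv) > 1 and sys.argv[1] != "--demo":
        found = scan_directory(sys.argv[1])
    else:
        found = parse_tfsec(SAMPLE_TFSEC) + parse_checkov(SAMPLE_CHECKOV)
    sys.exit(report(found, threshold))
```

In a pipeline the step is simply python ci_gate.py . HIGH after terraform plan and before terraform apply; a non-zero exit stops the job. The decision is taken from the parsed JSON rather than from the scanners' own exit codes so that one threshold applies to both tools, and anything with a severity the script does not recognise blocks rather than slips through.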