
Terraform security scanning tools - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1 (Conceptual, intermediate)
Identify the primary purpose of Terraform security scanning tools

What is the main goal of using security scanning tools with Terraform configurations?

A. To optimize the cost of cloud resources after deployment
B. To automatically deploy infrastructure without manual approval
C. To detect potential security risks and misconfigurations before deployment
D. To monitor real-time network traffic of deployed resources
💡 Hint

Think about what security scanning tools check in code before it runs.

Problem 2 (Service behavior, intermediate)
Behavior of Terraform Sentinel policy when a security rule fails

In Terraform Cloud, if a Sentinel policy designed to block insecure resource configurations fails during a plan, what happens?

A. The Terraform plan is blocked and cannot be applied until the issue is fixed
B. The Terraform plan is applied but logs a warning message
C. The Terraform plan ignores the Sentinel policy and proceeds normally
D. The Terraform plan automatically fixes the insecure configuration
💡 Hint

Sentinel policies enforce rules before changes happen.

Problem 3 (Configuration, advanced)
Detecting insecure AWS S3 bucket configuration with tfsec

Given the following Terraform snippet, which tfsec command output correctly identifies a public S3 bucket risk?

resource "aws_s3_bucket" "example" {
  bucket = "my-public-bucket"
  acl    = "public-read"
}
A. INFO: aws-s3-bucket-versioning: Bucket 'my-public-bucket' does not have versioning enabled
B. ERROR: aws-s3-enable-bucket-encryption: Bucket 'my-public-bucket' does not have encryption enabled
C. WARNING: aws-s3-enable-bucket-encryption: Bucket 'my-public-bucket' has public read ACL, which is insecure
D. WARNING: aws-s3-public-read-prohibited: Bucket 'my-public-bucket' has public read ACL, which is insecure
💡 Hint

Look for the tfsec rule that warns about public read ACLs.

Problem 4 (Architecture, advanced)
Best architecture to integrate Terraform security scanning in CI/CD

Which architecture best integrates Terraform security scanning tools into a CI/CD pipeline to ensure security checks before deployment?

A. Include security scanning as a step after deployment to production
B. Add security scanning as a mandatory step after Terraform plan and before apply in the CI/CD pipeline
C. Run security scanning tools only on completed Terraform apply in production
D. Run security scanning tools as a pre-commit hook on developer machines only
💡 Hint

Think about when security checks should block unsafe changes.

Problem 5 (Security, expert)
Identifying the cause of a Terraform security scan failure with Checkov

Given this Terraform resource snippet, which Checkov rule failure explains why the scan fails?

resource "aws_security_group" "example" {
  name        = "allow_ssh"
  description = "Allow SSH inbound"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
A. CKV_AWS_21: Security group allows ingress from 0.0.0.0/0 on port 22 (SSH) which is insecure
B. CKV_AWS_52: Security group missing egress rules, blocking all outbound traffic
C. CKV_AWS_70: Security group has no tags defined for resource tracking
D. CKV_AWS_99: Security group uses deprecated protocol type
💡 Hint

Which rule warns about open SSH access from anywhere?