
Why security matters in IaC in Terraform - Test Your Understanding

Practice - 5 Tasks
Answer the questions below
1. Fill in the blank (easy)

Complete the code to define a secure AWS S3 bucket with versioning enabled.

Terraform
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-secure-bucket"
  versioning {
    enabled = [1]
  }
}
A. true
B. false
C. null
D. enabled
Common Mistakes
Setting versioning to false disables protection: overwritten or deleted objects cannot be recovered.
Quoting the value (enabled = "true") is accepted by Terraform's automatic type conversion, but the idiomatic form is the bare boolean true.
On AWS provider v4 and later the inline versioning block is deprecated; use a separate aws_s3_bucket_versioning resource instead.
2. Fill in the blank (medium)

Complete the code to restrict public access to the S3 bucket.

Terraform
resource "aws_s3_bucket_public_access_block" "block_public" {
  bucket = aws_s3_bucket.my_bucket.id
  [1] = true
}
A. block_public_acls
B. allow_public_acls
C. enable_public_access
D. public_access_blocked
Common Mistakes
'allow_public_acls' is not an attribute of this resource at all; the only settings are block_public_acls, block_public_policy, ignore_public_acls and restrict_public_buckets, and the secure value for each is true.
Using an attribute name the provider does not know fails at terraform validate/plan, not at deployment.
Setting only block_public_acls is not enough: the other three flags default to false, so a bucket policy can still grant public access until block_public_policy and restrict_public_buckets are also true.
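Worked example, added here and not part of the quiz: the controls from tasks 1 and 2 written as a complete module for AWS provider v4 or later, where versioning is its own resource, all four public-access-block flags are set, ACLs are disabled through ownership controls, and default encryption at rest is turned on. The bucket name is an assumption and must be globally unique.

```hcl
# Added example (not quiz code). Assumes AWS provider >= 4.0 and an
# assumed, globally unique bucket name.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-secure-bucket" # assumed name
}

# Versioning is a separate resource in provider v4+; the inline
# versioning block inside aws_s3_bucket is deprecated.
resource "aws_s3_bucket_versioning" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# All four flags must be true: each one defaults to false, so setting
# block_public_acls alone still allows a public bucket policy.
resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket                  = aws_s3_bucket.my_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# BucketOwnerEnforced disables ACLs entirely, so access is governed
# only by IAM and the bucket policy.
resource "aws_s3_bucket_ownership_controls" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Default encryption at rest with an S3-managed key (SSE-S3).
resource "aws_s3_bucket_server_side_encryption_configuration" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```

Run terraform validate before plan: the provider rejects unknown attribute names there, which is how the distractor options in task 2 would actually fail.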
3. Fill in the blank (hard)

Complete the code to create an IAM policy that denies all S3 actions.

Terraform
data "aws_iam_policy_document" "s3_deny_policy" {
  statement {
    effect = "Deny"
    actions = ["[1]"]
    resources = ["*"]
  }
}
A. s3:GetObject
B. s3:PutObject
C. s3:ListBucket
D. s3:*
Common Mistakes
Denying only 's3:GetObject' does not restrict other actions; 's3:*' is the wildcard that covers every S3 action, and an explicit Deny overrides any Allow that grants it.
Using 's3:PutObject' denies only uploads, not all actions.
The data source only renders JSON; the Deny takes effect once the document is attached to a principal through aws_iam_policy, or, with a principals block added, used as a bucket policy.
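Worked example, added here and not part of the quiz: the Deny statement from task 3 used as a bucket policy that refuses any S3 call made without TLS. This deliberately goes beyond the task in two ways: a resource-based policy must say who it applies to, so a principals block is added, and a condition on aws:SecureTransport turns the deny into a guardrail instead of a blanket block. The bucket name is an assumption.

```hcl
# Added example (not quiz code). Assumes AWS provider >= 4.0 and an
# assumed bucket name.
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-secure-bucket" # assumed name
}

data "aws_iam_policy_document" "deny_insecure_transport" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"] # every S3 action, as in task 3

    # Both the bucket itself (for ListBucket) and its objects.
    resources = [
      aws_s3_bucket.my_bucket.arn,
      "${aws_s3_bucket.my_bucket.arn}/*",
    ]

    # Required for a bucket policy: applies to every caller.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Only deny when the request was not made over TLS.
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "deny_insecure_transport" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.deny_insecure_transport.json
}
```

Without the condition this policy denies all S3 access to the bucket for everyone, including the account that created it, which is the behaviour the bare quiz statement describes.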
4. Fill in the blanks (hard)

Fill both blanks to create a secure security group allowing only SSH from a specific IP.

Terraform
resource "aws_security_group" "ssh_access" {
  name        = "ssh_access"
  description = "Allow SSH only from office"

  ingress {
    from_port   = [1]
    to_port     = [2]
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/32"]
  }
}
A. 22
B. 80
C. 443
D. 3389
Common Mistakes
Using port 80 or 443 allows web traffic, not SSH; 3389 is RDP.
Using different from_port and to_port values opens a range of ports instead of the single SSH port.
Widening cidr_blocks to 0.0.0.0/0 exposes SSH to the whole internet; a /32 pins it to one address.
With no egress block, Terraform removes AWS's default allow-all egress rule, so add an explicit egress rule if the host needs outbound access.
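Worked example, added here and not part of the quiz: the security group from task 4 with the allowed address taken from a variable whose validation rejects anything that is not a single /32, plus an explicit outbound rule because Terraform drops the default egress. It uses the stand-alone rule resources from AWS provider 5.x rather than inline ingress blocks; the vpc_id variable and the default office address (a TEST-NET-3 documentation address) are assumptions.

```hcl
# Added example (not quiz code). Assumes AWS provider >= 5.0, a VPC id
# supplied by the caller, and an assumed office address.
variable "vpc_id" {
  description = "VPC the security group belongs to"
  type        = string
}

variable "office_cidr" {
  description = "Single address allowed to reach SSH, as a /32"
  type        = string
  default     = "203.0.113.0/32" # assumed; documentation range

  # Reject malformed input and anything wider than one host.
  validation {
    condition     = can(cidrhost(var.office_cidr, 0)) && can(regex("/32$", var.office_cidr))
    error_message = "office_cidr must be a valid IPv4 CIDR ending in /32."
  }
}

resource "aws_security_group" "ssh_access" {
  name        = "ssh_access"
  description = "Allow SSH only from office"
  vpc_id      = var.vpc_id
}

# from_port and to_port are both 22: one port, not a range.
resource "aws_vpc_security_group_ingress_rule" "ssh_from_office" {
  security_group_id = aws_security_group.ssh_access.id
  description       = "SSH from office"
  cidr_ipv4         = var.office_cidr
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# Terraform removes the implicit allow-all egress; re-add only what
# the host needs (here HTTPS for package updates).
resource "aws_vpc_security_group_egress_rule" "https_out" {
  security_group_id = aws_security_group.ssh_access.id
  description       = "Outbound HTTPS"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

The validation runs at plan time, so a reviewer who sets office_cidr to 0.0.0.0/0 or 10.0.0.0/8 gets the error before any change is applied.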
5. Fill in the blanks (hard)

Fill all three blanks to define an IAM role with a trust policy for EC2 and attach a read-only policy.

Terraform
resource "aws_iam_role" "ec2_role" {
  name = "ec2_read_only_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Principal = { Service = "[1]" },
      Action = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "attach_read_only" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "[2]"
  depends_on = [aws_iam_role.ec2_role]
}

resource "aws_iam_policy" "read_only_policy" {
  name        = "ReadOnlyAccessCustom"
  description = "Custom read-only policy"
  policy      = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Action = ["[3]"],
      Resource = "*"
    }]
  })
}
A. ec2.amazonaws.com
B. arn:aws:iam::aws:policy/ReadOnlyAccess
C. s3:GetObject
D. lambda.amazonaws.com
Common Mistakes
Using 'lambda.amazonaws.com' as the trusted service lets Lambda functions assume the role instead of EC2 instances.
Using an incorrect policy ARN fails at apply time; the custom policy in this snippet is declared but never attached, so it grants nothing until an attachment references aws_iam_policy.read_only_policy.arn.
Using write or full-access actions instead of read-only ones; note that the AWS-managed ReadOnlyAccess policy itself is broad (it reads data across almost every service), so a real workload should get a custom policy scoped to the resources it needs.
The depends_on on the attachment is redundant: referencing aws_iam_role.ec2_role.name already creates that dependency.
An EC2 instance takes on a role through an aws_iam_instance_profile; the role alone cannot be attached to an instance.
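Worked example, added here and not part of the quiz: the role from task 5 built with a policy-document data source for the EC2 trust policy, a custom read-only policy that is actually attached and scoped to one bucket instead of the account-wide ReadOnlyAccess, and the instance profile an EC2 instance needs to assume the role. The bucket name is an assumption.

```hcl
# Added example (not quiz code). Assumes AWS provider >= 4.0 and an
# assumed bucket name supplied through a variable.
variable "bucket_name" {
  description = "Bucket the instance may read from"
  type        = string
  default     = "my-secure-bucket" # assumed name
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2_role" {
  name               = "ec2_read_only_role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Least privilege: list and read one bucket, nothing else. ListBucket
# is a bucket-level action, GetObject an object-level one, so the two
# need different resource ARNs.
data "aws_iam_policy_document" "bucket_read_only" {
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
  }
  statement {
    sid       = "GetObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/*"]
  }
}

resource "aws_iam_policy" "bucket_read_only" {
  name        = "ReadOnlyAccessCustom"
  description = "Read-only access to one bucket"
  policy      = data.aws_iam_policy_document.bucket_read_only.json
}

# The attachment references the role and the policy, so no depends_on
# is needed; Terraform orders them from these references.
resource "aws_iam_role_policy_attachment" "attach_read_only" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = aws_iam_policy.bucket_read_only.arn
}

# An instance is launched with an instance profile, which wraps the role.
resource "aws_iam_instance_profile" "ec2_role" {
  name = "ec2_read_only_profile"
  role = aws_iam_role.ec2_role.name
}
```

If the workload genuinely needs the AWS-managed ReadOnlyAccess policy, attach it with policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" as in the quiz, but treat that as a conscious widening of scope rather than the default.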