
Why security matters in IaC in Terraform - Test Your Understanding

Practice - 5 Tasks
1. Fill in the blank
easy

Complete the code to define a secure AWS S3 bucket with versioning enabled.

Terraform
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-secure-bucket"
  versioning {
    enabled = [1]
  }
}
A. true
B. false
C. null
D. enabled
Common Mistakes:
  • Setting versioning to false disables protection.
  • Using 'enabled' as a string causes errors.
2. Fill in the blank
medium

Complete the code to restrict public access to the S3 bucket.

Terraform
resource "aws_s3_bucket_public_access_block" "block_public" {
  bucket = aws_s3_bucket.my_bucket.id
  [1] = true
}
A. block_public_acls
B. allow_public_acls
C. enable_public_access
D. public_access_blocked
Common Mistakes:
  • Using 'allow_public_acls' enables public access, which is insecure.
  • Using incorrect attribute names causes deployment errors.
3. Fill in the blank
hard

Complete the code to create an IAM policy that denies all S3 actions.

Terraform
data "aws_iam_policy_document" "s3_deny_policy" {
  statement {
    effect = "Deny"
    actions = ["[1]"]
    resources = ["*"]
  }
}
A. "s3:GetObject"
B. "s3:PutObject"
C. "s3:ListBucket"
D. "s3:*"
Common Mistakes:
  • Denying only 's3:GetObject' does not restrict other actions.
  • Using 's3:PutObject' denies only upload, not all actions.
4. Fill in the blanks
hard

Fill both blanks to create a secure security group allowing only SSH from a specific IP.

Terraform
resource "aws_security_group" "ssh_access" {
  name        = "ssh_access"
  description = "Allow SSH only from office"

  ingress {
    from_port   = [1]
    to_port     = [2]
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/32"]
  }
}
A. 22
B. 80
C. 443
D. 3389
Common Mistakes:
  • Using port 80 or 443 allows web traffic, not SSH.
  • Using different from_port and to_port values opens a range.
5. Fill in the blanks
hard

Fill all three blanks to define an IAM role with a trust policy for EC2 and attach a read-only policy.

Terraform
resource "aws_iam_role" "ec2_role" {
  name = "ec2_read_only_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Principal = { Service = "[1]" },
      Action = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "attach_read_only" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "[2]"
  depends_on = [aws_iam_role.ec2_role]
}

resource "aws_iam_policy" "read_only_policy" {
  name        = "ReadOnlyAccessCustom"
  description = "Custom read-only policy"
  policy      = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Effect = "Allow",
      Action = ["[3]"],
      Resource = "*"
    }]
  })
}
A. ec2.amazonaws.com
B. arn:aws:iam::aws:policy/ReadOnlyAccess
C. s3:GetObject
D. lambda.amazonaws.com
Common Mistakes:
  • Using 'lambda.amazonaws.com' instead of the EC2 service principal.
  • Using an incorrect policy ARN or a custom policy name where the ARN is expected.
  • Using write or full-access actions instead of read-only ones.

Practice

1. Why is security important when using Infrastructure as Code (IaC) like Terraform?
easy
A. It allows anyone to change infrastructure without review.
B. It makes the code run faster.
C. It helps prevent unauthorized access and mistakes early.
D. It reduces the cost of cloud resources automatically.

Solution

  1. Step 1: Understand the role of security in IaC and compare options

    Security in IaC is designed to stop unauthorized access and prevent mistakes before they affect the infrastructure. Only "It helps prevent unauthorized access and mistakes early." correctly states the importance of security in preventing bad access and errors early.
  2. Final Answer:

    It helps prevent unauthorized access and mistakes early. -> Option C
  3. Quick Check:

    Security importance = Prevent unauthorized access [OK]
Hint: Security in IaC stops bad access and mistakes early [OK]
Common Mistakes:
  • Thinking security only improves speed
  • Believing security reduces costs automatically
  • Assuming security allows open access
2. Which Terraform code snippet correctly restricts access to a resource using a security group rule?
easy
A. resource "aws_security_group_rule" "allow_ssh" {
     type        = "ingress"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["192.168.1.0/24"]
   }
B. resource "aws_security_group_rule" "allow_ssh" {
     type        = "egress"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["192.168.1.0/24"]
   }
C. resource "aws_security_group_rule" "allow_ssh" {
     type        = "ingress"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["0.0.0.0/0"]
   }
D. resource "aws_security_group_rule" "allow_ssh" {
     type        = "ingress"
     from_port   = 80
     to_port     = 80
     protocol    = "tcp"
     cidr_blocks = ["192.168.1.0/24"]
   }

Solution

  1. Step 1: Identify the correct rule type, port for SSH access, and restricted CIDR

    SSH uses TCP port 22 and requires an ingress rule to allow incoming connections. Option A uses ingress, port 22, and restricts access to the 192.168.1.0/24 network, which is a limited range.
  2. Final Answer:

    Ingress rule allowing TCP port 22 from 192.168.1.0/24 -> Option A
  3. Quick Check:

    Correct port and restricted CIDR = Option A [OK]
Hint: SSH needs ingress on port 22 with limited CIDR [OK]
Common Mistakes:
  • Using egress instead of ingress for incoming access
  • Allowing open access with 0.0.0.0/0
  • Using wrong port like 80 for SSH
3. Given this Terraform snippet, what is the security risk?
resource "aws_s3_bucket" "example" {
  bucket = "my-secure-bucket"
  acl    = "public-read"
}
medium
A. The bucket allows public read access, risking data exposure.
B. The bucket is private and secure.
C. The bucket has no encryption enabled.
D. The bucket name is invalid.

Solution

  1. Step 1: Understand the meaning of 'acl = "public-read"' and evaluate options

    This setting allows anyone on the internet to read the bucket contents, which is a security risk. "The bucket allows public read access, risking data exposure." correctly identifies the risk of public read access exposing data.
  2. Final Answer:

    The bucket allows public read access, risking data exposure. -> Option A
  3. Quick Check:

    Public-read ACL = Data exposure risk [OK]
Hint: Public-read ACL means open access to bucket data [OK]
Common Mistakes:
  • Assuming public-read means private
  • Ignoring encryption as the main risk here
  • Thinking bucket name causes security issues
4. This Terraform code has a security issue. What is it?
resource "aws_security_group_rule" "allow_all" {
  type        = "ingress"
  from_port   = 0
  to_port     = 65535
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]
}
medium
A. It only allows traffic on port 22.
B. It allows all inbound traffic from anywhere, which is unsafe.
C. It blocks all traffic, causing connectivity issues.
D. It uses an invalid protocol value.

Solution

  1. Step 1: Analyze the rule's port/protocol settings and CIDR block

    From port 0 to 65535 with protocol "-1" means all ports and all protocols are allowed. Allowing 0.0.0.0/0 means any IP address can access all ports, which is a major security risk.
  2. Final Answer:

    It allows all inbound traffic from anywhere, which is unsafe. -> Option B
  3. Quick Check:

    Open all ports to all IPs = Unsafe [OK]
Hint: Allowing 0.0.0.0/0 on all ports is unsafe [OK]
Common Mistakes:
  • Thinking it blocks traffic instead of allowing all
  • Assuming only port 22 is allowed
  • Believing protocol "-1" is invalid
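As an added example (not part of the quiz), the checks behind questions 3 and 4 written as a small Python audit over the JSON that `terraform show -json tfplan` emits, following its real `planned_values.root_module.resources` layout. The plan document is constructed inline from the quiz snippets plus the security group from Task 4, and the audit covers both standalone `aws_security_group_rule` resources and inline `ingress` blocks.

```python
import json
from typing import Any, Dict, List

# Constructed sample in the shape `terraform show -json tfplan` emits
# (planned_values.root_module.resources), populated with the quiz snippets.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group_rule.allow_all", "type": "aws_security_group_rule",
     "values": {"type": "ingress", "from_port": 0, "to_port": 65535,
                "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}},
    {"address": "aws_security_group_rule.allow_ssh", "type": "aws_security_group_rule",
     "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                "protocol": "tcp", "cidr_blocks": ["192.168.1.0/24"]}},
    {"address": "aws_security_group.ssh_access", "type": "aws_security_group",
     "values": {"name": "ssh_access", "ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp",
          "cidr_blocks": ["203.0.113.0/32"]}]}},
    {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
     "values": {"bucket": "my-secure-bucket", "acl": "public-read"}},
]}}})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}          # "anyone on the internet"
PUBLIC_ACLS = {"public-read", "public-read-write"}


def ingress_rules(res: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Normalise both ways of declaring ingress (standalone rule or inline block)."""
    if res["type"] == "aws_security_group_rule":
        return [res["values"]] if res["values"].get("type") == "ingress" else []
    if res["type"] == "aws_security_group":
        return res["values"].get("ingress") or []
    return []


def audit_plan(plan_json: str) -> List[str]:
    """Return one finding per risky setting in a Terraform plan JSON document."""
    findings: List[str] = []
    for res in json.loads(plan_json)["planned_values"]["root_module"]["resources"]:
        addr = res["address"]
        for rule in ingress_rules(res):
            open_cidrs = OPEN_CIDRS.intersection(rule.get("cidr_blocks") or [])
            if open_cidrs:
                findings.append(f"{addr}: ingress open to {sorted(open_cidrs)}")
            if str(rule.get("protocol")) == "-1":   # -1 = every protocol, every port
                findings.append(f"{addr}: ingress allows every protocol and port")
        if res["type"] == "aws_s3_bucket" and res["values"].get("acl") in PUBLIC_ACLS:
            findings.append(f"{addr}: ACL '{res['values']['acl']}' makes objects public")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_plan(SAMPLE_PLAN)))
```

The restricted rules (allow_ssh and the Task 4 security group) produce no findings; only the open rule and the public-read bucket are reported.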
5. You want to secure your Terraform-managed infrastructure by limiting access only to your office IP range 203.0.113.0/24. Which approach best follows security best practices?
hard
A. Set all security group ingress rules to allow 0.0.0.0/0 for simplicity.
B. Allow access from any IP but require a strong password.
C. Disable all security groups to avoid misconfiguration.
D. Use specific CIDR blocks like 203.0.113.0/24 in ingress rules and review regularly.

Solution

  1. Step 1: Identify the best way to restrict access and consider ongoing practices

    Limiting access to a specific IP range reduces exposure and follows the principle of least privilege. Regularly reviewing and testing security settings ensures they remain effective and updated.
  2. Final Answer:

    Use specific CIDR blocks like 203.0.113.0/24 in ingress rules and review regularly. -> Option D
  3. Quick Check:

    Restrict access + regular review = Best practice [OK]
Hint: Limit access by CIDR and review often [OK]
Common Mistakes:
  • Allowing open access for simplicity
  • Disabling security groups entirely
  • Relying only on passwords without network restrictions