๐งฑ Terraform Top 10 Misconfigurations
Intro: Terraform problems are rarely โTerraform problems.โ They are usually cloud security mistakes that became repeatable, scalable, and easy to redeploy. That is why misconfigurations in Terraform deserve their own treatment.
What this page includes
- top 10 repeated Terraform security failures
- why they matter
- short remediation notes
| # | Misconfiguration | Why it matters | Short fix |
|---|---|---|---|
| 1 | Hardcoded secrets or tokens in variables or files | Secrets leak into repos, state, and logs | Move to secret managers and sensitive inputs |
| 2 | Remote state not protected | State can expose sensitive values and be tampered with | Use secured remote backend with locking and strict IAM |
| 3 | Overbroad IAM in modules | One bad module pattern spreads everywhere | Create reviewed module baselines and policy checks |
| 4 | Public exposure by default in network modules | Scales internet-facing mistakes rapidly | Require explicit justification for public resources |
| 5 | No policy checks in CI | Drift and risky patterns merge too easily | Add Checkov / Conftest / Sentinel / native policy gates |
| 6 | No plan review discipline | Dangerous changes land without human context | Require plan artifacts and peer review for sensitive changes |
| 7 | Excessive use of admin roles for automation | Automation compromise becomes account compromise | Use scoped deployment roles |
| 8 | Ignoring provider and module version hygiene | Inconsistent or risky behavior across environments | Pin and review versions intentionally |
| 9 | Suppression comments with no expiry | Exceptions become permanent | Require owner, reason, and expiry |
| 10 | State access broader than code access | People who cannot safely change infra can still read sensitive state | Restrict state access separately |