Securing Terraform with Checkov: My First Governance Hardening Pass

๐Ÿ” Context: As part of my DevSecOps learning journey (Epic 21: Governance & Policy as Code), I wanted to enforce security best practices in a live Terraform project. The goal was to use Checkov to scan my Infrastructure as Code (IaC) and apply necessary fixes to improve compliance, visibility, and confidence in what I was deploying.


Scenario Before Scan

I began with a basic Terraform setup that provisioned:

  • A VPC
  • A public subnet
  • A security group allowing SSH
  • A single EC2 instance with default settings

Initial Risks Detected by Checkov

checkov -d .

Results:

  • ✅ Passed Checks: 9
  • ❌ Failed Checks: 11

Examples:

  • SSH open to 0.0.0.0/0
  • Egress open to all traffic
  • No description fields
  • EBS not encrypted
  • No CloudWatch monitoring
  • IMDSv1 enabled
  • No IAM role for EC2
  • Public IP assigned automatically
  • VPC Flow Logs disabled

Fixes Made (in Batches)

Batch 1: Security Group Tightening

  • Allowed SSH only from a trusted IP
  • Restricted egress to port 443 (HTTPS)
  • Added description fields to rules

Batch 2: EC2 Instance Hardening

  • Enabled CloudWatch monitoring
  • Encrypted EBS root volume
  • Enforced IMDSv2
  • EBS optimization enabled
  • Commented out iam_instance_profile (will add later)

๐ŸŒ Batch 3: Network & VPC Adjustments

  • Disabled map_public_ip_on_launch
  • Deferred VPC Flow Logs setup
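As an added illustration (not code from the post or its repository), this is what the three batches of fixes look like together in HCL, with the original weak settings noted in comments; the resource names, the 10.0.1.0/24 subnet, the placeholder trusted IP 203.0.113.10/32 (a documentation-only range), aws_vpc.main and var.ami_id are all assumptions.

```hcl
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id   # assumed VPC resource
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false             # Batch 3: was true
}

resource "aws_security_group" "app" {
  name        = "app-sg"
  description = "Batch 1: SSH from trusted IP only, HTTPS egress only"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH from trusted operator IP"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.10/32"]       # placeholder; was 0.0.0.0/0
  }

  egress {
    description = "HTTPS out only; replaces allow-all egress"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app" {
  ami                         = var.ami_id   # assumed to be declared elsewhere
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.public.id
  vpc_security_group_ids      = [aws_security_group.app.id]
  associate_public_ip_address = false        # Batch 3: no automatic public IP
  monitoring                  = true         # Batch 2: CloudWatch detailed monitoring
  ebs_optimized               = true         # Batch 2

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"               # Batch 2: IMDSv2 only, IMDSv1 refused
  }

  root_block_device {
    encrypted = true                         # Batch 2: encrypted root volume
  }

  # iam_instance_profile intentionally left out for now (deferred to Task 21.5)
}
```

Re-running checkov -d . after these changes is what separates the findings the post deferred on purpose (IAM role, flow logs, default security group) from anything that was simply missed.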

Terraform Workflow Used

terraform plan -out secure.plan
terraform apply secure.plan

✅ Avoided blind changes: DevSecOps habit formed!


After Fixes: Checkov Re-scan

checkov -d .

Result:

  • ✅ Passed: 17
  • ❌ Failed: 3 (deferred by design)

Remaining issues:

  • IAM role missing → planned in Task 21.5
  • VPC Flow Logs → Task 21.7
  • Default security group → not used

Key Learnings

  • Policy-as-Code reveals hidden risks
  • IMDSv2 + encryption = huge upgrade
  • Organizing fixes into batches = clarity
  • terraform plan -out = must-use
  • DevSecOps = awareness + tooling + design

๐Ÿ“ Whatโ€™s Next?

  • Write custom OPA policy for EBS encryption
  • Checkov scan for S3 bucket policies
  • Add IAM role with least privilege
  • Enable VPC Flow Logs with IAM
  • Blog each fix as a security pattern

Thanks for reading. May your pipelines be green, your infra be tagged, and your security posture be strong!

Explore my other blogs at opsbygandal.dev
Check out the GitHub repo: https://github.com/gandalops/portfolio-chirpy
Let's connect on LinkedIn


This post is licensed under CC BY 4.0 by the author.