Terraform Security — tfsec, Checkov, and Sentinel Vocabulary
Learn vocabulary for Terraform security scanning: tfsec, Checkov, and Sentinel policies.
What is tfsec?
tfsec is a static analysis tool that scans Terraform configuration files for security misconfigurations (e.g., S3 buckets without encryption, security groups open to the world).
What is Checkov in IaC security?
Checkov scans IaC files (Terraform, CloudFormation, Kubernetes YAML, etc.) for security and compliance violations using built-in rules and custom policies.
What is HashiCorp Sentinel?
Sentinel is HashiCorp's policy-as-code framework for Terraform Cloud and Enterprise. It allows organisations to enforce governance policies (e.g., 'no internet-facing resources without approval') as code.
What is 'least privilege' in Terraform provider configuration?
Least privilege means the IAM user/role used by Terraform has only the specific permissions needed to manage the resources it controls — reducing the blast radius of credential compromise.
What does 'sensitive = true' on a Terraform variable or output do?
sensitive = true prevents the value from being shown in terraform plan and apply output. Note: it is still stored in state (potentially in plaintext), so state should be encrypted separately.