Security patterns and checklists for reviewing Infrastructure-as-Code. Covers Terraform/OpenTofu state, secrets, network, compute, database, and storage security.
View on GitHub: majesticlabs-dev/majestic-marketplace
majestic-devops
plugins/majestic-devops/skills/infra-security-review/SKILL.md
January 24, 2026
Install: `npx add-skill https://github.com/majesticlabs-dev/majestic-marketplace/blob/main/plugins/majestic-devops/skills/infra-security-review/SKILL.md -a claude-code --skill infra-security-review`

Installation path: `.claude/skills/infra-security-review/`

# Infrastructure Security Review Patterns
Security checklists and grep patterns for reviewing IaC code. Use these patterns when verifying infrastructure security.
## Security Checklists
### State Backend Security
| Check | Severity | Pattern |
|-------|----------|---------|
| S3 bucket without encryption | Critical | `encrypt = false` or missing |
| Missing state locking | High | No DynamoDB table configured |
| Public bucket policy | Critical | `block_public_*` not all true |
| Missing versioning | Medium | `versioning` not enabled |
### Secret Exposure
| Check | Severity | Pattern |
|-------|----------|---------|
| Hardcoded AWS keys | Critical | `AKIA[0-9A-Z]{16}` |
| Hardcoded passwords | Critical | `password\s*=\s*"[^"]+[^}]"` |
| Database credentials in code | Critical | `DATABASE_URL` with password |
| API keys in variables | High | `api_key`, `secret_key` defaults |
### Network Security
| Check | Severity | Pattern |
|-------|----------|---------|
| SSH open to world | Critical | `0.0.0.0/0` on port 22 |
| Database publicly accessible | Critical | Missing `private_network_uuid` |
| Wide CIDR ranges | Medium | `/8`, `/16` on public resources |
| Missing firewall | High | Droplet without firewall resource |
### Compute Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Root login enabled | High | `PermitRootLogin yes` in cloud-init |
| Password auth enabled | Medium | `PasswordAuthentication yes` |
| Missing SSH hardening | Low | No `ClientAliveInterval` config |
| No monitoring | Low | `monitoring = false` |
### Database Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Public database access | Critical | No database firewall rules |
| No VPC attachment | High | Missing `private_network_uuid` |
| Weak version | Medium | Old database engine versions |
| Single node for production | Low | `node_count = 1` in prod |
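As an added example (not part of this skill file), a small Python scanner that applies the state, secret, network and compute checks above to a constructed HCL snippet. The two block-level checks show what a plain grep misses: a rule is only "SSH open to world" when port 22 and `0.0.0.0/0` sit in the same `inbound_rule`, and missing state locking is an absent `dynamodb_table` argument rather than a string to match. Check names and severities come from the tables; the password regex is simplified to quoted literals, and the sample configuration is made up.

```python
import re

# Single-line greps from the checklists above; password pattern simplified to quoted literals.
LINE_CHECKS = [
    ("Hardcoded AWS key", "Critical", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("Hardcoded password", "Critical", re.compile(r'password\s*=\s*"[^"]+"')),
    ("State bucket unencrypted", "Critical", re.compile(r"encrypt\s*=\s*false")),
    ("Root SSH login", "High", re.compile(r"PermitRootLogin\s+yes")),
    ("Password auth", "Medium", re.compile(r"PasswordAuthentication\s+yes")),
    ("Monitoring disabled", "Low", re.compile(r"monitoring\s*=\s*false")),
]
# Block-level checks: SSH exposure needs port 22 and 0.0.0.0/0 in one inbound_rule; locking is a missing argument.
INBOUND_RULE = re.compile(r"inbound_rule\s*\{(.*?)\}", re.S)
S3_BACKEND = re.compile(r'backend\s+"s3"\s*\{(.*?)\}', re.S)

def scan(text):
    """Return (check, severity, line) findings for one HCL file, sorted by line."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, sev, rx in LINE_CHECKS:
            if rx.search(line):
                found.append((name, sev, lineno))
    for m in INBOUND_RULE.finditer(text):
        if re.search(r'port_range\s*=\s*"22"', m.group(1)) and "0.0.0.0/0" in m.group(1):
            found.append(("SSH open to world", "Critical", text.count("\n", 0, m.start()) + 1))
    for m in S3_BACKEND.finditer(text):
        if "dynamodb_table" not in m.group(1):
            found.append(("Missing state locking", "High", text.count("\n", 0, m.start()) + 1))
    return sorted(found, key=lambda f: f[2])

# Constructed sample (not a real configuration) that trips several checks.
SAMPLE_TF = """\
terraform {
  backend "s3" {
    encrypt = false
  }
}
locals { admin_password = "not-a-real-secret" }
resource "digitalocean_firewall" "web" {
  inbound_rule {
    port_range       = "22"
    source_addresses = ["0.0.0.0/0"]
  }
}
resource "digitalocean_droplet" "web" {
  monitoring = false
  user_data  = "PermitRootLogin yes"
}
"""
```

`scan(SAMPLE_TF)` returns six findings, from the unlocked backend on line 2 to the root-login cloud-init on line 15; a rule that limits port 22 to a single /32 produces none.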
### Storage Security
| Check | Severity | Pattern |
|-------|----------|---------|
| Publ