Dynamic Security Testing

Dynamic testing analyzes IaC behavior during planning or simulated deployment, catching issues that static analysis misses. Because it works on the resolved result rather than the source expressions, dynamic testing identifies vulnerabilities that only appear after variable resolution, conditional logic, or interactions between resources have been evaluated.

Plan analysis extracts security insights from Terraform plans or CloudFormation change sets. These plans show exactly what resources will be created, modified, or destroyed, with values already resolved (for example, a CIDR block computed from a variable). Security tools can analyze plans to identify risky changes before they execute, catching issues like accidental resource deletion or privilege escalation that are not apparent in the static code. One caveat: values that Terraform marks as "known after apply" are not present in the plan and cannot be checked until a later stage.

#!/bin/bash
# terraform_plan_security.sh - Security analysis of Terraform plans
#
# Requires: terraform, jq, opa. Run from the root module directory with
# credentials sufficient for a plan; nothing is applied.

set -euo pipefail

# Generate Terraform plan (-input=false so a CI run never blocks on a prompt)
terraform init -input=false
terraform plan -input=false -out=tfplan.binary

# Convert to JSON for analysis
terraform show -json tfplan.binary > tfplan.json

# Run security analysis on plan
echo "=== Analyzing Terraform Plan for Security Issues ==="

# .change.actions is a list ("update", or ["delete","create"] for a replacement).
# Only create/update/delete count as changes; "no-op" and "read" are ignored.
# Membership is tested with any() rather than iterating the list inside
# select(), which would emit a resource once per matching element.
CHANGED='(.change.actions - ["no-op", "read"] | length > 0)'

count_changes() {   # $1 = jq predicate over one resource_changes entry
    jq "[.resource_changes[] | select($CHANGED and ($1))] | length" tfplan.json
}

list_changes() {    # $1 = same predicate; prints address, type and actions
    jq -r ".resource_changes[] | select($CHANGED and ($1)) | \"\(.address) - \(.type) [\(.change.actions | join(\",\"))]\"" tfplan.json
}

# Check for resource deletions (replacements delete first, so they are included)
echo -n "Checking for resource deletions... "
delete_filter='any(.change.actions[]; . == "delete")'
deletion_count=$(count_changes "$delete_filter")
if [ "$deletion_count" -gt 0 ]; then
    echo "WARNING: Plan will delete $deletion_count resources"
    list_changes "$delete_filter"
else
    echo "OK"
fi

# Check for security group changes (rules are often separate resources)
echo -n "Checking for security group modifications... "
sg_filter='.type == "aws_security_group" or .type == "aws_security_group_rule"'
sg_changes=$(count_changes "$sg_filter")
if [ "$sg_changes" -gt 0 ]; then
    echo "WARNING: Plan modifies $sg_changes security group resources"
    list_changes "$sg_filter"
else
    echo "OK"
fi

# Check for IAM changes
echo -n "Checking for IAM modifications... "
iam_filter='.type | startswith("aws_iam_")'
iam_changes=$(count_changes "$iam_filter")
if [ "$iam_changes" -gt 0 ]; then
    echo "WARNING: Plan modifies $iam_changes IAM resources"
    list_changes "$iam_filter"
else
    echo "OK"
fi

# Run OPA policy evaluation against the plan JSON.
# --fail-defined makes opa exit non-zero when any deny rule produces a result.
echo "=== Running OPA Policy Evaluation ==="
opa_status=passed
opa eval -d policies/ -i tfplan.json --fail-defined --format pretty "data.terraform.deny[_]" || opa_status=failed

# Check for drift. The plan JSON already records objects changed outside
# Terraform in resource_drift, so no second plan is needed. Note that
# Terraform 1.3+ only reports drift that affects the planned changes; use
# terraform plan -refresh-only for a full drift audit.
echo "=== Checking for Configuration Drift ==="
drift_resources=$(jq '(.resource_drift // []) | length' tfplan.json)
if [ "$drift_resources" -gt 0 ]; then
    echo "WARNING: $drift_resources resources have drifted from IaC definitions"
    jq -r '.resource_drift[] | "\(.address) [\(.change.actions | join(","))]"' tfplan.json
fi

# Generate security report. Deletions, IAM changes and OPA denials fail the
# run; security group changes and drift are reported as warnings for review.
status=passed
if [ "$deletion_count" -gt 0 ] || [ "$iam_changes" -gt 0 ] || [ "$opa_status" = failed ]; then
    status=failed
fi

cat > security-report.json <<EOF
{
  "scan_timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
  "plan_file": "tfplan.json",
  "findings": {
    "deletions": $deletion_count,
    "security_group_changes": $sg_changes,
    "iam_changes": $iam_changes,
    "drift_detected": $drift_resources,
    "opa_policy": "$opa_status"
  },
  "status": "$status"
}
EOF

echo "Security analysis complete. Report saved to security-report.json"
# Exit non-zero on failure so a pipeline stage can block the apply
[ "$status" = passed ]

Sandbox deployment testing creates temporary environments for comprehensive security validation. These ephemeral environments allow full IaC execution with security monitoring, and they surface the values a plan could only report as "known after apply". Automated tests run against the deployed resources can verify network isolation, validate that encryption is actually enabled, and confirm access controls work as intended. The sandbox should be torn down automatically after the tests complete so that a permissive test configuration never lingers.
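The checks described above, as an added Python example that is not part of the original page. Each check is a pure function over the response shape of the corresponding AWS API call (describe_security_groups, describe_volumes, get_bucket_encryption, get_role_policy), so the logic can be unit-tested offline and then pointed at a live sandbox by replacing the constructed fixtures with boto3 calls. The fixtures, the security group and volume identifiers, and the allowed-public-port policy are all assumptions made for the example.

```python
"""Post-deployment security checks for an ephemeral IaC sandbox (added example)."""
import json

# Ports that may be exposed to 0.0.0.0/0 on an internet-facing edge.
# Assumption for this example; adjust to the environment's policy.
ALLOWED_PUBLIC_PORTS = {443}
WORLD = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """All CIDR strings (IPv4 and IPv6) in one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def check_network_isolation(security_groups):
    """Flag ingress rules open to the world on anything but ALLOWED_PUBLIC_PORTS.

    `security_groups` is the SecurityGroups list from describe_security_groups.
    IpProtocol "-1" means all protocols and ports and is always flagged when public.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            public = [c for c in _cidrs(perm) if c in WORLD]
            if not public:
                continue  # only reachable from other security groups or private CIDRs
            if perm.get("IpProtocol") == "-1":
                findings.append(f"{sg['GroupId']}: all traffic open to {public}")
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not (lo == hi and lo in ALLOWED_PUBLIC_PORTS):
                findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} {lo}-{hi} open to {public}")
    return findings


def check_encryption(volumes, bucket_encryption):
    """Every EBS volume must be encrypted and the bucket must have default SSE.

    `volumes` is the Volumes list from describe_volumes. `bucket_encryption` is the
    get_bucket_encryption response, or None when the call raised
    ServerSideEncryptionConfigurationNotFoundError (no default encryption set).
    """
    findings = [f"{v['VolumeId']}: EBS volume not encrypted"
                for v in volumes if not v.get("Encrypted")]
    rules = (bucket_encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("bucket: no default server-side encryption configured")
    return findings


def check_access_controls(policy_document):
    """Flag Allow statements granting a wildcard action or a wildcard resource.

    `policy_document` is the decoded PolicyDocument from get_role_policy. Both
    Statement and Action/Resource may be a single value or a list in IAM JSON.
    """
    findings = []
    statements = policy_document.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
    return findings


# Constructed sample responses standing in for live boto3 calls in the sandbox.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]
SAMPLE_VOLUMES = [{"VolumeId": "vol-a", "Encrypted": True}, {"VolumeId": "vol-b", "Encrypted": False}]
SAMPLE_BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::sandbox-artifacts/*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}


def run_sandbox_checks():
    """Run every check over the fixtures and return findings keyed by control."""
    return {
        "network_isolation": check_network_isolation(SAMPLE_SECURITY_GROUPS),
        "encryption": check_encryption(SAMPLE_VOLUMES, SAMPLE_BUCKET_ENCRYPTION),
        "access_controls": check_access_controls(SAMPLE_POLICY),
    }


if __name__ == "__main__":
    results = run_sandbox_checks()
    print(json.dumps(results, indent=2))
    raise SystemExit(1 if any(results.values()) else 0)  # non-zero fails the pipeline
```

Against the constructed fixtures the script reports the SSH rule on sg-edge, the unencrypted volume vol-b, and both wildcards in the second IAM statement, while the HTTPS rule and the database group reachable only from sg-app pass. In a real sandbox the same functions receive the live describe/get responses after `terraform apply`, and the non-zero exit code fails the pipeline before teardown.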