
Proposal: Address AWS cost optimization and IaC security findings (InfraScan Audit) #4428

@igor-soldev

Description


Hi eGov team,

My team at SolDevelo recently open-sourced an infrastructure auditor called InfraScan to help teams catch cloud cost anti-patterns and IaC security misconfigurations. We ran a baseline scan against the DIGIT-DevOps repository and wanted to share the findings, as there are some highly actionable "quick wins" for your AWS environments.

Report: https://infrascan.soldevelo.com/?scan_id=e7167cd4-e41e-4c55-b226-b1d77e111ea6

Overall, the infrastructure scored a 72.4% (C grade). While the Terraform foundation is robust, the scanner identified 484 potential issues across 150 scanned resources (25 High, 452 Medium).

💰 Cost Optimization Opportunities

  • Missing AWS Budgets (High): 23 Terraform backend configurations lack AWS budget alerts. Adding these is a critical safeguard against unexpected cloud cost overruns.
  • Old Generation Storage (Medium): The EKS node pools (modules/node-pool/aws/main.tf) are still using gp2 EBS volumes. Migrating to gp3 is a simple parameter change that offers better baseline performance and an automatic 20% cost reduction.
  • Expensive NAT Gateways (High): There are managed NAT Gateways provisioned. Depending on the environment's traffic, consolidating them or leveraging VPC Endpoints for AWS services could yield significant monthly savings.
  • S3 Lifecycle Policies (Medium): 11 Terraform state buckets are missing lifecycle rules. Old state versions will accumulate indefinitely, increasing storage costs.

🔒 IaC Security & Compliance

  • EKS Configurations: The scanner flagged that EKS public endpoints are not completely restricted (0.0.0.0/0), and Secrets Encryption is not explicitly enabled.
  • DynamoDB State Locks: Point-in-time recovery and KMS Customer Managed Keys (CMK) encryption are missing for the 11 Terraform state lock tables.
  • S3 Best Practices: State buckets are missing explicit Public Access Blocks, cross-region replication, and access logging.
  • Terraform Module Versioning: Many module sources are not pinned to a specific commit hash or version tag, which introduces a supply chain risk if upstream repositories change unexpectedly.

Proposed Solution & Automation

To help your contributors catch these types of misconfigurations before they are merged, you can integrate our open-source scanner directly into your CI/CD pipeline. It runs locally without needing any AWS credentials.

You can easily add this to your .github/workflows/ to automatically generate HTML reports on new Pull Requests:

name: InfraScan IaC Audit
on: [push, pull_request]
jobs:
  infrascan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run InfraScan
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/scan \
            soldevelo/infrascan:latest \
            --scanner comprehensive \
            --format html \
            --out /scan/infrascan-report.html

      - name: Upload Security Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: infrascan-report
          path: infrascan-report.html

You can find the tool's source code and documentation here: https://github.com/SolDevelo/InfraScan.

We are sharing this entirely pro bono to support the DIGIT ecosystem. If your team has any questions about these findings or would like assistance implementing some of these Terraform improvements, feel free to reach out!
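To make the module-pinning, gp2 and open-endpoint findings above concrete, here is an added example (not part of the issue and not InfraScan's code) that applies those three checks to a constructed HCL sample with plain regular expressions; the sample blocks, the example-org module sources and the commit SHA are all assumptions, not values from DIGIT-DevOps.

```python
import re
# Constructed sample HCL (not from DIGIT-DevOps), assumed to show the patterns the
# report describes: an unpinned module source, a gp2 volume, an open EKS endpoint.
SAMPLE_TF = '''
module "eks" {
  source = "github.com/example-org/terraform-aws-eks"
}
module "node_pool" {
  source = "git::https://github.com/example-org/node-pool.git?ref=9f0c2b1e4d3a5c6b7a8d9e0f1a2b3c4d5e6f7a8b"
}
resource "aws_launch_template" "nodes" {
  block_device_mappings {
    ebs {
      volume_type = "gp2"
    }
  }
}
resource "aws_eks_cluster" "main" {
  vpc_config {
    public_access_cidrs = ["0.0.0.0/0"]
  }
}
'''
# Top-level module/resource blocks; the body runs up to the first '}' in column 0.
BLOCK_RE = re.compile(r'^(module|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)^\}', re.M | re.S)

def attr(body, name):
    # Value of a simple `name = "..."` attribute inside a block body, or None.
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None

def is_pinned(source, version):
    # Pinned means an exact registry version, or a git ?ref= that is a commit SHA or semver tag.
    if version:
        return bool(re.fullmatch(r'v?\d+\.\d+\.\d+', version))
    m = re.search(r'[?&]ref=([^&]+)', source)
    return bool(m and re.fullmatch(r'[0-9a-f]{7,40}|v?\d+\.\d+\.\d+', m.group(1)))

def scan(hcl):
    # Returns a list of (severity, message) findings for the three checks.
    findings = []
    for kind, name, sub, body in BLOCK_RE.findall(hcl):
        label = f'{kind} "{name}"' + (f' "{sub}"' if sub else "")
        if kind == "module" and not is_pinned(attr(body, "source") or "", attr(body, "version")):
            findings.append(("High", f"{label}: source not pinned to a commit hash or version tag"))
        if re.search(r'volume_type\s*=\s*"gp2"', body):
            findings.append(("Medium", f"{label}: gp2 EBS volume, gp3 is cheaper and faster"))
        if "public_access_cidrs" in body and '"0.0.0.0/0"' in body:
            findings.append(("High", f"{label}: EKS public endpoint open to 0.0.0.0/0"))
    return findings
```

Running `scan(SAMPLE_TF)` on the constructed sample yields three findings: the unpinned `module "eks"`, the gp2 volume in the launch template, and the cluster endpoint open to 0.0.0.0/0; the node_pool module, pinned to a full commit SHA, is not reported.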
