Skip to content

IaC Security Standard

Trivy Config scans Terraform source for public exposure, weak encryption, permissive IAM, missing logging, insecure network rules, and other provider-specific controls.

Findings are assessed before apply. Production infrastructure does not rely on post-deployment remediation for known critical misconfiguration. Custom policies may be introduced for Nexa requirements such as mandatory tags, approved regions, encryption keys, private endpoints, and logging destinations.

Suppressions are closest to the affected resource, documented, and time-bound. A module-wide suppression that hides unrelated resources is prohibited.