Terraform Architecture Review Checklist (CIS-Mapped, 2026)
A practitioner checklist for Terraform architecture reviews, organised by AWS Well-Architected Framework pillar. Each item is a verifiable check with a one-line rationale, mapped to CIS AWS Foundations Benchmark v3.0.0 where applicable.
5+ years AWS engineering · Open-source contributor
Last reviewed: 2026-05-27
A Terraform architecture review checklist gives a structured, repeatable way to evaluate infrastructure code against the AWS Well-Architected Framework. This checklist covers the highest-impact checks across Security, Reliability, Cost Optimization, and Operational Excellence. Most items can be verified directly from the Terraform files; the few that are account state rather than configuration (root MFA, access-key age) say so and name where to check instead.
Items are mapped to CIS AWS Foundations Benchmark v3.0.0 (where applicable) and the corresponding AWS Well-Architected Framework control. For the full guide on how to run a Terraform architecture review, see the full Terraform architecture review guide.
Security — Identity and Access Management
- Root account MFA enforced (CIS 1.5; SEC 2). Root is not a Terraform-managed resource: verify from the IAM credential report or Security Hub, not from HCL.
- No IAM user access keys older than 90 days (CIS 1.14; SEC 2). Key age is account state, not configuration; the HCL-level check is that no aws_iam_access_key resources exist and that humans authenticate through federation rather than IAM users (CIS 1.21).
- No customer-managed policy grants Action "*" on Resource "*" (CIS 1.16; SEC 3). Resource "*" on its own is legitimate for Describe/List actions that have no resource-level permissions; the finding is the wildcard pair, or a wildcard action on a sensitive service.
- IAM password policy requires a minimum length of 14 (CIS 1.8; SEC 2), set with aws_iam_account_password_policy.
- aws_iam_policy_document used instead of inline JSON strings (SEC 3). Terraform validates the structure at plan time and keeps Resource and Condition references reviewable.
- EC2 instances and launch templates set metadata_options { http_tokens = "required" } (CIS 5.6; SEC 6). IMDSv1 is what SSRF-to-credential-theft relies on.
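The IAM and IMDS items above as compliant HCL. This is an added example, not code from the original page or from ArchGuard; the policy, bucket, role and launch-template names are placeholders, and var.ami_id is assumed to be supplied by the caller.

```hcl
# Added example, not from the original page. Names and var.ami_id are placeholders.
variable "ami_id" { type = string }

# CIS 1.8 / 1.9: length 14 and no reuse of the last 24 passwords.
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length        = 14
  password_reuse_prevention      = 24
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
}

resource "aws_s3_bucket" "app" {
  bucket = "example-app-data" # placeholder
}

# Least-privilege policy built with the data source, not a heredoc. Each
# statement scopes its resources; nothing here is Action "*" on Resource "*"
# (CIS 1.16). Terraform rejects a malformed document at plan time, and the
# reviewer can see exactly which ARN each action touches.
data "aws_iam_policy_document" "app_reader" {
  statement {
    sid       = "ReadObjects"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.app.arn}/*"]
  }
  statement {
    sid       = "ListBucket"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.app.arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["reports/", "reports/*"]
    }
  }
}

resource "aws_iam_policy" "app_reader" {
  name   = "app-reader"
  policy = data.aws_iam_policy_document.app_reader.json
}

# Instance role instead of long-lived access keys (CIS 1.18); the instance
# profile is what the launch template references.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app-instance"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "app_reader" {
  role       = aws_iam_role.app.name
  policy_arn = aws_iam_policy.app_reader.arn
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance"
  role = aws_iam_role.app.name
}

# CIS 5.6: IMDSv2 only. hop_limit = 1 additionally stops containers on a
# bridge (NATed) network from completing the IMDSv2 token exchange, so a
# compromised container cannot read the instance role's credentials.
resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.small"

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
}
```

When reviewing the policy document, read each statement's resources list before its actions: the review question is not "is there a wildcard" but "does any statement pair a wildcard action with a wildcard resource, or grant a wildcard action on a service that can mint credentials".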
Security — Detection
- CloudTrail enabled in all regions with a multi-region trail (CIS 3.1; SEC 4): is_multi_region_trail = true and include_global_service_events = true on the aws_cloudtrail resource.
- CloudTrail log file validation enabled (CIS 3.2; SEC 4): enable_log_file_validation = true. Without it, a tampered log file in S3 is indistinguishable from a genuine one.
- CloudTrail delivered to CloudWatch Logs (SEC 4). No v3.0.0 control of its own, but the metric-filter alarms in CIS section 4 all depend on it.
- GuardDuty enabled in every region (SEC 4). Not a CIS Foundations control; aws_guardduty_detector is regional, so a multi-region deployment needs one per provider alias.
- VPC Flow Logs enabled on all VPCs (CIS 3.7; SEC 4) with traffic_type = "ALL" so rejected traffic is captured.
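The CloudTrail and GuardDuty items above as one deployable configuration. This is an added example, not code from the original page or from ArchGuard; the bucket, trail and log-group names are placeholders, and it does not include the KMS key for the trail (CIS 3.5).

```hcl
# Added example, not from the original page. Bucket and trail names are
# placeholders; the trail's KMS key (CIS 3.5) is not included.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "trail" {
  bucket = "example-cloudtrail-${data.aws_caller_identity.current.account_id}"
}

resource "aws_s3_bucket_public_access_block" "trail" {
  bucket                  = aws_s3_bucket.trail.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudTrail refuses to start delivery until the bucket policy grants it
# GetBucketAcl and PutObject under AWSLogs/<account>/.
data "aws_iam_policy_document" "trail_bucket" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.trail.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.trail.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "trail" {
  bucket = aws_s3_bucket.trail.id
  policy = data.aws_iam_policy_document.trail_bucket.json
}

# Log group the trail streams into; the CIS section 4 metric filters attach here.
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/aws/cloudtrail/example"
  retention_in_days = 365
}

data "aws_iam_policy_document" "trail_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "trail_to_logs" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.trail.arn}:*"]
  }
}

resource "aws_iam_role" "trail_to_logs" {
  name               = "cloudtrail-to-cloudwatch-logs"
  assume_role_policy = data.aws_iam_policy_document.trail_assume.json
}

resource "aws_iam_role_policy" "trail_to_logs" {
  role   = aws_iam_role.trail_to_logs.id
  policy = data.aws_iam_policy_document.trail_to_logs.json
}

resource "aws_cloudtrail" "main" {
  name                          = "example-trail"
  s3_bucket_name                = aws_s3_bucket.trail.id
  is_multi_region_trail         = true # CIS 3.1
  include_global_service_events = true # IAM and STS events are global
  enable_log_file_validation    = true # CIS 3.2: signed SHA-256 digest files
  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn     = aws_iam_role.trail_to_logs.arn

  # The bucket policy must exist before CloudTrail validates the bucket.
  depends_on = [aws_s3_bucket_policy.trail]
}

# GuardDuty is regional: one detector per region, so a multi-region setup
# repeats this resource with a provider alias for each enabled region.
resource "aws_guardduty_detector" "this" {
  enable = true
}
```

The ":*" suffix on cloud_watch_logs_group_arn is required by CloudTrail (it is a log-stream wildcard, not a typo), and the same suffix is what the role policy must scope to; a policy written against the bare log-group ARN will fail delivery silently.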
Security — Infrastructure Protection
- No security group allows ingress from 0.0.0.0/0 or ::/0 to remote administration ports (22, 3389) (CIS 5.2, 5.3; SEC 5). Check the full port range of every rule, not just from_port = 22: a 0-65535 rule fails this too.
- S3 Block Public Access enabled at the account level (aws_s3_account_public_access_block) and on every bucket (CIS 2.1.4; SEC 5).
- Rule resources (aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule, or the older aws_security_group_rule) used instead of inline ingress/egress blocks (SEC 5). Mixing the two styles makes Terraform overwrite rules on every apply, and standalone rules are easier to diff in review.
- EBS volumes encrypted at rest (CIS 2.2.1; SEC 8): aws_ebs_encryption_by_default per region, plus encrypted = true on any explicit volume or block device mapping.
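The network and storage-protection items above, together with the VPC Flow Logs item listed under Detection (it belongs with the VPC), as compliant HCL. This is an added example, not code from the original page or from ArchGuard; var.vpc_id and var.admin_cidr are placeholders for the target VPC and the bastion/VPN range, and the role and log-group names are invented.

```hcl
# Added example, not from the original page. var.vpc_id and var.admin_cidr are
# placeholders for the target VPC and the admin (VPN/bastion) source range.
variable "vpc_id"     { type = string }
variable "admin_cidr" { type = string } # never 0.0.0.0/0

# Security group with no inline ingress/egress blocks; every rule is its own
# resource, so a review diff shows exactly which rule changed.
resource "aws_security_group" "app" {
  name   = "app"
  vpc_id = var.vpc_id
}

# CIS 5.2 / 5.3: SSH only from the admin range. A from_port = 0 /
# to_port = 65535 rule to 0.0.0.0/0 would fail the same check even though
# it never mentions port 22.
resource "aws_vpc_security_group_ingress_rule" "ssh_from_admin" {
  security_group_id = aws_security_group.app.id
  description       = "SSH from admin range"
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_ipv4         = var.admin_cidr
}

resource "aws_vpc_security_group_ingress_rule" "https_public" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0" # acceptable: 443 is not an admin port
}

resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.app.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# CIS 2.1.4 at account scope: a bucket-level block can be removed by whoever
# owns the bucket; the account-level block cannot be bypassed that way.
resource "aws_s3_account_public_access_block" "this" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CIS 2.2.1: per-region default, so volumes created outside Terraform
# (console, ASG launches, snapshot restores) are encrypted too.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

# CIS 3.7: flow logs to CloudWatch Logs. ALL captures REJECT records, which
# is what port-scan and lateral-movement detections key on.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/aws/vpc/flow-logs"
  retention_in_days = 90
}

data "aws_iam_policy_document" "flow_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

# The log group already exists, so CreateLogGroup is deliberately not granted.
data "aws_iam_policy_document" "flow_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["${aws_cloudwatch_log_group.flow.arn}:*"]
  }
}

resource "aws_iam_role" "flow" {
  name               = "vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_assume.json
}

resource "aws_iam_role_policy" "flow" {
  role   = aws_iam_role.flow.id
  policy = data.aws_iam_policy_document.flow_write.json
}

resource "aws_flow_log" "vpc" {
  vpc_id          = var.vpc_id
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.flow.arn
  iam_role_arn    = aws_iam_role.flow.arn
}
```

The check a reviewer actually runs against rules like these is "for every ingress rule whose cidr_ipv4 is 0.0.0.0/0 or cidr_ipv6 is ::/0, is 22 or 3389 inside [from_port, to_port], or is ip_protocol -1"; the port-443 rule above passes, the admin rule passes because of its source, and an open all-ports rule fails.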
Security — Data Protection
- S3 buckets have server-side encryption configured (SEC 8). No longer a CIS v3.0.0 control because S3 applies SSE-S3 by default; the review point is whether buckets holding sensitive data use SSE-KMS with a customer-managed key, via aws_s3_bucket_server_side_encryption_configuration.
- S3 bucket policies deny requests where aws:SecureTransport is false (CIS 2.1.1; SEC 9).
- KMS keys have enable_key_rotation = true (CIS 3.6; SEC 8). Applies to customer-managed symmetric keys; asymmetric and HMAC keys cannot be rotated automatically.
- RDS instances have storage_encrypted = true (CIS 2.3.1; SEC 8). This can only be set at creation: an unencrypted instance is fixed by snapshot, encrypted copy and restore, not by flipping the flag in place.
- No secrets or credentials hardcoded in Terraform variables, defaults, or locals (SEC 3). Prefer manage_master_user_password on aws_db_instance, or read from Secrets Manager / SSM at apply time, and remember that any value that reaches a resource argument is stored in plaintext in state.
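The data-protection items above as compliant HCL, with the RDS settings from the Reliability section (multi_az, deletion_protection, backup retention) on the same resource because that is where they live. This is an added example, not code from the original page or from ArchGuard; the bucket and database identifiers are placeholders, and var.db_subnet_group and var.db_sg_id are assumed to exist.

```hcl
# Added example, not from the original page. Identifiers are placeholders;
# var.db_subnet_group and var.db_sg_id are assumed to exist already.
variable "db_subnet_group" { type = string }
variable "db_sg_id"        { type = string }

# CIS 3.6: customer-managed symmetric key with automatic rotation.
resource "aws_kms_key" "data" {
  description             = "app data at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "data" {
  bucket = "example-app-data" # placeholder
}

# Versioning on the bucket that holds critical data (REL 9).
resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id
  versioning_configuration { status = "Enabled" }
}

# SSE-KMS with the key above. bucket_key_enabled cuts KMS request volume
# without weakening anything.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    bucket_key_enabled = true
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
  }
}

# CIS 2.1.1: refuse plaintext HTTP. The Deny covers the bucket and its
# objects and every principal, including the account root.
data "aws_iam_policy_document" "data_tls_only" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = data.aws_iam_policy_document.data_tls_only.json
}

# CIS 2.3.1 plus the secrets item: storage_encrypted can only be set at
# creation, and the master password never appears in HCL or in state because
# RDS generates it straight into Secrets Manager.
resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  engine_version    = "16"
  instance_class    = "db.t4g.medium"
  allocated_storage = 50

  storage_encrypted = true
  kms_key_id        = aws_kms_key.data.arn

  username                      = "app_admin"
  manage_master_user_password   = true
  master_user_secret_kms_key_id = aws_kms_key.data.key_id

  db_subnet_group_name   = var.db_subnet_group
  vpc_security_group_ids = [var.db_sg_id]
  publicly_accessible    = false # CIS 2.3.3

  # Reliability items that live on the same resource.
  multi_az                  = true
  deletion_protection       = true
  backup_retention_period   = 7
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-db-final"

  lifecycle { prevent_destroy = true }
}
```

deletion_protection stops the AWS API from deleting the instance; prevent_destroy stops Terraform from planning the deletion in the first place, including the replace that a change to storage_encrypted or kms_key_id would otherwise trigger. Production databases want both.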
Reliability — Change Management
- RDS instances have multi_az = true in production (REL 10).
- RDS instances have deletion_protection = true (REL 8). Pair it with lifecycle { prevent_destroy = true } so a plan that would replace the instance fails before it reaches AWS.
- Auto Scaling Groups span at least two AZs (vpc_zone_identifier lists subnets in two or more AZs) with min_size ≥ 2 (REL 10).
- Lambda functions invoked asynchronously have dead_letter_config, or an on_failure destination in aws_lambda_function_event_invoke_config (REL 5).
- ECS services have desired_count ≥ 2 for production tasks, spread across AZs (REL 11).
Reliability — Failure Management
- ALB and NLB target groups define health_check against a real readiness path, and the ASG uses health_check_type = "ELB" so unhealthy instances are replaced rather than only drained (REL 11).
- RDS backup_retention_period ≥ 7 days (REL 9). 0 disables automated backups and point-in-time recovery entirely.
- S3 versioning enabled for buckets holding critical data (REL 9), with a noncurrent-version expiry so it does not become a cost problem.
- One NAT Gateway per AZ, each routed from its own AZ's private subnets (REL 10). A single gateway makes every AZ's egress depend on one AZ.
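The AZ-spanning and failure-handling items from both Reliability sections as HCL, including a plan-time check that the ASG really does span two AZs. This is an added example, not code from the original page or from ArchGuard; var.public_subnet_ids and var.private_subnet_ids are assumed to be maps keyed by AZ name, and var.vpc_id, var.launch_template_id and var.function_name are placeholders.

```hcl
# Added example, not from the original page. Subnet maps are keyed by AZ name,
# e.g. { "eu-west-1a" = "subnet-..." }; the other variables are placeholders.
variable "vpc_id"             { type = string }
variable "public_subnet_ids"  { type = map(string) }
variable "private_subnet_ids" { type = map(string) }
variable "launch_template_id" { type = string }
variable "function_name"      { type = string }

# One NAT Gateway per AZ, and each AZ's private route table points at its own
# gateway (REL 10). Losing an AZ then takes down only that AZ's egress.
resource "aws_eip" "nat" {
  for_each = var.public_subnet_ids
  domain   = "vpc"
}

resource "aws_nat_gateway" "this" {
  for_each      = var.public_subnet_ids
  subnet_id     = each.value
  allocation_id = aws_eip.nat[each.key].id
}

resource "aws_route_table" "private" {
  for_each = var.private_subnet_ids
  vpc_id   = var.vpc_id
}

resource "aws_route" "private_default" {
  for_each               = var.private_subnet_ids
  route_table_id         = aws_route_table.private[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[each.key].id
}

resource "aws_route_table_association" "private" {
  for_each       = var.private_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.private[each.key].id
}

# Health check on a readiness path, not "/", so an instance that is up but
# not serving is pulled from rotation (REL 11).
resource "aws_lb_target_group" "app" {
  name     = "app"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path                = "/healthz"
    matcher             = "200"
    interval            = 15
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 3
  }
}

# ASG across every private subnet with min_size 2 (REL 10). ELB health checks
# make the ASG replace instances the target group marked unhealthy, not only
# ones whose EC2 status checks fail. The precondition fails the plan if the
# subnet map does not cover at least two AZs.
resource "aws_autoscaling_group" "app" {
  name                = "app"
  vpc_zone_identifier = values(var.private_subnet_ids)
  min_size            = 2
  max_size            = 6
  desired_capacity    = 2
  target_group_arns   = [aws_lb_target_group.app.arn]
  health_check_type   = "ELB"

  launch_template {
    id      = var.launch_template_id
    version = "$Latest"
  }

  lifecycle {
    precondition {
      condition     = length(var.private_subnet_ids) >= 2
      error_message = "Production ASGs must span at least two AZs."
    }
  }
}

# Failure destination for async invocations (REL 5): events that fail after
# the built-in retries are parked in SQS instead of dropped. The function's
# execution role also needs sqs:SendMessage on this queue.
resource "aws_sqs_queue" "lambda_dlq" {
  name                      = "${var.function_name}-dlq"
  message_retention_seconds = 1209600 # 14 days
}

resource "aws_lambda_function_event_invoke_config" "app" {
  function_name          = var.function_name
  maximum_retry_attempts = 2

  destination_config {
    on_failure {
      destination = aws_sqs_queue.lambda_dlq.arn
    }
  }
}
```

Keying both subnet maps by AZ name is what makes the NAT-per-AZ routing trivially reviewable: each.key lines up the private route table, the NAT gateway and the public subnet it sits in, so a mis-routed AZ shows up as a key mismatch rather than a runtime surprise.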
Cost Optimization
- All resources carry Environment, Service, and Team tags (COST 3). Set them once in the provider default_tags block rather than per resource, and activate them as cost allocation tags in Billing.
- S3 lifecycle rules move infrequently accessed data to cheaper storage classes and expire what is no longer needed (COST 6).
- No aws_ebs_volume resources left unattached (every one has a matching aws_volume_attachment) (COST 4).
- CloudWatch billing alarm configured (COST 3). The AWS/Billing EstimatedCharges metric only exists in us-east-1, so the alarm and the SNS topic it notifies both need a us-east-1 provider.
- EC2 instance types right-sized for the workload, not left on module defaults (COST 6).
Operational Excellence
- CloudWatch alarms on Lambda Errors and Throttles (OPS 8).
- ALB HTTPCode_ELB_5XX_Count and HTTPCode_Target_5XX_Count alarms configured (OPS 8).
- RDS alarms on CPUUtilization, FreeStorageSpace, and DatabaseConnections (OPS 8).
- CloudWatch log groups set retention_in_days explicitly (OPS 8). The default is never-expire, which is both a cost and a data-retention problem.
- Terraform state stored remotely in S3 with locking (use_lockfile = true on Terraform 1.10+, dynamodb_table on older versions), encrypted and versioned (OPS 6). State holds every secret that reached a resource argument; treat the bucket as sensitive.
- Every alarm has alarm_actions (and ok_actions) pointing at an SNS topic with a confirmed subscriber; an alarm with no action is a dashboard entry, not a page (OPS 10).
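The tagging, billing-alarm, alarm-action, log-retention and remote-state items from the last two sections as one root-module fragment. This is an added example, not code from the original page or from ArchGuard; the state bucket, topic names, region, thresholds and var.alert_email / var.alb_arn_suffix are placeholders.

```hcl
# Added example, not from the original page. Bucket, topic, region and
# threshold values and both variables are placeholders.
terraform {
  backend "s3" {
    bucket       = "example-tf-state" # versioned, SSE-KMS, public access blocked
    key          = "prod/app/terraform.tfstate"
    region       = "eu-west-1"
    encrypt      = true
    use_lockfile = true # S3-native locking, Terraform >= 1.10
    # dynamodb_table = "tf-locks"   # older Terraform versions
  }
}

# Environment/Service/Team on every resource this provider creates (COST 3).
provider "aws" {
  region = "eu-west-1"
  default_tags {
    tags = { Environment = "prod", Service = "app", Team = "platform" }
  }
}

# AWS/Billing metrics exist only in us-east-1, and an alarm can only notify an
# SNS topic in its own region, so the billing alarm gets its own topic there.
provider "aws" {
  alias  = "billing"
  region = "us-east-1"
}

variable "alert_email"    { type = string }
variable "alb_arn_suffix" { type = string } # e.g. app/prod-alb/0123456789abcdef

resource "aws_sns_topic" "alerts" {
  name = "prod-alerts"
}

resource "aws_sns_topic_subscription" "alerts" {
  topic_arn = aws_sns_topic.alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

resource "aws_sns_topic" "billing" {
  provider = aws.billing
  name     = "billing-alerts"
}

resource "aws_sns_topic_subscription" "billing" {
  provider  = aws.billing
  topic_arn = aws_sns_topic.billing.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

resource "aws_cloudwatch_metric_alarm" "spend" {
  provider            = aws.billing
  alarm_name          = "estimated-charges-over-budget"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  dimensions          = { Currency = "USD" }
  statistic           = "Maximum"
  period              = 21600
  evaluation_periods  = 1
  comparison_operator = "GreaterThanThreshold"
  threshold           = 5000
  alarm_actions       = [aws_sns_topic.billing.arn]
}

# ALB 5xx alarm (OPS 8). treat_missing_data = "notBreaching" avoids a
# permanent ALARM state on a quiet service with no requests.
resource "aws_cloudwatch_metric_alarm" "alb_5xx" {
  alarm_name          = "alb-target-5xx"
  namespace           = "AWS/ApplicationELB"
  metric_name         = "HTTPCode_Target_5XX_Count"
  dimensions          = { LoadBalancer = var.alb_arn_suffix }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 3
  comparison_operator = "GreaterThanThreshold"
  threshold           = 20
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.alerts.arn]
  ok_actions          = [aws_sns_topic.alerts.arn]
}

# Explicit retention; the default is never-expire (OPS 8).
resource "aws_cloudwatch_log_group" "app" {
  name              = "/app/prod"
  retention_in_days = 90
}
```

Two things a reviewer should confirm beyond the HCL: that the email subscriptions were actually confirmed (an unconfirmed subscription is a topic with no subscriber), and that the state bucket itself is covered by the same controls the checklist applies to application buckets, since it contains every database password, API key and private key that ever reached a resource argument.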
Run this checklist automatically
ArchGuard checks your Terraform against the AWS Well-Architected Framework and returns a structured PDF report with findings, severity, and remediation HCL.