The 30 Terraform Cloud security checks Black Cat runs
Black Cat SSPM evaluates 30 security policies against your Terraform Cloud configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Enable mandatory two-factor authentication for all organization members
Configure SAML SSO to enforce centralized identity provider authentication
Reduce the session timeout to 24 hours or less to limit exposure from abandoned sessions
Reduce the number of broad organization-level permissions granted to the team
Downgrade the team's workspace access from admin to a least-privilege level such as write or read
Change team visibility from secret to organization to improve governance transparency
Require the user to enable two-factor authentication or enforce 2FA at the organization level
Resend or revoke pending user invitations that have not been accepted
change management
Disable auto-apply to require manual approval before infrastructure changes are applied
Disable destroy plan permission to prevent accidental infrastructure deletion
configuration
Disable force-delete to prevent accidental or malicious removal of workspaces with resources
Change the default execution mode to remote to enable centralized state management and audit logging
Connect the workspace to a VCS repository to enable GitOps workflows and change traceability
Enable drift detection to automatically detect infrastructure changes outside of Terraform
Upgrade the workspace to use Terraform 1.5.0 or later to receive security fixes and new features
Disable priority override on the variable set to prevent silent overriding of workspace-level variables
data security
Restrict remote state sharing to specific workspaces instead of all workspaces
infrastructure security
Restrict the agent pool to specific workspaces rather than making it available organization-wide
Restrict the VCS connection to specific workspaces to limit credential exposure
Configure an HMAC key on the run task to authenticate requests from Terraform Cloud
Change the run task enforcement level from advisory to mandatory to block non-compliant runs
Add an HMAC token to the generic webhook notification to verify the authenticity of incoming payloads
Review whether the SSH key is still in use and rotate or remove it if not required
policy enforcement
Change the Sentinel policy enforcement level from advisory to hard-mandatory or soft-mandatory
Disable the overridable flag on the policy set to prevent workspace owners from bypassing policies
Expand the policy set to apply globally or ensure all workspaces are explicitly covered
Add policies to the empty policy set or remove it if it is no longer needed
secrets management
Mark variables with sensitive names as sensitive to prevent plaintext exposure in logs and UI
Restrict the variable set scope to specific workspaces rather than the entire organization
Immediately rotate the exposed credential and re-create the variable as sensitive