Hello!
We recently analyzed the Terraform configuration in this repository using InfraScan (an infrastructure analysis tool developed by SolDevelo).
Since Artemis is a security-focused tool, we wanted to highlight a few opportunities to further harden the underlying infrastructure configuration to align with strict compliance standards (like CIS/SOC2), as well as improve long-term maintenance.
🛡️ Security Hardening (Encryption)
The scan identified several resources where encryption-at-rest could be explicitly enforced or upgraded to use KMS CMKs. In enterprise environments, relying on defaults often creates compliance findings.
- SQS Queues: ~15 queues (e.g., audit-event-queue, repo-queue) do not appear to have Server-Side Encryption (SSE) explicitly enabled in the modules.
- Secrets Manager: Several secrets (24 locations) are using default keys instead of explicit KMS Customer Managed Keys, which gives finer control over access policies.
- CloudWatch Logs: Log groups could be configured with KMS encryption to protect sensitive scan logs.
🧹 Maintenance & Cost
- S3 Lifecycle Rules: Buckets such as heimdall_files and analyzer_files appear to lack lifecycle configuration.
- Impact: Without expiration or transition rules (e.g., to Glacier), scan artifacts and logs will accumulate indefinitely, leading to unnecessary storage costs ("cost creep") for self-hosted users.
You can view the full, interactive report with detailed findings and specific file locations here:
👉 View Full InfraScan Report for artemis
About this Report
This report was generated automatically by InfraScan v1.0.1. We are sharing this as part of our beta program to support open-source projects in maintaining efficient and secure infrastructure.
We hope you find these insights useful! Please leave feedback on the report, whether the tool is useful, and suggestions for future improvements to such a tool.
Best regards,
SolDevelo Team
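As an added example (not code from the Artemis repository or from InfraScan), the four findings above expressed in Terraform: an explicit KMS CMK wired to an SQS queue, a Secrets Manager secret and a CloudWatch log group, plus a lifecycle rule for an S3 bucket. The resource names, the secret and log group names, and the `aws_s3_bucket.analyzer_files` reference are assumptions; the "before" state for the queue is a block with only `name` set, which leaves encryption to the account default.

```hcl
# Added example, not code from the Artemis repository; names are placeholders.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
resource "aws_kms_key" "artemis" {
  enable_key_rotation = true
  # CloudWatch Logs must be allowed in the key policy or log delivery fails once
  # kms_key_id is set; services that publish to the queue (SNS etc.) need the same.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Effect    = "Allow"
        Principal = { Service = "logs.${data.aws_region.current.name}.amazonaws.com" }
        Action    = ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
        Resource  = "*"
      }
    ]
  })
}
resource "aws_sqs_queue" "audit_event" {
  name              = "audit-event-queue"
  kms_master_key_id = aws_kms_key.artemis.arn
}
resource "aws_secretsmanager_secret" "example" {
  name       = "artemis/example-secret"
  kms_key_id = aws_kms_key.artemis.arn
}
resource "aws_cloudwatch_log_group" "scan" {
  name       = "/artemis/scan"
  kms_key_id = aws_kms_key.artemis.arn
}
resource "aws_s3_bucket_lifecycle_configuration" "analyzer_files" {
  bucket = aws_s3_bucket.analyzer_files.id # assumes this bucket resource exists
  rule {
    id     = "expire-scan-artifacts"
    status = "Enabled"
    filter {}
    transition {
      days          = 30
      storage_class = "GLACIER"
    }
    expiration { days = 365 }
  }
}
```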