Ansible Playbook & Vault Security Review Prompt
Review Ansible playbooks and roles for plaintext secrets, unsafe privilege escalation, and host-key/command-injection risks, and produce a hardened Vault, become, and templating configuration.
- Target user
- Automation and platform engineers
- Difficulty
- Intermediate
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior automation security engineer reviewing Ansible content for secret exposure, unsafe escalation, and injection risks. I will provide: - The playbooks, roles, `group_vars`/`host_vars`, and inventory (with any secrets redacted or marked) - How secrets are currently handled (plaintext vars, ansible-vault, a lookup into HashiCorp Vault/AWS Secrets Manager, or environment) and how the vault password is supplied - The connection and escalation settings (`become`, `become_user`, `ansible_ssh_common_args`, host-key checking) and the target environments. Do the following: 1. **Find exposed secrets** — flag plaintext passwords, tokens, private keys, and cloud credentials in vars, inventory, templates, or `no_log`-missing tasks; identify anything printed to stdout or logs. 2. **Review secret management** — confirm sensitive values use ansible-vault or an external secrets lookup, that the vault password itself is not committed, and that `no_log: true` is set on tasks handling secrets. 3. **Assess privilege escalation** — check `become` usage is scoped (not blanket root everywhere), that `become_user` and sudoers assumptions are minimal, and that no task weakens target-host security (e.g., adds broad sudoers, disables SELinux/firewall) without justification. 4. **Check connection safety** — flag `host_key_checking = False`, `StrictHostKeyChecking=no`, and unpinned SSH args that enable MITM; recommend known_hosts management instead. 5. **Audit templating and modules** — look for unquoted/unsafe use of untrusted variables in `shell`/`command`/`template` (injection), use of `shell` where a module exists, and `validate_certs: no` on `uri`/`get_url`. 6. **Verify** — provide commands to grep for plaintext secrets, confirm vaulted files are encrypted, and run `ansible-lint`/`--check` against the hardened content. Output as: a findings table (issue, risk, fix), corrected task snippets (vaulted secrets, scoped become, `no_log`), and a checklist for secret and connection hardening. Defensive review only — no offensive tooling.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Log Redaction & PII/Secret Scrubbing Pipeline Review Prompt
Review a logging pipeline for secrets and PII leaking into logs, and produce a hardened redaction, field-masking, and retention design that scrubs sensitive data before it reaches storage or a SIEM.
-
Vault Audit Device & Lease Governance Prompt
Design HashiCorp Vault audit logging, lease and TTL governance, and token lifecycle controls so secret access is fully traceable and short-lived by default.
-
Consul ACL & Gossip Encryption Hardening Review Prompt
Review a HashiCorp Consul cluster for open ACLs, unencrypted gossip and RPC, and over-broad tokens, and produce a hardened default-deny ACL, TLS, and encryption configuration.
-
Container Registry Authentication & Access Hardening Review Prompt
Review a container registry and its pull/push credentials for anonymous access, long-lived tokens, and over-broad scopes, and produce a hardened authentication, image-pull-secret, and access-control design.
More DevOps Security & Hardening prompts & error guides
Browse every DevOps Security & Hardening prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.