I built a scanner that found 41 live AWS keys in 900 Terraform state files
A security researcher scanned S3 buckets for Terraform state files and found 900 of them, 41 containing live AWS keys. The scanner that surfaced these exposures was their own; after struggling to get the findings to anyone at the affected companies, they released an open-source tool to stop such state files from being exposed in the first place.
- The researcher found 900 S3 buckets containing Terraform state files, with 41 having live AWS credentials.
- They created a scanner called tfstate-scanner that checks for publicly accessible Terraform state files.
- After failing to report the vulnerabilities to companies, they developed terraform-state-guardian, a GitHub Action to prevent such exposures.
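The root problem in the article is that Terraform writes resource attributes, generated credentials included, into the state file in plaintext, so any state file that becomes reachable hands out working keys. The following is an added example, not the tfstate-scanner or terraform-state-guardian code, of the kind of pre-publish check a defender would run over their own state before it is committed or uploaded: it walks a Terraform state document (assumed to be format version 4, with `resources[].instances[].attributes` and the per-instance `sensitive_attributes` list that Terraform 0.15 and later records) and flags attributes that Terraform declared sensitive, that look like an AWS access key ID, or whose names suggest credential material. The sample state is constructed with placeholder values; no real credentials appear.

```python
"""Flag credential-like attributes in a Terraform state file (added example).

Intended as a CI or pre-commit gate: a non-empty finding list means the
state must not be pushed or uploaded as-is. The state below is constructed
for the example; every value is a placeholder, not a real key.
"""
import json
import re
from typing import Any, Iterator, NamedTuple

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term keys, ASIA for temporary ones) plus 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"^(?:AKIA|ASIA)[A-Z0-9]{16}$")

# Attribute names providers commonly use for credential material.
SENSITIVE_NAME = re.compile(
    r"(secret|password|passwd|token|private_key|client_secret|api_key)",
    re.IGNORECASE,
)

# Constructed sample state (format version 4); values are fake placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {
            "mode": "managed", "type": "aws_iam_access_key", "name": "deploy",
            "instances": [{
                "attributes": {
                    "id": "AKIAEXAMPLEEXAMPLE01",
                    "secret": "EXAMPLEsecretKEYvalueTHATisNOTreal000000",
                    "user": "deploy-bot",
                    "status": "Active",
                },
                # Terraform >= 0.15 records which attributes the provider marked sensitive.
                "sensitive_attributes": [{"type": "get_attr", "value": "secret"}],
            }],
        },
        {
            "mode": "managed", "type": "aws_db_instance", "name": "main",
            "instances": [{"attributes": {
                "identifier": "main-db", "engine": "postgres",
                "username": "admin", "password": "constructed-not-a-real-pw",
            }}],
        },
        {
            "mode": "managed", "type": "aws_s3_bucket", "name": "assets",
            "instances": [{"attributes": {"bucket": "example-assets", "region": "us-east-1"}}],
        },
    ],
})


class Finding(NamedTuple):
    address: str   # resource address, e.g. aws_iam_access_key.deploy[0]
    path: str      # attribute path inside the instance, e.g. secret
    reason: str    # which rule fired
    preview: str   # first 4 characters only; the full value is never emitted


def _walk(value: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted path, value) for every string leaf in nested dicts/lists."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def _declared_sensitive(inst: dict) -> set[str]:
    """Top-level attribute names the state itself marks as sensitive."""
    return {
        e["value"] for e in inst.get("sensitive_attributes", [])
        if isinstance(e, dict) and e.get("type") == "get_attr" and isinstance(e.get("value"), str)
    }


def scan_state(state_text: str) -> list[Finding]:
    """Return one Finding per credential-like attribute; empty list means clean."""
    state = json.loads(state_text)
    findings: list[Finding] = []
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            address = f"{res['type']}.{res['name']}[{idx}]"
            declared = _declared_sensitive(inst)
            for path, val in _walk(inst.get("attributes", {})):
                if not val:
                    continue
                top = path.split(".")[0].split("[")[0]   # top-level attribute name
                leaf = path.rsplit(".", 1)[-1]             # innermost key name
                if top in declared:
                    findings.append(Finding(address, path, "declared_sensitive", val[:4]))
                elif AWS_ACCESS_KEY_ID.match(val):
                    findings.append(Finding(address, path, "aws_access_key_id", val[:4]))
                elif SENSITIVE_NAME.search(leaf):
                    findings.append(Finding(address, path, "sensitive_attribute_name", val[:4]))
    return findings


def safe_to_publish(state_text: str) -> bool:
    """True only if no credential-like attribute was found."""
    return not scan_state(state_text)


if __name__ == "__main__":
    for f in scan_state(SAMPLE_STATE):
        print(f"{f.address} {f.path}: {f.reason} ({f.preview}...)")
    print("safe to publish:", safe_to_publish(SAMPLE_STATE))
```

Run against a real `terraform.tfstate` by reading the file into `scan_state`; in a pipeline, a non-empty result should fail the job before the state reaches a remote backend, and the remote bucket itself should have S3 Block Public Access enabled so a state that does slip through is still unreachable. The name-based rule is deliberately broad and will produce false positives; the `sensitive_attributes` and key-ID rules are the precise ones.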
Opening excerpt (first ~120 words)
I found 900 S3 buckets exposing Terraform state files. 41 had live AWS credentials.
Piyush Gupta, Vechron (Security). Last updated: 2026/05/25 at 11:39 AM. 4 min read.

$20 VPS. 72 hours. 900 buckets. 40 live AWS keys. (Screenshot is an AI-generated recreation for illustration. No real credentials are shown.)

I built a scanner that guesses S3 bucket names and looks for .tfstate files. Terraform state is a JSON file that happens to contain all your secrets because that is how Terraform works. I ran it for three days on a cheap VPS and found 900 state files. 40 of them had raw AWS keys sitting in plaintext. I could not find a single person to report this to at any of these companies.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Vechron.