I built a scanner that found 41 live AWS keys in 900 Terraform state files

14 hours ago
  • A scanner was built to guess S3 bucket names and locate exposed Terraform state files (.tfstate). These files contain sensitive data such as AWS keys because Terraform writes resource attributes, credentials included, to state in plaintext by default.
  • Running the scanner for 72 hours on a budget VPS at a low request rate uncovered 912 valid state files, 41 of which contained live AWS keys, including keys belonging to high-stakes companies in healthcare and fintech.
  • Attempts to report the issues to the affected companies failed for lack of responsive security contacts, and reporting to AWS Abuse was avoided because it could lead to account suspension without proper remediation.
  • Instead of traditional reporting, a tool called terraform-state-guardian was created: a free GitHub Action that prevents exposure by scanning for committed state files and checking that the S3 state bucket is encrypted. It has gained significant open-source traction.
  • A major concern remains that AWS provides no alerts for bucket-scanning activity, so companies stay unaware of an exposure until someone else discovers it.
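The kind of CI check the summary describes, as an added example written for this page (it is not the terraform-state-guardian action's own code). Given the repository's tracked files as a path-to-text mapping (for example built from `git ls-files`), it reports any committed state file, credential-looking values inside those state files, and S3 backend blocks that omit `encrypt = true`. The sample repository and every key value in it are constructed placeholders; the assumptions are Terraform's JSON state format, AWS's documented AKIA/ASIA access key ID prefixes, and a backend block written in plain HCL without nested blocks.

```python
"""Added example (not the article's tool): a CI-side Terraform state exposure check."""
import json
import re

STATE_SUFFIXES = (".tfstate", ".tfstate.backup")
# AWS access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 [A-Z0-9].
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Attribute names that commonly hold credentials in provider resources.
SENSITIVE_ATTRS = {"secret", "secret_key", "password", "private_key", "token"}
# Simple HCL matcher; assumes no nested blocks inside the backend block.
BACKEND_RE = re.compile(r'backend\s+"s3"\s*\{(.*?)\}', re.S)
ENCRYPT_RE = re.compile(r"^\s*encrypt\s*=\s*true\s*$", re.M)


def committed_state_files(paths):
    """Paths that are Terraform state or state backups; none should be tracked."""
    return sorted(p for p in paths if p.endswith(STATE_SUFFIXES))


def _leaves(obj, path=""):
    """Yield (json_path, value) for every scalar in a parsed state document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{i}]")
    else:
        yield path, obj


def secrets_in_state(state_text):
    """Return [(json_path, reason)] for credential-looking values in one state file."""
    findings = []
    for path, value in _leaves(json.loads(state_text)):
        leaf = path.rsplit(".", 1)[-1]
        if isinstance(value, str) and ACCESS_KEY_RE.search(value):
            findings.append((path, "aws_access_key_id"))
        elif leaf in SENSITIVE_ATTRS and value not in (None, ""):
            findings.append((path, f"sensitive attribute '{leaf}'"))
    return findings


def s3_backend_encrypted(tf_text):
    """None when the file has no S3 backend block, else whether it sets encrypt = true."""
    match = BACKEND_RE.search(tf_text)
    if match is None:
        return None
    return bool(ENCRYPT_RE.search(match.group(1)))


def scan_repo(files):
    """files: {path: text}. Returns the three finding lists a CI job should fail on."""
    report = {"state_files": committed_state_files(files), "secrets": [], "unencrypted_backends": []}
    for path in report["state_files"]:
        report["secrets"].extend((path, jp, why) for jp, why in secrets_in_state(files[path]))
    for path, text in files.items():
        if path.endswith(".tf") and s3_backend_encrypted(text) is False:
            report["unencrypted_backends"].append(path)
    return report


# Constructed sample repository; the key ID and secret are placeholders, not real credentials.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "aws_iam_access_key", "name": "ci",
        "instances": [{"attributes": {
            "id": "AKIAEXAMPLE0000000AB",
            "secret": "placeholder-secret-value",
            "user": "ci-user"}}]}]})
SAMPLE_FILES = {
    "infra/terraform.tfstate": SAMPLE_STATE,
    "infra/backend.tf": 'terraform {\n  backend "s3" {\n    bucket = "example-state"\n    key    = "prod.tfstate"\n  }\n}\n',
    "infra/main.tf": 'resource "aws_s3_bucket" "b" {\n  bucket = "example"\n}\n',
}

if __name__ == "__main__":
    result = scan_repo(SAMPLE_FILES)
    for section, items in result.items():
        print(section, items)
    # Non-zero exit makes a CI job fail on any finding.
    raise SystemExit(1 if any(result.values()) else 0)
```

In a pipeline, build the `files` mapping from `git ls-files` and fail the job on a non-empty report. Note that `encrypt = true` only turns on server-side encryption of the state object at rest; it does nothing against a bucket whose policy or public-access settings let an unauthenticated client list or fetch objects, which is the exposure the article's scanner found. Treat the backend check as a floor and keep S3 Block Public Access and a restrictive bucket policy on the state bucket as well.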