I built a scanner that found 41 live AWS keys in 900 Terraform state files

By GeorgeWoff

I found 900 S3 buckets exposing Terraform state files. 41 had live AWS credentials.


$20 VPS. 72 hours. 900 buckets. 41 live AWS keys. (Screenshot is an AI-generated recreation for illustration. No real credentials are shown.)


I built a scanner that guesses S3 bucket names and looks for .tfstate files. Terraform state is a JSON document that records every attribute of every resource Terraform manages, secrets included; that is simply how Terraform works. I ran it for three days on a cheap VPS and found 900 state files. 41 of them had raw AWS keys sitting in plaintext. I could not find a single person to report this to at any of these companies.

Why I even started this

I got into bug bounty last year and kept hitting walls. Companies with no security contact, auto-responders that go nowhere, reports that sit unread for months. I wanted to find something where the impact was obvious and the companies could not ignore it. Terraform state files kept coming up in writeups. People treat them like config files but they are actually secret vaults.

By default, terraform.tfstate records every attribute of every resource: resource IDs, connection strings, database passwords you passed in, and, if you ever created an aws_iam_access_key resource, the secret access key itself in its secret attribute (unless you set pgp_key, in which case only an encrypted copy is stored). Terraform's documentation says plainly that state can contain sensitive data, but nobody reads warnings.

How my scanner works

I call it tfstate-scanner.

The seed wordlist comes from Crunchbase company names, DNS certificate transparency logs, and GitHub repo names. Then it permutes them into common patterns like {name}-terraform, {name}-tfstate, {name}-infrastructure, and {name}-devops.

It checks that {permutation}.s3.amazonaws.com resolves, then sends a HEAD request for /{permutation}/terraform.tfstate. (Every name under s3.amazonaws.com resolves, because AWS serves a wildcard DNS record, so the DNS step is only a liveness filter; the HTTP status is what tells you whether the bucket exists: 404 NoSuchBucket for a name nobody owns, 403 for a bucket that exists but is private, 200 for an object anyone can read.) If the HEAD returns 200, it fetches the file and parses the JSON for aws_access_key_id, password, private_key, and connection_string.

That is the whole thing. It only looks at what is already public.
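The parsing stage is the part that matters on both sides of this story: the scanner runs it over files it pulled from public buckets, and a defender can run the same logic over their own state before it ever lands in one. The following is an added example, written for this page rather than taken from tfstate-scanner, and it works offline on a constructed state file. It walks the state format version 4 layout (resources[].instances[].attributes, the one Terraform 0.12 and later write) and falls back to walking the whole document for older layouts; the sample uses the access key pair from the AWS documentation, not a live credential. Note that Terraform only lists provider-flagged values under an instance's sensitive_attributes; it still stores them in the clear, which is why a name-based sweep like this finds them.

```python
import json
import re

# Constructed sample state (not a real file) in Terraform's state format
# version 4. The attribute names are the ones the real aws_iam_access_key
# and aws_db_instance resources write; the key pair is the sample pair
# from the AWS documentation, not a live credential.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "terraform_version": "1.6.0",
    "resources": [
        {
            "mode": "managed",
            "type": "aws_iam_access_key",
            "name": "deploy",
            "instances": [{
                "attributes": {
                    "id": "AKIAIOSFODNN7EXAMPLE",
                    "user": "deploy-bot",
                    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                    "status": "Active",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "aws_db_instance",
            "name": "main",
            "instances": [{
                "attributes": {
                    "identifier": "prod-db",
                    "username": "admin",
                    "password": "not-a-real-password",
                    "endpoint": "prod-db.example.us-east-1.rds.amazonaws.com:5432",
                },
            }],
        },
    ],
})

# Attribute names that carry raw credentials in common providers, matched as
# substrings so secret_key, client_secret, master_password etc. qualify.
SECRET_NAME = re.compile(
    r"secret|password|private_key|connection_string|token", re.IGNORECASE)
# Shape of an AWS long-term access key ID, wherever it turns up.
AWS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")


def _walk(node, path, hits):
    """Recurse through attribute values, recording credential-like leaves."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, path + [str(key)], hits)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, path + [str(index)], hits)
    elif isinstance(node, str) and node:
        # A list element inherits the name of the attribute holding the list.
        name = next((p for p in reversed(path) if not p.isdigit()), "")
        if SECRET_NAME.search(name):
            hits.append((".".join(path), "secret_attribute"))
        elif AWS_KEY_ID.fullmatch(node):
            hits.append((".".join(path), "aws_access_key_id"))


def find_secrets(tfstate_text):
    """Return (path, kind) pairs for credential-bearing values in a state file.

    Paths look like resource_type.resource_name.instance_index.attribute so a
    finding can be reported without ever echoing the secret itself.
    """
    state = json.loads(tfstate_text)
    hits = []
    if "resources" in state:                 # state format v4 (Terraform 0.12+)
        for res in state["resources"]:
            label = f"{res.get('type', '?')}.{res.get('name', '?')}"
            for index, inst in enumerate(res.get("instances", [])):
                _walk(inst.get("attributes") or {}, [label, str(index)], hits)
    else:                                    # older layouts: sweep the whole document
        _walk(state, ["state"], hits)
    return hits


def summarize(hits):
    """Count findings per kind, for a report that never contains the values."""
    counts = {}
    for _, kind in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for path, kind in find_secrets(SAMPLE_TFSTATE):
        print(f"{kind:18} {path}")
```

Running it against the sample reports the access key ID, the IAM secret and the RDS password by path only; pointed at a real terraform.tfstate it is the check you would run in CI before the file can be committed or uploaded.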

When I ran it

I ran it for 72 hours on a $20 per month VPS. I kept it at 10 requests per second because I was not trying to DDoS anyone.

Metric                            Number
Bucket permutations checked       4,200
Valid .tfstate files found        912
Parseable JSON                    847
Live AWS key pairs                41
Azure Service Principal secrets   12
GCP service account keys          3

I spot-checked 5 AWS keys and all of them were valid. One belonged to a healthcare company with 2 million patient records. Another belonged to a fintech processing $400M a year. I checked they worked with aws sts get-caller-identity and then I closed the terminal.

What I built instead of reporting

None of these companies had a security contact. I tried security@, abuse@, and support@. They all bounced or sent auto-responders.

I could have reported to AWS Abuse but they just suspend accounts with no remediation path. The company wakes up to a dead AWS account and no idea why. That does not help anyone fix anything.

So I built something else instead.

I made terraform-state-guardian, a free GitHub Action that catches this before it happens. It scans your repo history for committed .tfstate files using git log --all -- '*.tfstate' (history rather than the working tree, because a state file deleted in a later commit is still present in every clone). It checks if your S3 backend bucket is publicly listable. It validates that terraform { backend "s3" { encrypt = true } } is actually set. And it fails the CI build if state files are committed or encryption is missing. One caveat the encryption check cannot fix for you: encrypt = true on its own means SSE-S3, and S3 decrypts transparently for anyone the bucket policy lets read, so it does nothing against a public bucket. The controls that actually close the door are Block Public Access on the bucket and a kms_key_id, so that reading the state also requires kms:Decrypt.
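Two of the three checks described above can be exercised offline, and the example below does so. It is added for this page and is not terraform-state-guardian's code: check_backend inspects the backend "s3" block of a .tf file for encrypt = true and, going one step past the action as described, for a kms_key_id; bucket_is_public evaluates the JSON shapes that aws s3api get-public-access-block and get-bucket-policy return to decide whether anonymous callers can read or list the bucket. The backend configurations, the public access block and the bucket policy are all constructed inputs; ACL-based public grants are a separate path the function deliberately does not model.

```python
import re
from fnmatch import fnmatchcase

# Constructed inputs (not from any real repository or account).
TF_WEAK = '''
terraform {
  backend "s3" {
    bucket = "acme-terraform"
    key    = "prod/terraform.tfstate"
    region = "us-east-1"
  }
}
'''
TF_HARDENED = '''
terraform {
  backend "s3" {
    bucket     = "acme-terraform"
    key        = "prod/terraform.tfstate"
    region     = "us-east-1"
    encrypt    = true
    kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}
'''
# Shape of PublicAccessBlockConfiguration from get-public-access-block.
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {name: True for name in PAB_OFF}
# A bucket policy that makes state world-readable and world-listable.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::acme-terraform", "arn:aws:s3:::acme-terraform/*"],
    }],
}

BACKEND_BLOCK = re.compile(r'backend\s+"s3"\s*\{(?P<body>[^}]*)\}')


def _has_setting(body, name, value=None):
    """True if `name = value` (or `name = <anything>`) appears on its own line."""
    pattern = rf'^\s*{name}\s*=\s*' + (re.escape(value) if value else r'\S')
    return re.search(pattern, body, re.MULTILINE) is not None


def check_backend(tf_text):
    """Return findings for the terraform { backend "s3" {...} } block."""
    match = BACKEND_BLOCK.search(tf_text)
    if not match:
        return ["no s3 backend: state is local and one git add away from the repo"]
    body = match.group("body")
    findings = []
    if not _has_setting(body, "encrypt", "true"):
        findings.append("encrypt = true missing: state written without server-side encryption")
    if not _has_setting(body, "kms_key_id"):
        findings.append("kms_key_id missing: SSE-S3 decrypts for any reader the bucket "
                        "policy allows; SSE-KMS also requires kms:Decrypt")
    return findings


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def bucket_is_public(public_access_block, policy):
    """Return (is_public, reasons) for policy-based anonymous read or list access.

    RestrictPublicBuckets makes S3 ignore public policy statements outright,
    so it short-circuits the evaluation. Statements carrying a Condition are
    reported for manual review rather than counted as public.
    """
    if (public_access_block or {}).get("RestrictPublicBuckets"):
        return False, ["RestrictPublicBuckets is on: public policy statements are ignored"]
    reasons = []
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            reasons.append("anonymous Allow with a Condition: review it by hand")
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for wanted in ("s3:GetObject", "s3:ListBucket"):
            if any(fnmatchcase(wanted, pattern) for pattern in actions):
                reasons.append(f"anonymous {wanted} allowed by bucket policy")
    return any(r.startswith("anonymous s3:") for r in reasons), reasons


if __name__ == "__main__":
    print(check_backend(TF_WEAK))
    print(bucket_is_public(PAB_OFF, PUBLIC_POLICY))
```

In a CI job the policy and public access block would come from the two aws s3api calls named above; failing the build on either a non-empty finding list or is_public being true is the whole gate.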

I open-sourced it and it got 3,400 stars in a week.

The healthcare company, the one with 2 million patient records, found it on GitHub and ran it. They discovered 6 other exposed buckets I had not even hit. They emailed me a thank-you. No bounty came out of it. They just fixed it and said thanks. I will take that.

The thing that still bugs me

AWS does not tell you when your bucket is being scanned. I hit 4,200 bucket permutations and nobody got an alert. Out of the box, CloudTrail records management events only, so an anonymous HEAD or GET against an object in your bucket is not logged unless you turn on S3 data events or S3 server access logging, and a probe against a bucket name that does not exist lands in nobody's account at all. There is no GuardDuty signal for repeated HEAD requests on .tfstate files. You only find out when someone worse than me finds it first.
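If S3 server access logging is on for the bucket, the probes do leave a trace: every request is recorded, unauthenticated ones with "-" in the requester field, including the 403s and 404s a scanner mostly collects. The example below is added here, not code from the article, and shows the detection you would run over those logs. The log lines are constructed in the documented field order (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request URI", HTTP status, error code, and so on); the parser only needs that prefix. It groups .tfstate requests by source IP and flags an address that made several unauthenticated attempts or, worse, got a 200 from one of them.

```python
import re
from collections import defaultdict

# Constructed S3 server access log lines (not from any real bucket). One
# anonymous source probes several state keys and eventually reads one; a
# CI runner then reads the same key with credentials, which is normal.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaccc2a1b3a8a5e9d9f7f38 acme-terraform [10/Mar/2026:14:02:11 +0000] 203.0.113.7 - 3E57427F33A59F07 REST.HEAD.OBJECT terraform.tfstate "HEAD /acme-terraform/terraform.tfstate HTTP/1.1" 403 AccessDenied - - 9 - "-" "tfstate-scanner/1.0" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaccc2a1b3a8a5e9d9f7f38 acme-terraform [10/Mar/2026:14:02:12 +0000] 203.0.113.7 - 3E57427F33A59F08 REST.HEAD.OBJECT prod/terraform.tfstate "HEAD /acme-terraform/prod/terraform.tfstate HTTP/1.1" 404 NoSuchKey - - 8 - "-" "tfstate-scanner/1.0" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaccc2a1b3a8a5e9d9f7f38 acme-terraform [10/Mar/2026:14:02:12 +0000] 203.0.113.7 - 3E57427F33A59F09 REST.HEAD.OBJECT infra/terraform.tfstate "HEAD /acme-terraform/infra/terraform.tfstate HTTP/1.1" 200 - - 48211 11 9 "-" "tfstate-scanner/1.0" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaccc2a1b3a8a5e9d9f7f38 acme-terraform [10/Mar/2026:14:02:13 +0000] 203.0.113.7 - 3E57427F33A59F0A REST.GET.OBJECT infra/terraform.tfstate "GET /acme-terraform/infra/terraform.tfstate HTTP/1.1" 200 - 48211 48211 31 12 "-" "tfstate-scanner/1.0" -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaccc2a1b3a8a5e9d9f7f38 acme-terraform [10/Mar/2026:14:05:40 +0000] 198.51.100.9 arn:aws:iam::123456789012:user/ci-runner 3E57427F33A59F0B REST.GET.OBJECT infra/terraform.tfstate "GET /acme-terraform/infra/terraform.tfstate HTTP/1.1" 200 - 48211 48211 29 10 "-" "aws-sdk-go/1.44" -
"""

# Leading fields of a server access log record; later fields are ignored.
LOG_LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)')


def parse_line(line):
    """Return the parsed prefix of one log record, or None if it is not one."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def detect_state_probes(log_text, min_probes=3):
    """Group .tfstate object requests by source IP and flag likely scanners.

    An IP is flagged when it made at least `min_probes` unauthenticated
    requests for .tfstate keys (misses count, since a scanner mostly
    misses) or when any unauthenticated request succeeded, which means a
    state file is actually exposed. Authenticated reads are tallied but
    never flagged on their own.
    """
    by_ip = defaultdict(lambda: {"probes": 0, "anonymous_hits": [], "authenticated": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["key"].endswith(".tfstate"):
            continue
        if rec["operation"] not in ("REST.HEAD.OBJECT", "REST.GET.OBJECT"):
            continue
        stats = by_ip[rec["ip"]]
        if rec["requester"] != "-":
            stats["authenticated"] += 1
            continue
        stats["probes"] += 1
        if rec["status"] == "200":
            stats["anonymous_hits"].append(rec["key"])
    return {ip: s for ip, s in by_ip.items()
            if s["probes"] >= min_probes or s["anonymous_hits"]}


if __name__ == "__main__":
    for ip, stats in detect_state_probes(SAMPLE_LOG).items():
        print(ip, stats)
```

The anonymous 200s are the line that matters: a 403 tells you someone is looking, a 200 on a .tfstate key tells you they already have it. Server access log delivery is best effort and delayed, so this is a review job or a batch alert, not a real-time control; Block Public Access is what keeps the 200 from happening in the first place.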

Tagged: AWS, Security, Terraform
