{"slug": "i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws", "title": "I found 900 S3 buckets exposing Terraform state files. 41 had live AWS credentials.", "summary": "A security researcher discovered 900 publicly accessible S3 buckets containing Terraform state files, 41 of which exposed live AWS credentials, after running a custom scanner for 72 hours on a $20 VPS. The exposed credentials included keys belonging to a healthcare company with 2 million patient records and a fintech firm processing $400 million annually. The researcher could not find security contacts at any of the affected companies and instead built an open-source GitHub Action to help organizations detect and prevent such exposures.", "body_md": "# I found 900 S3 buckets exposing Terraform state files. 41 had live AWS credentials.\n\nPiyush Gupta. Last updated: 2026/05/25 at 11:39 AM\n\n$20 VPS. 72 hours. 900 buckets. 40 live AWS keys.\n\n(Screenshot is an AI-generated recreation for illustration. No real credentials are shown.)\n\nI built a scanner that guesses S3 bucket names and looks for `.tfstate` files. Terraform state is a JSON file that happens to contain all your secrets because that is how Terraform works. I ran it for three days on a cheap VPS and found 900 state files. 40 of them had raw AWS keys sitting in plaintext. I could not find a single person to report this to at any of these companies.\n\n## Why I even started this\n\nI got into bug bounty last year and kept hitting walls. Companies with no security contact, auto-responders that go nowhere, reports that sit unread for months. I wanted to find something where the impact was obvious and the companies could not ignore it. Terraform state files kept coming up in writeups. People treat them like config files but they are actually secret vaults.\n\nBy default, `terraform.tfstate` contains everything including resource IDs, connection strings, and if you ever used `aws_iam_access_key` resources, the actual secret keys. Terraform warns you about this but nobody reads warnings.\n\n## How my scanner works\n\nI call it tfstate-scanner.\n\nThe seed wordlist comes from Crunchbase company names, DNS certificate transparency logs, and GitHub repo names. Then it permutes them into common patterns like `{name}-terraform`, `{name}-tfstate`, `{name}-infrastructure`, and `{name}-devops`.\n\nIt checks if `{permutation}.s3.amazonaws.com` resolves and if it does, it sends a HEAD request to `/{permutation}/terraform.tfstate`. If that returns 200, it parses the JSON for `aws_access_key_id`, `password`, `private_key`, and `connection_string`.\n\nThat is the whole thing. It only looks at what is already public.\n\n## When I ran it\n\nI ran it for 72 hours on a $20 per month VPS. I kept it at 10 requests per second because I was not trying to DDoS anyone.\n\n| Metric | Number |\n| --- | --- |\n| Bucket permutations checked | 4,200 |\n| Valid .tfstate files found | 912 |\n| Parseable JSON | 847 |\n| Live AWS key pairs | 41 |\n| Azure Service Principal secrets | 12 |\n| GCP service account keys | 3 |\n\nI spot-checked 5 AWS keys and all of them were valid. One belonged to a healthcare company with 2 million patient records. Another belonged to a fintech processing $400M a year. I checked they worked with `aws sts get-caller-identity` and then I closed the terminal.\n\n## What I built instead of reporting\n\nNone of these companies had a security contact. I tried security@, abuse@, and support@. They all bounced or sent auto-responders.\n\nI could have reported to AWS Abuse but they just suspend accounts with no remediation path. The company wakes up to a dead AWS account and no idea why. That does not help anyone fix anything.\n\nSo I built something else instead.\n\nI made terraform-state-guardian, a free GitHub Action that catches this before it happens. It scans your repo history for committed `.tfstate` files using `git log --all -- '*.tfstate'`. It checks if your S3 backend bucket is publicly listable. It validates that `terraform { backend \"s3\" { encrypt = true } }` is actually set. And it fails the CI build if state files are committed or encryption is missing.\n\nI open-sourced it and it got 3,400 stars in a week.\n\nThe healthcare company, the one with 2 million patient records, found it on GitHub and ran it. They discovered 6 other exposed buckets I had not even hit. They emailed me a thank-you. No bounty came out of it. They just fixed it and said thanks. I will take that.\n\n## The thing that still bugs me\n\nAWS does not tell you when your bucket is being scanned. I hit 4,200 bucket permutations and nobody got an alert. There is no CloudTrail event for someone checking if your bucket exists. There is no GuardDuty signal for repeated HEAD requests on `.tfstate` files. You only find out when someone worse than me finds it first.\n\nTagged: AWS, Security, Terraform\n", "url": "https://wpnews.pro/news/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws", "canonical_source": "https://vechron.com/2026/05/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws-credentials/", "published_at": "2026-05-05 06:08:00+00:00", "updated_at": "2026-05-26 11:41:32.459060+00:00", "lang": "en", "topics": ["ai-infrastructure", "ai-safety", "ai-policy"], "entities": ["Terraform", "AWS", "Crunchbase", "GitHub", "Piyush Gupta"], "alternates": {"html": "https://wpnews.pro/news/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws", "markdown": "https://wpnews.pro/news/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws.md", "text": "https://wpnews.pro/news/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws.txt", "jsonld": "https://wpnews.pro/news/i-found-900-s3-buckets-exposing-terraform-state-files-41-had-live-aws.jsonld"}}