Expected Findings
- S3 bucket policy allows `s3:ListBucket` and `s3:GetObject` to `*`.
- `terraform.tfstate` contains resource attributes including database passwords.
- State file outputs leak production hostnames and IAM role ARNs.
An S3 bucket holding Terraform state is configured for public read, so the state file's resources, outputs, and inline secrets are listable and downloadable.
CWE-538, CWE-200
```json
{"Effect":"Allow","Principal":"*","Action":["s3:GetObject","s3:ListBucket"]}
```
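The following is an added example, not part of the original finding, showing how a reviewer can detect this misconfiguration from the bucket policy alone: it parses a policy document, finds `Allow` statements whose `Principal` is anonymous (`"*"` or `{"AWS":"*"}`), and reports which of `s3:GetObject` / `s3:ListBucket` they expose, including through wildcards such as `s3:*`. Both sample policies, the `Sid` values, the bucket name and the role ARN are constructed placeholders; the public one reproduces the statement shown above, the second shows the same grant restricted to a single Terraform CI role.

```python
import fnmatch
import json

# Actions that make Terraform state listable and downloadable when granted to everyone.
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket")

# Constructed sample: the public-read policy from the finding, with a placeholder bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::EXAMPLE-STATE-BUCKET",
                     "arn:aws:s3:::EXAMPLE-STATE-BUCKET/*"],
    }],
})

# Constructed sample: the same grant limited to one IAM role (placeholder account/role).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TerraformStateAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/terraform-ci"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::EXAMPLE-STATE-BUCKET",
                     "arn:aws:s3:::EXAMPLE-STATE-BUCKET/*"],
    }],
})


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_sensitive_actions(statement):
    """Return the sensitive actions one statement exposes to anonymous callers.

    Assumption: a statement carrying a Condition is not flagged here, since whether
    the condition actually limits access needs separate review.
    """
    if statement.get("Effect") != "Allow":
        return []
    if not principal_is_anonymous(statement.get("Principal")):
        return []
    if statement.get("Condition"):
        return []
    patterns = _as_list(statement.get("Action", []))
    # Match case-insensitively so "s3:*", "S3:GetObject" and "*" are all caught.
    return sorted(
        action for action in SENSITIVE_ACTIONS
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    )


def audit_policy(policy_json):
    """Parse a bucket policy and map each offending Sid (or index) to its exposed actions."""
    document = json.loads(policy_json)
    findings = {}
    for index, statement in enumerate(_as_list(document.get("Statement", []))):
        exposed = public_sensitive_actions(statement)
        if exposed:
            findings[statement.get("Sid", f"statement[{index}]")] = exposed
    return findings


if __name__ == "__main__":
    print("public policy:    ", audit_policy(PUBLIC_POLICY))
    print("restricted policy:", audit_policy(RESTRICTED_POLICY))
```

The check runs offline on the policy document (for example the output of `aws s3api get-bucket-policy`), so it fits a pre-deploy review of the Terraform backend bucket; scoping the principal to the CI role as in `RESTRICTED_POLICY` is the fix the finding calls for, and bucket-level Block Public Access settings stop a wildcard principal from being attached in the first place.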