S3 state backend without encryption
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A backend "s3" block does not set encrypt = true, so the remote state object, which typically holds secrets, is written without server-side encryption enforced by Terraform.
Why it matters
A backend "s3" block without encrypt = true does not enforce server-side encryption on the remote state object. Because state stores secrets in clear text, an unencrypted state object exposes them to anyone who can read the bucket or a backup of it. Enabling encryption is a one-line change.
How to fix it
Add encrypt = true to the S3 backend block, and set a kms_key_id for a customer-managed key when you want auditable, revocable access to state. Lock down the state bucket with a restrictive policy and a public access block, and enable versioning on it. Combine with DynamoDB locking to prevent concurrent-write corruption.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo