Will It Vibe logoWill It Vibe?
TF-029Medium severity-8 points

S3 state backend without encryption

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A backend "s3" block does not set encrypt = true, so the remote state object, which typically holds secrets, is written without server-side encryption enforced by Terraform.

Why it matters

A backend "s3" block without encrypt = true does not enforce server-side encryption on the remote state object. Because state stores secrets in clear text, an unencrypted state object exposes them to anyone who can read the bucket or a backup of it. Enabling encryption is a one-line change.

How to fix it

Add encrypt = true to the S3 backend block, and set a kms_key_id for a customer-managed key when you want auditable, revocable access to state. Lock down the state bucket with a restrictive policy and a public access block, and enable versioning on it. Combine with DynamoDB locking to prevent concurrent-write corruption.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks