In 2025, more than 1 in 5 cloud breaches began with an exposed S3 bucket. In fact, a leading cybersecurity report cites that 23% of major cloud breaches occur due to misconfiguration of public cloud storages. A Cloud Security Alliance (CSA) report found that 21% of publicly exposed S3 buckets contained sensitive data, including PII, financial records, and medical information. Let me walk through you to an incident reported by Security Daily Review, which will signify the importance of securing unprotected or public s3 bucket-
Incident: Threat actors exploited misconfigured AWS cloud instances and sensitive data stored in their unprotected S3 bucket, such as credentials and API keys, which are enough to create havoc.
Malicious Actors: The blog pointed out that the responsible groups behind it were Nemesis and ShinyHunters hackers groups.
Impact: Sensitive and confidential data contained in millions of websites were revealed, which also included login credentials, source code, and infrastructure secrets.
Considering the importance of securing your S3 buckets, we, at Cy5, created a crisp and stealthy DIY document, 15-min AWS Cloud Posture Check, allowing you to check the security parameters and exposures of AWS clouds. Taking a cue from the same document, here, in this blog, we are going to walk through simple commands to find exposed public S3 buckets and secure them.
You May Check: Top 5 Strategies to Minimize Cloud Attack Surface in 2025
Why S3 Bucket Exposure Happens
Common misconfigurations leading to such a scenario are –
- ACL grants AllUsers or AuthenticatedUsers READ.
- Bucket policy allows Principal:”*” with Action:”s3:GetObject” and Condition left empty.
- Block Public Access disabled at account or bucket level.
- Replication from a secure bucket to a new, unsecured destination.
Also Read: Cloud Security Best Practices for 2025
10-Min Public S3 Bucket Security Audit Workflow
The following is a step-by-step workflow curated with the help of Cy5’s DIY – 15-Min AWS Cloud Posture Check. This workflow will help you to nitpick minute gaps that could lead to humungous security breaches.
Step 1: List Every Bucket
bash
aws s3api list-buckets --query 'Buckets[].Name' --output textStore the names in a temp file for quick looping.
Step 2 – Flag Buckets With Public ACLs
Loop through each name and test the ACL for the dangerous global group:
bash
while read bucket; do
if aws s3api get-bucket-acl --bucket "$bucket" \
--query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`]' \
--output text | grep -q 'READ'; then
echo "⚠️ PUBLIC ACL: $bucket"
fi
done < bucket-list.txtThe query targets the AllUsers URI, instantly surfacing READ or WRITE exposure.
Step 3 – Catch Policy-Based Exposure
Objects may still leak via a permissive bucket policy even if ACLs look fine:
bash
aws s3api get-bucket-policy --bucket "$bucket" --query 'Policy' --output text \
| jq '.Statement[] | select(.Principal=="*" and .Effect=="Allow")' \
| grep -q '"s3:GetObject"' && echo "⚠️ PUBLIC POLICY: $bucket"Step 4 – Verify Account-Level Block Public Access
bash
aws s3control get-public-access-block \
--account-id $(aws sts get-caller-identity --query Account --output text) \
--query "PublicAccessBlockConfiguration"Every field should return true. Anything less is an open invitation.
Step 5 – One-Command Remediation
bash
aws s3api put-public-access-block \
--bucket "$bucket" \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=trueLoop through every flagged bucket to close gaps at scale.
Relevant Read: Vulnerability Management in Cloud Security: A Complete Guide for 2025
Going Further: Cy5’s ion Cloud Security Platform
AWS Config Rules
Enable s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited. Non-compliant buckets surface in the dashboard within minutes.
CloudWatch Alarms for Risky API Calls
bash
Metric: AWS/S3 → BucketLevelOperations → PutBucketAcl
Alarm: threshold ≥1 within 5 minutes
Action: SNS notification to SecOpsBehavior-Based Correlation
A simple rule inspired by the Cy5 checklist :
python
if bucket_public and data_transfer_gb > 10:
risk = "CRITICAL"Trigger an incident response workflow the moment an attacker starts mass-exfiltrating data.
Common Pitfalls to Avoid
- Presigned URLs linger. Use short expiries and revoke leaked URLs by rotating the object’s key.
- Cross-account sharing gone rogue. Always scope ARN principals tightly.
- Terraform drift. Add prevent_destroy and run policy diff tools in CI to catch accidental exposure.
Scaling the Audit Enterprise-Wide
- AWS Organizations & SCPs – Deny any S3 operation that changes public-access settings except from an approved admin role.
- Delegated Admin Accounts – Centralize Config and GuardDuty so every new child account inherits the guardrails automatically.
Tag-Driven Exceptions – If a bucket must be public (e.g., static website), tag it purpose=public-site and scope SCP exclusions by tag to prevent blanket blocks.
A Crucial Topic to Explore: How to Use Entity-Driven Analytics for Threat Detection
Compliance & Encryption Tie-Ins
Regulations like GDPR and HIPAA lean heavily on encryption-at-rest:
bash
aws s3api get-bucket-encryption --bucket "$bucket" || echo "❌ NO ENCRYPTION"Pair that with RDS (StorageEncrypted flag) and EBS volume checks to keep auditors happy.
Proactive Identity Hardening
Leaked buckets often coincide with overprivileged IAM users. Run a quick admin-rights sweep:
bash
aws iam list-roles --query 'Roles[?contains(Path,`/`)].RoleName' --output text \
| while read role; do
aws iam list-attached-role-policies --role-name "$role" --output text \
| grep -q AdministratorAccess" && echo "⚠️ ADMIN ROLE: $role"
doneThen prune or split broad roles into least-privilege policies.
Have You Heard About? New CERT-In Guidelines 2025: Key Takeaways for Cloud Security Compliance
Download the Full 15-Minute Cloud Exposure Checklist
Ready to cover S3 and databases, EKS, IAM, encryption, and logging? Grab Cy5’s expert community-prepared DIY – 15-Min CLI checks for AWS Cloud Posture, adapted from live audit engagements.
FAQs: Public S3 Buckets in AWS
To make an AWS S3 bucket public for scenarios like static websites, edit the bucket policy to allow “s3:GetObject” for Principal:”*”. Disable Block Public Access settings first. However, for s3 bucket security audit best practices, limit this to specific objects and monitor with AWS Config to avoid risks like data leaks from open s3 buckets.
Access a public AWS S3 bucket via its URL (e.g., http://bucket-name.s3.amazonaws.com/object-key). If configured with AllUsers READ ACL or a public policy, anyone can browse or download objects. Always perform an aws s3 public bucket check to confirm exposure and secure against unauthorized access.
Use AWS CLI: Run aws s3api get-bucket-acl --bucket your-bucket --query 'Grants[?Grantee.URI==http://acs.amazonaws.com/groups/global/AllUsers`]’` to find open s3 buckets. If it returns READ permissions, it’s public. For a full s3 bucket security audit, also verify bucket policies and Block Public Access status.
Go through the following steps-
1. Enable Block Public Access
Run the following AWS CLI command to block all forms of public access:
2. Restrict Bucket Policies
Adjust bucket or object policies to only allow access from trusted IP ranges or AWS principals.
3. Add Encryption
Enable default encryption to protect your data at rest.
No, AWS S3 buckets are private by default with Block Public Access enabled at creation. Misconfigurations like adding AllUsers ACLs or wildcard policies (e.g., 0.0.0.0/0) can expose them, so regular aws s3 public bucket check is essential for maintaining security.
Grant full access by attaching a policy like {“Effect”:”Allow”,”Principal”:”“,”Action”:”s3:“,”Resource”:”arn:aws:s3:::your-bucket/*”}. Use cautiously—opt for least privilege. For s3 bucket security audit, audit with CLI to detect over-permissions and secure public s3 buckets against risks.
Allow external access via a bucket policy with Principal:”*” and Action:”s3:GetObject”, optionally conditioned on IP ranges (not 0.0.0.0/0 for safety). Disable relevant Block Public Access flags. To find open s3 buckets, run periodic checks and monitor for unauthorized external traffic.
For a public object, use the format https://s3.amazonaws.com/your-bucket/object-key. Ensure the bucket policy permits public reads. In an aws s3 public bucket check, verify this doesn’t expose sensitive data—secure with short-lived presigned URLs for controlled sharing.
A basic public access policy: {“Version”:”2012-10-17″,”Statement”:[{“Effect”:”Allow”,”Principal”:”“,”Action”:”s3:GetObject”,”Resource”:”arn:aws:s3:::your-bucket/“}]}. This enables reads from anywhere, but pair it with Block Public Access overrides. For s3 bucket security audit, scan for such policies to mitigate exposure risks.
