Severity: critical | CWE-284 | OWASP A05:2021

S3 Bucket Public Access

Your S3 bucket is publicly readable due to a public ACL, disabled Block Public Access settings, or a wildcard bucket policy — anyone on the internet can list and download your files.

How It Works

AWS S3 buckets are private by default, but a single misconfiguration makes them world-readable. This can happen via a public ACL on the bucket or individual objects, a bucket policy with Principal: '*', or disabling the Block Public Access account-level setting. Automated scanners discover public buckets within hours. The result: every file you've ever uploaded is downloadable by anyone.

Vulnerable Code

// BAD: bucket created with public-read ACL (Terraform)
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "public-read"  // makes all objects publicly readable
}

// Also BAD: disabling block public access
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = false  // allows public ACLs
  block_public_policy     = false  // allows public bucket policies
}

Secure Code

// GOOD: enforce private access and block all public access
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

// Use pre-signed URLs to grant temporary access to specific objects

Real-World Example

In 2019, Capital One had 100 million customer records exposed from an S3 bucket via an SSRF vulnerability — but the underlying issue was that the bucket was accessible from an EC2 instance with excessive permissions. In 2020, Twitch's source code leak was partially attributed to misconfigured S3 buckets. Public S3 buckets have exposed data from hundreds of major companies.

How to Prevent It

  • Enable S3 Block Public Access at the AWS account level — this prevents any bucket from being made public
  • Never use public-read or public-read-write ACLs — use pre-signed URLs for temporary object access instead
  • Audit bucket policies for Principal: '*', which grants access to anyone
  • Enable AWS S3 server access logging and CloudTrail to detect unauthorized access
  • Use AWS Config rule s3-bucket-public-read-prohibited to continuously monitor for public buckets
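The three exposure paths described under "How It Works" and the audit and monitoring bullets above can be checked offline. The following script is an added example, not code from the original page or from Data Hogo: it re-implements, in simplified form, the evaluation that AWS Block Public Access and the Config rule s3-bucket-public-read-prohibited perform, taking the bucket's ACL grants, its policy document and its public access block settings as plain Python data. The grantee URIs are the real S3 group URIs; the set of "restricting" condition keys, the sample ACL, the sample policies and the placeholder IDs are assumptions constructed for the example.

```python
"""Offline check for whether an S3 bucket is effectively public.

Added example, not part of the original page. It models the AWS public-access
semantics: IgnorePublicAcls neutralises existing public ACL grants and
RestrictPublicBuckets neutralises a public bucket policy; BlockPublicAcls and
BlockPublicPolicy only stop new public settings from being written.
"""
import json

# Real S3 group grantee URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

# Condition keys that pin a wildcard principal to a specific source. A
# statement carrying one of them is treated as not public. This subset is an
# assumption of this example, not the complete AWS definition.
RESTRICTING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:vpcsourceip",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:userid",
}


def _principal_is_wildcard(principal):
    """True for Principal: "*" or Principal: {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def _condition_restricts(condition):
    """True if any condition key (case-insensitive) limits the caller's origin."""
    for operator_args in (condition or {}).values():
        if any(key.lower() in RESTRICTING_KEYS for key in operator_args):
            return True
    return False


def public_policy_statements(policy):
    """Return Sids (or positional labels) of Allow statements open to anyone."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be bare
        statements = [statements]
    return [
        st.get("Sid", f"statement[{i}]")
        for i, st in enumerate(statements)
        if st.get("Effect") == "Allow"
        and _principal_is_wildcard(st.get("Principal"))
        and not _condition_restricts(st.get("Condition"))
    ]


def public_acl_grants(grants):
    """Return (grantee URI, permission) pairs that give everyone read access."""
    return [
        (g["Grantee"].get("URI"), g["Permission"])
        for g in grants
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
        and g["Permission"] in READ_PERMISSIONS
    ]


def assess_bucket(acl_grants, policy, public_access_block):
    """Combine ACL, policy and Block Public Access into a list of findings.

    public_access_block uses the four snake_case keys of the Terraform
    resource shown on the page; a missing key is treated as disabled.
    """
    pab = public_access_block
    findings = []
    acl_hits = public_acl_grants(acl_grants)
    if acl_hits and not pab.get("ignore_public_acls", False):
        findings.append(f"public ACL grants honoured: {acl_hits}")
    policy_hits = public_policy_statements(policy) if policy else []
    if policy_hits and not pab.get("restrict_public_buckets", False):
        findings.append(f"public policy statements honoured: {policy_hits}")
    for key in ("block_public_acls", "block_public_policy",
                "ignore_public_acls", "restrict_public_buckets"):
        if not pab.get(key, False):
            findings.append(f"Block Public Access setting {key} is disabled")
    return findings


# Constructed sample inputs (no real bucket): the page's "before" and "after".
PUBLIC_READ_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}
OPEN_PAB = {"block_public_acls": False, "block_public_policy": False,
            "ignore_public_acls": False, "restrict_public_buckets": False}
LOCKED_PAB = {k: True for k in OPEN_PAB}

if __name__ == "__main__":
    print("vulnerable:", assess_bucket(PUBLIC_READ_ACL, WILDCARD_POLICY, OPEN_PAB))
    print("secure:", assess_bucket(PUBLIC_READ_ACL, WILDCARD_POLICY, LOCKED_PAB))
```

Feeding the output of the real API calls (GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock) into assess_bucket gives the same verdict the Config rule would raise; the vulnerable sample yields six findings, the locked-down sample none, and the VPC-endpoint-scoped policy is correctly not reported as public even though its principal is a wildcard.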

Affected Technologies

Node.js, Python

Data Hogo detects this vulnerability automatically.
