criticalInfrastructure

AWS S3 Bucket With Public Access Enabled

What Is This Vulnerability?

An AWS S3 bucket configured with public access allows anyone on the internet to list, read, or even write objects in the bucket. This frequently leads to massive data breaches when sensitive files such as database backups, user records, or internal documents are stored in a bucket that was never intended to be public.

Why It Happens

Developers often set buckets to public during initial development or testing and forget to restrict access before deploying to production. Legacy bucket policies, overly broad ACLs, and confusing AWS console defaults also contribute. Some teams disable the S3 Block Public Access settings at the account level without understanding the consequences.

Example Code

Vulnerablemain.tf
resource "aws_s3_bucket" "data_backup" {
  bucket = "company-data-backup"
}

resource "aws_s3_bucket_acl" "data_backup_acl" {
  bucket = aws_s3_bucket.data_backup.id
  acl    = "public-read"
}
Fixedmain.tf
resource "aws_s3_bucket" "data_backup" {
  bucket = "company-data-backup"
}

resource "aws_s3_bucket_public_access_block" "data_backup_block" {
  bucket = aws_s3_bucket.data_backup.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_acl" "data_backup_acl" {
  bucket = aws_s3_bucket.data_backup.id
  acl    = "private"
}

How Hackers Exploit It

Attackers use automated scanners like BucketFinder or GrayhatWarfare to discover publicly accessible S3 buckets. Once found, they enumerate all objects, download sensitive data such as credentials and PII, or upload malicious files. In some cases, they can modify existing objects to inject malware into software supply chains.

How to Fix It

Enable S3 Block Public Access at both the account and bucket level. Audit all bucket policies and ACLs to ensure no public grants exist. Use AWS Config rules like s3-bucket-public-read-prohibited to continuously monitor for misconfigurations. Apply the principle of least privilege and use IAM policies or pre-signed URLs for controlled access.

Frequently Asked Questions

How do I check if my S3 bucket is public?
Use the AWS CLI command 'aws s3api get-bucket-acl' and 'aws s3api get-bucket-policy' to inspect permissions. AWS also provides the Access Analyzer for S3, which highlights buckets with public or cross-account access. The S3 console shows a warning badge next to public buckets.
Can S3 Block Public Access override existing ACLs?
Yes. When you enable S3 Block Public Access, it overrides any existing ACL or bucket policy that would grant public access. It acts as a guardrail at either the bucket or account level, preventing accidental exposure regardless of individual policy settings.
What data has been leaked from public S3 buckets?
Notable incidents include leaks of voter records, military intelligence files, hospital patient data, and millions of user credentials. Companies like Capital One, Verizon, and the U.S. Department of Defense have all been affected by public S3 bucket misconfigurations.

Related Security Topics

Docker Socket Exposed to Containers

Learn about docker socket exposed to containers and how to fix it.

Admin Panel Accessible Without Authentication

Learn about admin panel accessible without authentication and how to fix it.

Debug Mode Enabled in Production

Learn about debug mode enabled in production and how to fix it.

Check Your Code for This Vulnerability

Run a free scan to check if your site is affected by aws s3 bucket with public access enabled.