Cloud Storage Exposure
Cloud storage buckets (AWS S3, Azure Blob Storage, Google Cloud Storage) are frequently misconfigured to allow public read or write access. Publicly readable buckets expose sensitive files to anyone who knows or guesses the bucket name. Publicly writable buckets allow attackers to upload malware or deface your content and, where the bucket backs a website or CDN, to serve that content from your own domain.
What SecurityStatus Checks
- Whether S3 buckets associated with your domain are publicly accessible
- Whether bucket names follow guessable patterns (company-name-backups, domain-com-assets)
- Whether the bucket policy allows public read or write access
- Whether bucket listing is enabled (allows seeing all files)
Why This Matters
The Capital One breach (about 100 million records) began with a server-side request forgery against a misconfigured web application firewall running on EC2; the attacker obtained the instance's IAM role credentials from the metadata service and used that role's overly broad S3 permissions to download data from the company's buckets. Twitch attributed its 125 GB source-code leak to an error in a server configuration change. These are not isolated incidents: cloud storage misconfigurations, whether a public bucket or an over-privileged role that can read one, are discovered weekly and expose everything from customer databases to internal source code.
How to Fix It
1. Enable Block Public Access at the account level
In AWS: S3 > Block Public Access settings for this account > enable all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets). The account-level setting applies to every bucket in the account and prevents future accidental exposure. Set the same four options on each bucket as well (Permissions > Block public access) so that a bucket stays protected if the account-level switch is ever relaxed.
2. Audit existing bucket policies and ACLs
Use AWS Trusted Advisor or AWS Security Hub to find buckets flagged as public across the account, then verify each bucket directly. Run `aws s3api list-buckets`, and for each bucket run `aws s3api get-bucket-policy-status`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block`. Remove any policy statement whose Principal is `*` (or `{"AWS": "*"}`) without a restrictive Condition, and any ACL grant to the AllUsers or AuthenticatedUsers groups.
3. Disable bucket listing
Never grant s3:ListBucket to Principal `*`, even on otherwise public buckets. Listing lets an attacker enumerate every object in the bucket and pick out the sensitive ones; without it, a public bucket exposes only the keys an attacker can guess.
4. Use presigned URLs for file sharing
Instead of making buckets or files public, generate presigned URLs with a short expiry. A presigned URL grants temporary access to one specific object using the permissions of the credentials that signed it, so nothing is left permanently public. Sign with a least-privilege identity and keep expiries short: anyone who obtains the URL can use it until it expires.
5. Set up AWS CloudTrail and S3 access logging
Enable CloudTrail and S3 server access logging to detect unusual access patterns. By default CloudTrail records only management events (bucket creation, policy and ACL changes); object-level reads and writes appear only if you enable S3 data events on the trail or turn on server access logging. Alert on high-volume downloads and on object access from any IP that is not one of your application servers.
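The audit in steps 2 and 3 comes down to reading three documents per bucket and asking the same questions of each. The following is an added example for this guide, not SecurityStatus code: it evaluates a bucket policy, a bucket ACL and the Block Public Access configuration for public read, write and listing. The three sample documents are constructed for a hypothetical bucket named example-com-assets, in the JSON shapes returned by `aws s3api get-bucket-policy` (after decoding its "Policy" string), `get-bucket-acl` and `get-public-access-block`, so the same functions can be pointed at real output.

```python
"""Audit an S3 bucket's policy, ACL and Block Public Access settings for public exposure.

Added example for this guide, not SecurityStatus code. The sample documents below are
constructed for a hypothetical bucket "example-com-assets".
"""
import fnmatch
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access switches; all must be true at account and bucket level.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (alone or in a list) means everyone, signed in or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_actions(policy):
    """Split Allow-to-everyone grants into unconditional ones (public) and ones carrying a
    Condition (e.g. aws:SourceVpce, aws:SourceIp), which scope the grant and need review."""
    public, review = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        target = review if stmt.get("Condition") else public
        target.update(action.lower() for action in _as_list(stmt.get("Action", [])))
    return public, review


def action_granted(granted, wanted):
    """True if any granted pattern ('s3:getobject', 's3:get*', 's3:*', '*') covers wanted."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pattern) for pattern in granted)


def acl_public_grants(acl):
    """(group, permission) pairs granted to AllUsers/AuthenticatedUsers in a bucket ACL.
    On a bucket ACL, READ means list objects and WRITE means create/overwrite/delete them."""
    return [
        (grant["Grantee"]["URI"].rsplit("/", 1)[-1], grant["Permission"])
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_ACL_GROUPS
    ]


def block_public_access_gaps(config):
    """Names of Block Public Access switches that are off, or missing from the config."""
    return [flag for flag in BPA_FLAGS if not config.get(flag)]


def audit_bucket(name, policy, acl, bpa_config):
    public, review = public_policy_actions(policy)
    acl_grants = acl_public_grants(acl)
    acl_perms = {perm for _, perm in acl_grants}
    return {
        "bucket": name,
        "public_read": action_granted(public, "s3:GetObject"),
        "public_listing": action_granted(public, "s3:ListBucket") or bool(acl_perms & {"READ", "FULL_CONTROL"}),
        "public_write": action_granted(public, "s3:PutObject") or bool(acl_perms & {"WRITE", "FULL_CONTROL"}),
        "conditional_public_actions": sorted(review),
        "public_acl_grants": acl_grants,
        "block_public_access_gaps": block_public_access_gaps(bpa_config),
    }


# --- constructed sample documents (hypothetical bucket, hypothetical VPC endpoint id) ---
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadAndList", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-com-assets", "arn:aws:s3:::example-com-assets/*"]},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-com-assets/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0000000000example"}}},
    ],
}
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("example-com-assets", SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_BPA), indent=2))
```

For the sample bucket the report shows public read and public listing (the unconditional `Principal: "*"` statement plus the AllUsers READ grant), no public write, one conditioned grant to review (the VPC-endpoint-scoped s3:PutObject), and two Block Public Access switches still off. Note that `get-bucket-policy` returns no document at all when a bucket has no policy, and `get-public-access-block` errors when no configuration has been set; treat both as an empty dict, which this code already reports as every switch missing.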
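Step 5 only pays off if something reads the logs. The following is an added example for this guide, not SecurityStatus code: it parses S3 server access log records and raises two findings, any bucket listing by an anonymous requester, and successful object downloads from an IP outside your application network that exceed an object-count or byte threshold. The log lines are constructed in the S3 server access log layout (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request-URI", HTTP status, error code, bytes sent, object size, and further fields that are not parsed here); the trusted CIDR, thresholds, bucket name and request IDs are assumptions to adjust for your environment.

```python
"""Flag anonymous listing and bulk downloads in S3 server access logs.

Added example for this guide, not SecurityStatus code. SAMPLE_LOG is constructed;
the trusted network and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Leading fields of an S3 server access log record; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" '
    r'(?P<status>\S+) (?P<error>\S+) (?P<bytes>\S+) (?P<size>\S+)'
)


def parse_line(line):
    """Return the leading fields of one record as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body sent
    return rec


def detect(lines, trusted_cidrs, max_objects=3, max_bytes=100 * 1024 * 1024):
    """Findings: every listing (REST.GET.BUCKET) by an anonymous requester ("-"), and any
    untrusted IP whose successful object downloads reach max_objects or max_bytes."""
    nets = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    per_ip = defaultdict(lambda: {"objects": 0, "bytes": 0})
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        trusted = any(ipaddress.ip_address(rec["ip"]) in net for net in nets)
        if rec["operation"] == "REST.GET.BUCKET" and rec["requester"] == "-":
            findings.append({"type": "anonymous_listing", "ip": rec["ip"], "status": rec["status"]})
        if rec["operation"] == "REST.GET.OBJECT" and rec["status"] == "200" and not trusted:
            per_ip[rec["ip"]]["objects"] += 1
            per_ip[rec["ip"]]["bytes"] += rec["bytes"]
    for ip, stats in per_ip.items():
        if stats["objects"] >= max_objects or stats["bytes"] >= max_bytes:
            findings.append({"type": "bulk_download", "ip": ip, **stats})
    return findings


# Constructed records: an application server with an IAM role, an anonymous client that
# lists the bucket and then pulls three objects, and a denied request from a third IP.
SAMPLE_LOG = [
    'owner-canonical-id example-com-backups [12/Mar/2024:10:15:01 +0000] 10.0.1.5 arn:aws:sts::123456789012:assumed-role/app-server/i-0abc 1A2B3C4D5E6F7G8H REST.GET.OBJECT db/2024-03-11.sql.gz "GET /db/2024-03-11.sql.gz HTTP/1.1" 200 - 52428800 52428800 900 12 "-" "aws-sdk-go/1.50" -',
    'owner-canonical-id example-com-backups [12/Mar/2024:10:17:42 +0000] 198.51.100.7 - 2B3C4D5E6F7G8H9I REST.GET.BUCKET - "GET /example-com-backups?list-type=2 HTTP/1.1" 200 - 4096 - 20 18 "-" "python-requests/2.31.0" -',
    'owner-canonical-id example-com-backups [12/Mar/2024:10:17:50 +0000] 198.51.100.7 - 3C4D5E6F7G8H9I0J REST.GET.OBJECT db/2024-03-11.sql.gz "GET /db/2024-03-11.sql.gz HTTP/1.1" 200 - 52428800 52428800 1500 20 "-" "python-requests/2.31.0" -',
    'owner-canonical-id example-com-backups [12/Mar/2024:10:18:31 +0000] 198.51.100.7 - 4D5E6F7G8H9I0J1K REST.GET.OBJECT db/2024-03-10.sql.gz "GET /db/2024-03-10.sql.gz HTTP/1.1" 200 - 52428800 52428800 1480 19 "-" "python-requests/2.31.0" -',
    'owner-canonical-id example-com-backups [12/Mar/2024:10:18:33 +0000] 198.51.100.7 - 5E6F7G8H9I0J1K2L REST.GET.OBJECT config/.env "GET /config/.env HTTP/1.1" 200 - 812 812 11 9 "-" "python-requests/2.31.0" -',
    'owner-canonical-id example-com-backups [12/Mar/2024:10:20:05 +0000] 203.0.113.9 - 6F7G8H9I0J1K2L3M REST.GET.OBJECT db/2024-03-09.sql.gz "GET /db/2024-03-09.sql.gz HTTP/1.1" 403 AccessDenied - 52428800 5 3 "-" "curl/8.4.0" -',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, ["10.0.0.0/16"]):
        print(finding)
```

Against the sample, the application server's download is ignored as trusted, the 403 from 203.0.113.9 is not counted, and 198.51.100.7 produces both findings: an anonymous listing followed by three objects (about 100 MB) downloaded without credentials. In practice server access logs are delivered to a separate logging bucket with a delay of up to a few hours and on a best-effort basis, so for near-real-time alerting pair this with CloudTrail S3 data events; the two signals are the same.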
Frequently Asked Questions
What if I need some files to be publicly accessible?
Are Azure Blob containers and GCS buckets the same risk?
Can I detect if my bucket was accessed?
Check Your Domain Now
Run all 38 security checks including Cloud Storage Exposure and get your domain's security grade in under 2 minutes.