Public S3 Buckets and Objects
Description
S3 buckets with public access allow anyone on the internet to list or read objects. Common causes include legacy object ACLs granting AllUsers/AuthenticatedUsers, permissive bucket policies, Access Points with broad policies, and account‑level Block Public Access (BPA) being disabled. Public buckets often expose PII, credentials, logs, and code artifacts.
Examples
Check Block Public Access and ACL/Policy
aws s3api get-public-access-block --bucket <bucket>
aws s3api get-bucket-acl --bucket <bucket>
aws s3api get-bucket-policy-status --bucket <bucket>
aws s3control get-public-access-block --account-id <account-id>
aws s3api get-bucket-ownership-controls --bucket <bucket>
If PublicAccessBlockConfiguration is missing or any of its four flags is false, or the policy status reports IsPublic: true, the bucket may be public. Note that a public ACL or policy is blocked while Block Public Access is fully enabled, so it is a latent rather than live exposure until BPA is switched off.
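The decision rule above can be applied offline to the JSON the three commands return. The following Python script is an added example, not part of the original page or any AWS tooling; it uses a simplified model (an assumption, labelled in the code) of how S3 decides a wildcard-principal statement is "public": an Allow for `*` counts as public unless a condition pins it to a specific org, account, principal, VPC, VPC endpoint or source address. The sample outputs are constructed, not taken from a real account.

```python
import json

# Canned ACL group URIs whose grants make a bucket or object public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Simplified model (assumption) of the S3 "public policy" test: an Allow for a
# wildcard principal is treated as non-public only when one of these keys
# pins it to a specific principal, account, org, VPC, endpoint or address.
NARROWING_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcearn", "aws:sourceaccount", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip", "aws:userid",
}


def bpa_fully_enabled(pab: dict) -> bool:
    """True only if all four Block Public Access flags are set."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in BPA_FLAGS)


def acl_public_grants(acl: dict) -> list:
    """Return 'Group:Permission' labels for grants to AllUsers/AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return out


def _wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def _narrowed(condition: dict) -> bool:
    for operator, keys in condition.items():
        if "not" in operator.lower():  # negated operators widen access, not narrow it
            continue
        for key, value in keys.items():
            values = value if isinstance(value, list) else [value]
            if key.lower() in NARROWING_KEYS and all(v != "*" for v in values):
                return True
    return False


def policy_public_statements(policy: dict) -> list:
    """Sids (or positions) of Allow statements that grant access to everyone."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    sids = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if _narrowed(stmt.get("Condition", {})):
            continue
        sids.append(stmt.get("Sid") or f"Statement[{i}]")
    return sids


def assess_bucket(pab: dict, acl: dict, policy: dict) -> dict:
    """Combine the three CLI outputs into one verdict."""
    bpa = bpa_fully_enabled(pab)
    acl_grants = acl_public_grants(acl)
    stmts = policy_public_statements(policy)
    return {
        "bpa_enabled": bpa,
        "public_acl_grants": acl_grants,
        "public_policy_statements": stmts,
        # BPA blocks public ACLs and policies, so with it on the grants are latent, not live.
        "effectively_public": bool(acl_grants or stmts) and not bpa,
    }


# Constructed sample outputs (not from a real account).
SAMPLE_PAB_MISSING = {}  # shape when no PublicAccessBlock configuration exists
SAMPLE_PAB_ON = {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_PAB_MISSING, SAMPLE_ACL, SAMPLE_POLICY), indent=2))
```

Feed it the real output of `get-public-access-block`, `get-bucket-acl` and `get-bucket-policy` (the latter returns the policy as a string inside `Policy`, so `json.loads` it first). The `OrgOnly` statement is deliberately not flagged: a wildcard principal narrowed by `aws:PrincipalOrgID` is the pattern the remediation section recommends.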
Attempt Anonymous Access
aws s3 ls s3://<bucket>/ --no-sign-request
aws s3 cp s3://<bucket>/<object> - --no-sign-request
Listing or reading without credentials proves exposure.
Use Access Analyzer for S3
aws accessanalyzer list-findings --analyzer-name <org-or-account-analyzer> \
--filter '{"resourceType":{"eq":["AWS::S3::Bucket"]}}'
Findings that grant public or cross‑account access indicate risk.
Remediation
- Enable Block Public Access at account and bucket level.
- Remove AllUsers/AuthenticatedUsers grants from ACLs; prefer bucket policies over ACLs.
- Enforce bucket ownership and least privilege
  - Enable S3 Object Ownership (Bucket owner enforced) to disable ACLs; narrow bucket policies to specific principals, require TLS, use aws:PrincipalOrgID, and condition on VPC endpoints.
- Front with CloudFront securely
  - Use CloudFront with Origin Access Control (OAC) and bucket policies that deny direct S3 access; keep BPA enabled.
- Continuous monitoring
  - Enable Access Analyzer and Amazon Macie to detect public buckets and sensitive data exposure.
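The bucket-policy controls listed above (TLS only, aws:PrincipalOrgID, VPC endpoint, CloudFront OAC) fit together in one document. The following Python is an added example, not code from the original page or from AWS: it builds such a hardened policy and runs a small checker over it so the same checks can be pointed at existing policies. The org id, VPC endpoint id, distribution ARN and bucket name are placeholders. Two details are easy to miss and are handled here: a `StringNotEquals` Deny on `aws:PrincipalOrgID` or `aws:SourceVpce` also matches service principals such as CloudFront (which carry neither key), so each Deny is scoped with `aws:PrincipalIsAWSService`; and the OAC Allow is pinned to a single distribution with `AWS:SourceArn`.

```python
import json

ORG_ID = "o-exampleorgid"                                                # placeholder
VPCE_ID = "vpce-0123456789abcdef0"                                       # placeholder
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"   # placeholder
BUCKET = "arn:aws:s3:::example-bucket"                                   # placeholder
BUCKET_AND_OBJECTS = [BUCKET, f"{BUCKET}/*"]

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Deny principals outside the organisation; service principals have no
            # PrincipalOrgID, so exclude them or the CloudFront Allow below never works.
            "Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS,
            "Condition": {
                "StringNotEquals": {"aws:PrincipalOrgID": ORG_ID},
                "Bool": {"aws:PrincipalIsAWSService": "false"},
            },
        },
        {   # Same pattern for the VPC endpoint: org traffic must arrive via VPCE_ID.
            "Sid": "DenyOutsideVpcEndpoint", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": BUCKET_AND_OBJECTS,
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": VPCE_ID},
                "Bool": {"aws:PrincipalIsAWSService": "false"},
            },
        },
        {   # The only read path for the public: CloudFront via OAC, one distribution.
            "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
        },
    ],
}

# A weak policy of the kind the Description warns about, for comparison (constructed).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
]}


def _statements(policy: dict) -> list:
    s = policy.get("Statement", [])
    return [s] if isinstance(s, dict) else s


def _lower_keys(d: dict) -> dict:
    return {k.lower(): v for k, v in d.items()}  # IAM condition keys are case-insensitive


def denies_plaintext(policy: dict) -> bool:
    """A Deny for everyone that fires when aws:SecureTransport is false."""
    for st in _statements(policy):
        cond = _lower_keys(st.get("Condition", {}).get("Bool", {}))
        if st.get("Effect") == "Deny" and st.get("Principal") == "*" \
                and str(cond.get("aws:securetransport", "")).lower() == "false":
            return True
    return False


def denies_unless(policy: dict, key: str, expected: str) -> bool:
    """A Deny that fires unless `key` equals `expected` (StringNotEquals form)."""
    for st in _statements(policy):
        cond = _lower_keys(st.get("Condition", {}).get("StringNotEquals", {}))
        if st.get("Effect") == "Deny" and cond.get(key.lower()) == expected:
            return True
    return False


def allows_only_cloudfront(policy: dict) -> bool:
    """Every Allow is for the CloudFront service principal and pinned by AWS:SourceArn."""
    allows = [st for st in _statements(policy) if st.get("Effect") == "Allow"]
    if not allows:
        return False
    for st in allows:
        principal = st.get("Principal")
        if not isinstance(principal, dict):
            return False
        services = principal.get("Service", [])
        services = services if isinstance(services, list) else [services]
        if "cloudfront.amazonaws.com" not in services:
            return False
        if "aws:sourcearn" not in _lower_keys(st.get("Condition", {}).get("StringEquals", {})):
            return False
    return True


def audit_hardening(policy: dict, org_id: str = ORG_ID, vpce_id: str = VPCE_ID) -> dict:
    return {
        "requires_tls": denies_plaintext(policy),
        "org_restricted": denies_unless(policy, "aws:PrincipalOrgID", org_id),
        "vpce_restricted": denies_unless(policy, "aws:SourceVpce", vpce_id),
        "cloudfront_only_allows": allows_only_cloudfront(policy),
    }


if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, json.dumps(audit_hardening(pol)))
```

The VPC endpoint Deny locks out every org principal that is not calling through that endpoint, including console and CLI sessions from outside the VPC, so apply it with a break-glass path and try it on a non-production bucket first. Block Public Access stays enabled throughout; nothing in this policy needs a public ACL or a public policy.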