S3 Website and Origin Misconfigurations

Description

Static website buckets and S3 buckets used as CloudFront origins can unintentionally expose private content if origin access is not restricted (no Origin Access Identity or Origin Access Control) or if static website hosting is left enabled with permissive bucket policies. In that case requests sent directly to the S3 endpoint bypass the authentication and authorization controls enforced at CloudFront.

Examples

Check Website and Origin Policies

aws s3api get-bucket-website --bucket <bucket>
aws s3api get-bucket-policy --bucket <bucket>
aws cloudfront get-distribution-config --id <distribution-id>

If website hosting is enabled with permissive policies, objects may be public.

Test direct S3 origin bypass

curl -I https://<bucket>.s3.amazonaws.com/<key>

If the direct S3 request returns 200 rather than 403 while access is expected to be gated by CloudFront, the origin is misconfigured.

Remediation

  1. Disable website hosting on private data buckets.
  2. Use CloudFront Origin Access Control (preferred) or OAI and bucket policies that allow only CloudFront to read; explicitly deny direct access.
  3. Keep Block Public Access enabled and remove permissive policies; for public websites, segregate content and use least-privileged policies.
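The policy checks from the Examples section and the CloudFront-only policy shape from the Remediation steps, as an added example that is not part of the original page. It audits a parsed bucket policy offline (the dict you get from json.loads of the Policy field returned by get-bucket-policy); the two sample policies, the account id and the distribution id are constructed.

```python
import json

# Constructed sample policies for demonstration (not taken from the page).
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin/*"}]}

# Shape of the remediated policy: only one CloudFront distribution (via OAC)
# may read, so a direct request to the S3 endpoint matches no Allow statement.
OAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin/*",
    "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}}}]}

READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _cloudfront_source_arns(stmt):
    """Collect aws:SourceArn values (key is case-insensitive) that name a distribution."""
    arns = []
    for operator in stmt.get("Condition", {}).values():
        for key, val in operator.items():
            if key.lower() == "aws:sourcearn":
                arns += [a for a in _as_list(val) if a.startswith("arn:aws:cloudfront::")]
    return arns

def audit_origin_policy(policy, website_enabled=False):
    """Return findings for an S3 origin bucket: anonymous read grants, CloudFront
    grants not pinned to a distribution, and website hosting left on.
    An empty list means reads are restricted to CloudFront."""
    findings = []
    if website_enabled:
        findings.append("static website hosting enabled on origin bucket")
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not READ_ACTIONS & set(actions):
            continue
        sid, p = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        anon = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        cf_service = isinstance(p, dict) and "cloudfront.amazonaws.com" in _as_list(p.get("Service", []))
        if anon and not _cloudfront_source_arns(stmt):
            findings.append(f"{sid}: anonymous read (Principal '*'); direct S3 access bypasses CloudFront")
        elif cf_service and not _cloudfront_source_arns(stmt):
            findings.append(f"{sid}: cloudfront.amazonaws.com allowed without AWS:SourceArn; any distribution could read")
    return findings

if __name__ == "__main__":
    print(json.dumps(audit_origin_policy(PUBLIC_POLICY, website_enabled=True), indent=2))
    print(audit_origin_policy(OAC_POLICY))  # [] : CloudFront-only
```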