Cloud Storage Misconfiguration
detect, understand, remediate
Misconfigured cloud storage buckets (AWS S3, Google Cloud Storage, Azure Blob) with public access are a leading cause of large-scale data breaches, exposing sensitive files to the internet.
No credit card required. Free plan available forever.
What is cloud storage misconfiguration?
Cloud storage misconfiguration occurs when cloud storage buckets (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage) are configured with overly permissive access policies that expose data to the public internet. This can lead to massive data leaks, as anyone who discovers the bucket URL can list, read, or even modify its contents.
Misconfigured cloud buckets have been responsible for some of the largest data breaches in history, exposing billions of records containing personal information, financial data, healthcare records, and proprietary business documents. The scale of these breaches is amplified by the ease of discovery, as automated tools continuously scan cloud provider IP ranges for publicly accessible buckets.
The root cause is usually a combination of complex IAM policies, insecure default settings, and a lack of visibility into who has access to what. As organisations migrate more data to the cloud, the attack surface grows with every new bucket or container created without proper access controls.
How it works
Discover public buckets
Attackers use automated tools to enumerate cloud storage URLs by brute-forcing common naming patterns or scanning known cloud provider IP ranges.
Check access permissions
The attacker tests the bucket for public list, read, and write permissions by making unauthenticated API requests.
Browse and download data
With public read access, the attacker lists all objects in the bucket and downloads sensitive files, including databases, backups, credentials, and personal data.
Exploit or sell data
Stolen data is used for identity theft, sold on dark web marketplaces, used for extortion, or leveraged to gain deeper access to the organisation's infrastructure.
Common causes
Public access defaults
Some cloud storage configurations default to public access or make it easy to accidentally enable public permissions during bucket creation.
Overpermissive bucket policies
IAM and bucket policies that grant broad access (e.g. Principal: "*") expose data to anyone on the internet.
No access monitoring
Without access logging and monitoring, organisations have no visibility into who is accessing their buckets or when public exposure occurs.
Shared access signatures too broad
Pre-signed URLs or shared access signatures with excessive permissions, long expiration times, or no IP restrictions grant unintended access.
How to detect it
Automated detection
- SecPortal's external scanner identifies publicly accessible cloud storage buckets associated with your domains and subdomains
- Cloud security posture management (CSPM) tools continuously audit bucket policies and flag public access configurations
- AWS S3 Block Public Access, GCP organisation policies, and Azure storage firewalls provide built-in detection and prevention
Manual testing
- Attempt to list bucket contents using unauthenticated API requests or CLI tools (aws s3 ls, gsutil ls)
- Review IAM policies and bucket ACLs for overly permissive principals, especially "AllUsers" or "AllAuthenticatedUsers"
- Check access logging to identify unexpected external access patterns to cloud storage resources
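The policy and ACL review in the manual checklist above can be scripted. This is an added example, not SecPortal's code: it walks a bucket policy document and an ACL grant list of the shape returned by `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`, flags Allow statements with a wildcard Principal and grants to the AllUsers/AuthenticatedUsers groups, and places the public statement next to a least-privilege statement that names a single role. The sample policy and ACL are constructed; the account id, role name and owner id are placeholders.

```python
import json

# Grantee URIs that make an S3 bucket or object readable/writable by the world
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_wildcard_principal(principal) -> bool:
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean anyone on the internet
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json: str) -> list:
    """Sids (or indexes) of Allow statements open to any principal and not narrowed by a Condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements are fine; conditioned wildcards still need manual review
        if _is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs for every ACL grant to an all-users group."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]

# Constructed sample policy: a public statement beside its least-privilege replacement,
# which names one role (the account id and role name are placeholders)
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample ACL: one AllUsers READ grant next to the owner's own grant
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Only the `PublicRead` statement and the `AllUsers` grant are reported; the role-scoped statement and the owner's grant pass, which is the shape the fix section asks for.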
How to fix it
Block public access by default
Enable account-level and bucket-level public access blocks (e.g. S3 Block Public Access) to prevent accidental public exposure of any bucket.
Use IAM policies for fine-grained access
Replace broad bucket ACLs with IAM policies that grant specific permissions to specific principals. Follow the principle of least privilege.
Enable access logging
Turn on server access logging and CloudTrail/Cloud Audit Logs for all storage buckets to maintain a complete record of who accessed what and when.
Scan for public buckets regularly
Run automated scans across your cloud accounts to identify any buckets with public access. Integrate checks into your CI/CD pipeline for infrastructure-as-code.
Implement bucket-level encryption
Enable server-side encryption with customer-managed keys for all buckets, providing an additional layer of protection even if access controls are bypassed.
Detect exposed cloud storage
SecPortal checks for misconfigured S3, GCS, and Azure storage buckets as part of every external scan. Start free.