How to remediate – Amazon S3 Bucket Detected

Contents

1. Introduction

Amazon S3 buckets are used for storing data in the cloud. If not configured correctly, they can be publicly accessible, allowing unintended access to sensitive information. This affects web applications that use S3 storage and could lead to data breaches, financial loss, or reputational damage. A public bucket poses a risk to confidentiality, integrity, and availability of stored data.

2. Technical Explanation

The root cause is often overly permissive access control policies on the S3 bucket itself, or objects within it. Attackers can exploit this by directly accessing the bucket’s contents via a URL if public read permissions are granted. No authentication is required for access.

Root cause: Incorrectly configured bucket or object permissions allowing public access.
Exploit mechanism: An attacker discovers the bucket name and uses its public URL to list files or download objects directly. For example, an attacker could use a tool like `curl` or simply navigate to the bucket’s URL in a web browser.
Scope: Any AWS account using Amazon S3 buckets with publicly accessible permissions.

3. Detection and Assessment

You can check if your S3 buckets are public using the AWS Management Console or command-line tools. Regularly scanning your AWS environment is also recommended.

Quick checks: In the AWS console, navigate to S3, select a bucket, go to Permissions tab and review Block Public Access settings.
Scanning: Use AWS Security Hub or third party scanners like Wiz, Orca, or Prisma Cloud to identify publicly accessible buckets. These tools often provide signature IDs for this issue.
Logs and evidence: Check AWS CloudTrail logs for `GetObject`, `ListBucket` operations originating from public sources (e.g., any IP address). Look for event names related to S3 bucket policy changes.

aws s3api get-bucket-acl --bucket your-bucket-name

4. Solution / Remediation Steps

Ensure that the detected Amazon S3 bucket is already identified in the assets used by the web applications, and that the permissions are defined according to its expected purpose and to the AWS security best practices.

4.1 Preparation

Ensure you have appropriate IAM permissions to modify bucket policies. Roll back plan: Restore the original bucket policy from the snapshot.
Changes should be approved by the security team or system owner.

4.2 Implementation

Step 1: Review the current bucket policy using the AWS Management Console or CLI.
Step 2: If public access is enabled, block all public access using the “Block Public Access” settings in the S3 console.
Step 3: Verify that blocking public access does not disrupt legitimate application functionality.
Step 4: For buckets requiring specific public access, grant permissions only to authorized IAM roles or users, avoiding wildcard (*) permissions.

4.3 Config or Code Example

Before

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

After

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalRegexp": "*"
        }
      }
    }
  ]
}

4.4 Security Practices Relevant to This Vulnerability

List only practices that directly address this vulnerability type. Use neutral wording and examples instead of fixed advice. For example: least privilege, input validation, safe defaults, secure headers, patch cadence. If a practice does not apply, do not include it.

Practice 1: Least privilege – Grant only the necessary permissions to IAM roles or users accessing S3 buckets.
Practice 2: Secure Defaults – Configure S3 buckets with restrictive default permissions and explicitly allow access as needed.

4.5 Automation (Optional)

# Example AWS CLI command to block public access for all buckets in an account
aws s3api put-bucket-public-access-block --bucket your-bucket-name --public-access-block '{"BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}'

5. Verification / Validation

Confirm the fix by checking that public access is blocked and legitimate application functionality remains intact.

Post-fix check: Run `aws s3api get-bucket-acl –bucket your-bucket-name`. The output should not show any public read permissions.
Re-test: Attempt to access the bucket’s contents via a public URL. You should receive an “Access Denied” error.
Smoke test: Verify that applications with authorized IAM roles can still read and write data to the bucket as expected.
Monitoring: Create a CloudWatch alarm triggered by `ListBucket` or `GetObject` events originating from unknown IP addresses.

aws s3api get-bucket-acl --bucket your-bucket-name

6. Preventive Measures and Monitoring

Suggest only measures that are relevant to the vulnerability type. Use “for example” to keep advice conditional, not prescriptive.

Baselines: Update security baselines or policies to enforce restrictive S3 bucket permissions by default.
Asset and patch process: Regularly review S3 bucket configurations for compliance with security best practices.

7. Risks, Side Effects, and Roll Back

Risk or side effect 1: Blocking public access may disrupt applications that rely on publicly accessible S3 buckets.
Risk or side effect 2: Incorrectly configured IAM policies can prevent legitimate users from accessing data.
Roll back: Restore the original bucket policy from the snapshot taken in step 4.1. Re-enable public access if required, but review permissions carefully.

8. References and Resources

Vendor advisory or bulletin: https://aws.amazon.com/articles/amazon-s3-bucket-public-access-considerations/
NVD or

Updated on October 26, 2025

Was this article helpful?

Yes No