AWS S3 (Simple Storage Service) buckets are a popular storage service used by software companies and organizations to store public as well as sensitive data.
Because AWS S3 can be used to store sensitive data, AWS allows developers to set up permissions for individual buckets and objects.
These permissions (bucket policies and Access Control Lists) are sometimes overly permissive and allow unauthenticated users to list or read more data than intended.
You can use the search syntax supported by major search engines such as Google to find AWS S3 buckets belonging to your target company or organization:

```
site:.s3.amazonaws.com "company"
```
You can use the official AWS CLI to test for misconfigured list permissions with the `s3` subcommand; `--no-sign-request` sends the request without any credentials, so the result reflects what an anonymous user can see:

```
$ aws s3 ls s3://{BUCKET_NAME} --no-sign-request
```
The output of an AWS S3 bucket with misconfigured list permissions:

```
2024-08-31 09:00:00       1337 index.html
                           PRE downloads/
2024-08-31 09:00:00       1337 archive.zip
```

The output of a secured AWS S3 bucket:

```
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```
{% hint style="danger" %} Before reporting a potential security misconfiguration, always verify the owner of the bucket and the impact of the vulnerability! Some AWS S3 buckets are meant to be public, some may not even belong to your target! {% endhint %}
To secure your AWS S3 buckets, sign in to your AWS Management Console and follow the steps below:
- Once signed in, navigate to your Amazon S3 dashboard
- Open your bucket that you'd like to secure or verify access controls for
- Open the Permissions tab, and click on Edit under the Block public access (bucket settings) section
- Next, verify that all public access is blocked (or ensure only the desired settings are enabled)
- Save your changes
- Go back to the Permissions tab and scroll down to the Bucket policy section
- Ensure that you do not have any unwanted policies listed
- Additionally, verify that Block all public access is enabled (a green checkmark must appear next to it)
{% hint style="warning" %} If your Access Control Lists take precedence over your Bucket Policies, make sure to verify your Access Control Lists as well! {% endhint %}
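The manual checks above (all four "Block public access" flags enabled, no unwanted bucket policy statements) can be repeated from the CLI output. The following script is an added example and is not part of the original page: it audits the JSON returned by `aws s3api get-public-access-block` and `aws s3api get-bucket-policy` for a bucket you own. The sample documents embedded below are constructed (the account id and bucket name are placeholders), and the function names are the example's own. Object ACLs, which the hint above refers to, are not inspected here; at bucket level they are covered by the `IgnorePublicAcls` flag.

```python
"""Offline audit of S3 public-access settings (added example, not the page's own code).

Input shapes match the AWS CLI:
  aws s3api get-public-access-block --bucket NAME  -> {"PublicAccessBlockConfiguration": {...}}
  aws s3api get-bucket-policy       --bucket NAME  -> {"Policy": "<policy document as a JSON string>"}
"""
import json

# The four flags shown under "Block public access (bucket settings)".
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Read-style actions that should never be granted to an anonymous principal (compared lower-cased).
SENSITIVE_ACTIONS = {"s3:*", "s3:listbucket", "s3:getobject", "s3:get*", "s3:list*"}

# Constructed sample documents; 123456789012 and example-bucket are placeholders.
OPEN_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
SECURE_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_BLOCK_FLAGS}}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}


def _as_list(value):
    """Normalise a policy field that may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when a statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def parse_policy_cli_output(text):
    """Turn the get-bucket-policy CLI output into a policy document (the Policy field is a JSON string)."""
    return json.loads(json.loads(text)["Policy"])


def missing_block_flags(public_access_block):
    """Return the public-access-block flags that are not enabled (empty list means all four are on)."""
    config = public_access_block.get("PublicAccessBlockConfiguration", {})
    return [f for f in PUBLIC_ACCESS_BLOCK_FLAGS if not config.get(f, False)]


def public_statements(bucket_policy):
    """Return the Sids of Allow statements that grant sensitive actions to "*" without any Condition."""
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned public grants need a manual review rather than an automatic flag
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & SENSITIVE_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def audit_bucket(public_access_block, bucket_policy):
    """Combine both checks; an empty list means the bucket passes the verification steps."""
    issues = [f"public access block flag disabled: {f}" for f in missing_block_flags(public_access_block)]
    issues += [f"bucket policy grants public read (Sid {sid})" for sid in public_statements(bucket_policy)]
    return issues


if __name__ == "__main__":
    # Weak configuration: two flags off and an anonymous GetObject grant.
    for issue in audit_bucket(OPEN_PAB, WEAK_POLICY):
        print("FAIL:", issue)
    # Hardened configuration: all flags on, reads limited to one IAM role.
    print("hardened bucket issues:", audit_bucket(SECURE_PAB, HARDENED_POLICY))
```

In a real audit, pipe the two CLI commands' output into `json.loads` and `parse_policy_cli_output` respectively; a bucket with no policy makes `get-bucket-policy` fail with `NoSuchBucketPolicy`, which is simply an empty policy for the purposes of `public_statements`.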
A misconfigured AWS S3 bucket can introduce security risks, data leaks, or other unintended consequences, especially when the bucket stores sensitive data such as backups, receipts, or invoices.