Skip to main content

Publicly Exposed Storage Buckets

Publicly exposed storage buckets allow anonymous read or write to data that should be private, a top cause of mass cloud data leaks. Enable block-public-access, default to least-privilege policies, and share individual objects via presigned URLs.

Publicly exposed storage buckets are cloud object stores (Amazon S3, Azure Blob, Google Cloud Storage) configured to allow anonymous access — public read, or worse, public write — to data that should be private. Misconfigured buckets are one of the most frequent and damaging cloud breaches, repeatedly leaking millions of records of personal, financial, and credential data.

Why It Happens

Making content public is the quick fix when access is failing during development or when serving assets to a website. Permission models are nuanced — ACLs, bucket policies, account-level settings, and IAM interact — and a small mistake opens the bucket wider than intended. Buckets get created by scripts or third parties with permissive defaults, and "temporary" public settings become permanent. Teams assume an obscure bucket name keeps data hidden.

Why It Hurts

Public-read buckets expose every object to anyone on the internet; scanners and search engines index them, and tools continuously hunt for open buckets. Sensitive data — customer PII, backups, source code, secrets — leaks wholesale. Public-write buckets are worse: attackers can plant malware, deface served assets, or run up costs. Such exposure breaches GDPR, HIPAA, PCI-DSS and similar regimes, triggering fines and mandatory disclosure. Because the data is simply readable, no exploit skill is required.

Warning Signs

  • Buckets have public ACLs or policies granting access to anonymous or all-authenticated principals.
  • Account-level "block public access" controls are disabled.
  • Sensitive data sits in buckets reachable without authentication.
  • Security posture tools report public-bucket findings.

Better Alternatives

Enable account-wide and bucket-level block-public-access controls so buckets cannot be made public by accident. Default to private and grant access through least-privilege bucket policies and IAM roles scoped to specific principals and prefixes. For sharing individual objects with external parties, issue time-limited presigned URLs instead of opening the bucket. Serve public website assets through a CDN with origin access controls rather than a public bucket. Encrypt data at rest and enable access logging.

How to Refactor Out of It

  1. Inventory all buckets and flag any with public access at the ACL, policy, or account level.
  2. Enable block-public-access at the account level, then per bucket, fixing legitimate public needs explicitly.
  3. Replace broad grants with least-privilege policies scoped to specific identities and paths.
  4. Move external sharing to presigned URLs and public web content to a CDN with origin access control.
  5. Turn on access logging and use posture management to detect future exposure.
  6. Assume any data that was public is leaked: rotate exposed secrets and follow breach procedures if sensitive.