S3 Bucket Misconfiguration
What is S3 Bucket Misconfiguration?
S3 Bucket MisconfigurationA configuration error on an Amazon S3 bucket (or equivalent object store) that exposes objects, allows unintended writes, or grants broad cross-account access.
S3 bucket misconfigurations are a frequent and high-impact subclass of cloud misconfiguration. Common forms include public-read or public-write ACLs, bucket policies that grant Principal: "*", missing block-public-access settings, weak object ownership, unsigned ACLs that conflict with policies, missing default encryption, disabled access logging, and presigned URLs with overly long lifetimes. Because buckets are reachable from the public Internet by DNS name, a single mistake can leak terabytes of customer data, source code, or backups. Mitigations include S3 Block Public Access at the account level, bucket policies that deny non-TLS and unencrypted access, IAM Access Analyzer, SCPs, and continuous checks via CSPM. Equivalent issues exist in Azure Blob Storage and Google Cloud Storage.
● Examples
- 01
An S3 bucket with public-read ACL exposing backup files.
- 02
A bucket policy granting s3:GetObject to Principal: "*" by mistake.
● Frequently asked questions
What is S3 Bucket Misconfiguration?
A configuration error on an Amazon S3 bucket (or equivalent object store) that exposes objects, allows unintended writes, or grants broad cross-account access. It belongs to the Cloud Security category of cybersecurity.
What does S3 Bucket Misconfiguration mean?
A configuration error on an Amazon S3 bucket (or equivalent object store) that exposes objects, allows unintended writes, or grants broad cross-account access.
How do you defend against S3 Bucket Misconfiguration?
Defences for S3 Bucket Misconfiguration typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for S3 Bucket Misconfiguration?
Common alternative names include: Public S3 bucket, Open S3 bucket.