Find Public S3 Buckets Before Attackers Do

Published: February 7, 2026 at 03:06 PM EST
4 min read
Source: Dev.to

Introduction

Accidental exposure of sensitive data in public Amazon S3 buckets remains a major security risk. Misconfigured permissions are easy to create, and attackers actively scan for these vulnerabilities. Regularly auditing your S3 bucket permissions is crucial to prevent data breaches, compliance violations, and reputational damage.

Types of Data Exposed by Public Buckets

  • Personally Identifiable Information (PII)
  • API keys and credentials
  • Proprietary code or data
  • Internal documents

Methods to Find Public S3 Buckets

AWS Command Line Interface (CLI)

The AWS CLI can list buckets and inspect their permissions.

List All Buckets

aws s3 ls

Check Bucket Policy

aws s3api get-bucket-policy --bucket <bucket-name>

A public bucket typically contains statements with "Principal": "*" (or "Principal": {"AWS": "*"}) and "Effect": "Allow" for actions such as s3:GetObject.

Check Bucket ACL

aws s3api get-bucket-acl --bucket <bucket-name>

Look for Grant elements where the Grantee type is Group and the group URI ends in AllUsers (shown as "Everyone" in the console) or AuthenticatedUsers ("Any authenticated AWS user"), and the permission is READ or WRITE. Other Group grantees, such as the LogDelivery group, are not public.

Scripting with AWS CLI and jq

Automate the detection of public buckets by parsing JSON output with jq.

#!/usr/bin/env bash
# Iterate over every bucket in the account and flag public policies and ACLs.
aws s3 ls | awk '{print $3}' | while read -r bucket; do
  policy=$(aws s3api get-bucket-policy --bucket "$bucket" 2>/dev/null)
  acl=$(aws s3api get-bucket-acl --bucket "$bucket" 2>/dev/null)

  # get-bucket-policy returns the policy document as a JSON *string* under .Policy,
  # so it has to be decoded with fromjson before its statements can be inspected.
  # Any "*" inside Principal ("*", {"AWS": "*"} or a list containing "*") counts.
  if [[ -n "$policy" ]]; then
    if echo "$policy" | jq -e '.Policy | fromjson | .Statement
          | (if type == "array" then . else [.] end)
          | any(.Effect == "Allow" and ([.Principal | .. | strings] | index("*") != null))' > /dev/null; then
      echo "Bucket $bucket is PUBLIC (Policy)"
    fi
  fi

  # Only the AllUsers and AuthenticatedUsers groups are public; other Group
  # grantees such as LogDelivery are not.
  if [[ -n "$acl" ]]; then
    if echo "$acl" | jq -e '.Grants | any(.Grantee.Type == "Group"
          and ((.Grantee.URI // "") | endswith("/AllUsers") or endswith("/AuthenticatedUsers"))
          and (.Permission == "READ" or .Permission == "WRITE"))' > /dev/null; then
      echo "Bucket $bucket is PUBLIC (ACL)"
    fi
  fi
done

The script iterates through all buckets, retrieves their policies and ACLs, and flags those that appear public based on broad “Allow” statements or public ACL grants.

Boto3 (AWS SDK for Python)

Boto3 provides a programmatic way to perform the same checks.

Install Boto3

pip install boto3

Python Script

import json

import boto3
from botocore.exceptions import ClientError

s3 = boto3.client('s3')

# Only these two ACL groups mean "public"; other Group grantees (e.g. LogDelivery) do not.
PUBLIC_GROUP_URIS = (
    'http://acs.amazonaws.com/groups/global/AllUsers',
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
)


def check_bucket_permissions():
    buckets = s3.list_buckets()['Buckets']
    for bucket in buckets:
        name = bucket['Name']

        # Check bucket policy: an Allow statement whose Principal is "*",
        # {"AWS": "*"} or a list containing "*" grants public access.
        try:
            policy_str = s3.get_bucket_policy(Bucket=name)['Policy']
            policy = json.loads(policy_str)
            statements = policy.get('Statement', [])
            if not isinstance(statements, list):
                statements = [statements]  # a single statement may be a bare object
            for stmt in statements:
                principal = stmt.get('Principal')
                aws = principal.get('AWS', []) if isinstance(principal, dict) else principal
                if stmt.get('Effect') == 'Allow' and '*' in (aws if isinstance(aws, list) else [aws]):
                    print(f"Bucket {name} is PUBLIC (Policy)")
                    break
        except ClientError as e:
            # boto3 does not model NoSuchBucketPolicy as a typed exception,
            # so inspect the error code instead.
            if e.response['Error']['Code'] != 'NoSuchBucketPolicy':
                print(f"Bucket {name}: could not read policy ({e.response['Error']['Code']})")

        # Check bucket ACL
        try:
            acl = s3.get_bucket_acl(Bucket=name)
            for grant in acl.get('Grants', []):
                grantee = grant.get('Grantee', {})
                if (grantee.get('Type') == 'Group'
                        and grantee.get('URI') in PUBLIC_GROUP_URIS
                        and grant.get('Permission') in ('READ', 'WRITE')):
                    print(f"Bucket {name} is PUBLIC (ACL)")
                    break
        except ClientError as e:
            # e.g. AccessDenied or NoSuchBucket: the bucket cannot be assessed
            print(f"Bucket {name}: could not read ACL ({e.response['Error']['Code']})")


if __name__ == "__main__":
    check_bucket_permissions()

The script lists all buckets, retrieves their policies and ACLs, and prints any bucket identified as public.
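Neither script above separates a wildcard Allow that carries a Condition (for example one limited to a VPC, which may not be reachable from the internet at all) from an unconditional one, and both need live AWS credentials to try out. The following added example, which is not part of the original post, evaluates the JSON that get-bucket-policy and get-bucket-acl return entirely offline, so the matching logic can be unit-tested against constructed documents before it is wired into a scan; the bucket name, VPC id and Sids in the sample policy are made up.

```python
import json

# Added example, not the post's own code: pure-Python checks, no AWS calls.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "AnyAuthenticatedUser"}

def is_wildcard_principal(principal):
    """True for "*", {"AWS": "*"} and {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Split wildcard-principal Allow statements into (unconditional, conditional)
    Sids; a Condition may restrict access, so those are listed for review."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    unconditional, conditional = [], []
    for i, stmt in enumerate(stmts):
        # Deny never opens access; only Allow with a wildcard principal does.
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return unconditional, conditional

def public_acl_grants(acl):
    """Return [(group_name, permission)] for grants to the two public groups;
    other Group grantees such as LogDelivery are not public and are skipped."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        name = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if name:
            found.append((name, grant.get("Permission")))
    return found

# Constructed sample policy (not from a real account) covering each shape.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "*", "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-00000000"}}},
    {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*"}]})
```

Feed the "Policy" string from get-bucket-policy to public_policy_statements and the parsed get-bucket-acl response to public_acl_grants; an unconditional hit is a public bucket, a conditional one needs a human look at the Condition.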

AWS Trusted Advisor

Trusted Advisor includes an “Amazon S3 Bucket Permissions” check that flags buckets with open access. While it offers less detail than the CLI/SDK methods, it provides a quick high-level overview.

AWS Config

AWS Config can track resource configurations over time. You can create custom Config rules to evaluate bucket policies and ACLs for public access, enabling continuous compliance monitoring.

Best Practices for S3 Security

  • Automate Scans: Schedule the CLI or Boto3 scripts in CI/CD pipelines or as regular cron jobs.
  • Least Privilege: Avoid using "*" in bucket policies; grant only the permissions required.
  • Regular Audits: Perform periodic reviews of bucket permissions.
  • Monitoring & Alerting: Set up CloudWatch alarms or Config rules to detect changes in bucket access.
  • Prefer Policies Over ACLs: Use bucket policies as the primary access control mechanism.
  • S3 Access Points: For shared datasets, create dedicated access points with scoped permissions.

Alternative Open‑Source Tool

nuvu-scan can automatically discover cloud assets and detect public S3 buckets.

pip install nuvu-scan

Run the tool according to its documentation to scan your environment for exposed buckets.

Conclusion

By actively searching for and remediating public S3 buckets—using the AWS CLI, Boto3 scripts, Trusted Advisor, Config rules, or third‑party tools—you can significantly reduce the risk of data breaches and maintain a more secure cloud environment.
