S3 Bucket Public Exposure

Are your S3 buckets accessible from the internet?

What this looks like in the scanner (securecompass.io/public-exposure-scanner)

Critical   prod-data-exports    S3 bucket policy allows public read access via Principal: "*"
Critical   staging-uploads      S3 Block Public Access is disabled at the bucket level
High       static-assets-cdn    Bucket ACL grants public-read to All Users group

What does Amazon S3 public exposure mean?

A publicly exposed S3 bucket means anyone on the internet can list, read, or potentially write to your storage. This typically happens through misconfigured bucket policies, public ACLs, or disabled S3 Block Public Access settings at the account or bucket level.

Why it matters

S3 buckets are one of the most common sources of data breaches in AWS. Publicly accessible buckets have exposed customer databases, credentials, backups, and internal documents. Regulatory frameworks including SOC 2, ISO 27001, and PCI-DSS all require controls preventing unauthorized access to stored data.

How to check manually

  1. Open the S3 console and check the "Access" column for any bucket marked "Public"
  2. Review S3 Block Public Access settings at both account and bucket level
  3. Check bucket policies for Principal: "*" or Effect: Allow with no conditions
  4. Review ACLs for grants to "All Users" or "Authenticated Users" groups

Quick check with AWS CLI

Check account-level S3 Block Public Access:
  aws s3control get-public-access-block --account-id $(aws sts get-caller-identity --query Account --output text)

List the bucket-policy status of every bucket (IsPublic: True means the bucket policy makes it public; buckets without a policy are reported as such):
  for b in $(aws s3api list-buckets --query "Buckets[].Name" --output text); do printf '%s: ' "$b"; aws s3api get-bucket-policy-status --bucket "$b" --query PolicyStatus.IsPublic --output text 2>/dev/null || echo "(no bucket policy)"; done

Check a specific bucket's public access block:
  aws s3api get-public-access-block --bucket YOUR_BUCKET_NAME

Common misconfigurations

S3 Block Public Access disabled at account level
Bucket policy grants access to Principal "*"
Legacy ACLs granting public-read or public-read-write
Static website hosting enabled without CloudFront restriction
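The bucket-policy and ACL checks from the manual steps above, applied offline to constructed policy and ACL documents in the shape the AWS CLI returns them. This is an added example, not the scanner's or AWS's code; the bucket names, owner ID and VPC endpoint ID are placeholders.

```python
# Canned-group URIs that appear in legacy S3 ACL grants (AWS-defined identifiers).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "All Users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated Users",
}

def _is_wildcard_principal(principal):
    """True when a statement's Principal is anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_doc):
    """Sids of Allow statements that open the bucket to any principal with no Condition."""
    hits = []
    for stmt in policy_doc.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):  # conditioned wildcards are left for review
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def public_acl_grants(acl):
    """(Permission, group) for each grant to the All Users / Authenticated Users groups."""
    return [(g.get("Permission"), PUBLIC_GROUPS[g["Grantee"]["URI"]])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

# Constructed sample data in the shape of `aws s3api get-bucket-policy` (after json.loads
# of its Policy string) and `aws s3api get-bucket-acl`; names and IDs are placeholders.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-data-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-data-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))  # ['PublicRead']
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))  # [('READ', 'All Users')]
```

The VpcOnly statement is deliberately not flagged: a wildcard principal behind a Condition needs a human look rather than an automatic Critical.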

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
