Free Tool

Find every publicly exposed resource in your AWS account

S3 buckets, RDS databases, EC2 instances, API endpoints — 22 resource types scanned automatically. See what's internet-facing before an attacker does.

No credit card. Read-only access. Results in minutes.

82% of AWS accounts we assess have at least one publicly exposed resource. Check yours free.

22 resource types, one scan

The scanner checks every resource type that can be publicly accessible in AWS. If it's facing the internet — intentionally or not — you'll see it.

Storage & Data

S3 buckets

RDS databases

DynamoDB tables

Redshift clusters

EBS snapshots

RDS snapshots

OpenSearch domains

Compute & Network

EC2 instances

ECS services

EKS clusters

Lambda functions

Lightsail instances

Elastic IPs

Access & Endpoints

API Gateway endpoints

CloudFront distributions

ELB/ALB load balancers

Elasticsearch domains

SQS queues

SNS topics

Security & Config

Security groups

NACLs

IAM policies

KMS keys

How the scan works

1. Connect

Deploy a read-only IAM role

One CloudFormation template. SecurityAudit and ViewOnlyAccess policies. No write access.

2. Scan

Automated resource discovery

We enumerate every resource across all regions and check public access configurations — security groups, bucket policies, network ACLs, resource policies.

3. Report

See what's exposed

Every public resource listed with severity, resource details, and the specific configuration causing exposure. Acknowledge intentional exposures to track risk.

What makes a resource "public"?

S3 bucket policies and ACLs

We check bucket policies, block public access settings, ACL grants, and cross-account access. A bucket with public read or list access is flagged even if Block Public Access is partially configured.

Security group ingress rules

Any security group allowing inbound traffic from 0.0.0.0/0 or ::/0 on sensitive ports (SSH, RDP, databases, admin interfaces) is flagged with the specific rule and attached resources.

RDS and database public accessibility

RDS instances, Aurora clusters, and Redshift clusters with the PubliclyAccessible flag enabled — regardless of whether a public subnet is configured.

Resource policies

Lambda function policies, SQS queue policies, SNS topic policies, KMS key policies, and API Gateway resource policies that grant access to * or allow cross-account access without conditions.

Network exposure

EC2 instances in public subnets with public IPs, ECS tasks with public IP assignment, and load balancers with internet-facing schemes.

Snapshot sharing

EBS snapshots and RDS snapshots shared publicly or with specific external accounts — a common source of unintentional data leaks.
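The two checks described above for security group ingress rules and for resource policies, as an added example that is not the scanner's own code. It runs offline over constructed inputs shaped like the EC2 DescribeSecurityGroups IpPermissions list and a Lambda resource policy (the account ID and ARNs are placeholders); the sensitive-port list is a constructed subset of what the page names.

```python
import json

# Constructed inputs, not output from any real account.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": "*"},
    {"Sid": "ScopedInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": "*",
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:us-east-1:111122223333:orders"}}},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "lambda:InvokeFunction", "Resource": "*"},
]})

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_sg_rules(ip_permissions):
    """(port, service, cidr) for each ingress rule reachable from anywhere on a sensitive port."""
    findings = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        # "-1" means all protocols and carries no port range, so it covers every port
        lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in (c for c in cidrs if c in ANYWHERE):
            findings += [(p, n, cidr) for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
    return findings

def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition block."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # a single statement may be a bare object
    flagged = []
    for s in stmts:
        if s.get("Effect") != "Allow" or s.get("Condition"):
            continue  # scoped by a condition, so not treated as public here
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            flagged.append(s.get("Sid", "<no Sid>"))
    return flagged
```

The same policy check applies unchanged to SQS, SNS, KMS and API Gateway resource policies, which share the IAM policy document shape.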

What teams typically find

These are the most common public exposures across the accounts we've scanned.

S3 buckets with public read access

Severity: critical

The most common finding. Legacy ACLs or bucket policies granting s3:GetObject to *. Often from old deployments or static hosting configurations that were never locked down.

Security groups open to the internet

Severity: high

Inbound rules allowing 0.0.0.0/0 on ports 22 (SSH), 3389 (RDP), 3306 (MySQL), 5432 (Postgres). Usually from development or debugging that was never removed.

RDS instances publicly accessible

Severity: high

The PubliclyAccessible flag is enabled on production databases. Often set during initial setup and never changed — even when the database is in a private subnet.

EBS snapshots shared publicly

Severity: critical

Snapshots containing production data shared with "all" instead of specific account IDs. An attacker can copy and mount these in their own account.

Lambda functions with open resource policies

Severity: medium

Function policies granting invoke permissions to * without source account or ARN conditions. Allows any AWS account to call the function.

API Gateway endpoints without authentication

Severity: medium

REST or HTTP APIs with no authorizer configured on public-facing routes. Anyone with the endpoint URL can call the API.

Public exposure is just the start

The Public Exposure Scanner is included free with every Secure Compass account. It runs alongside the full Security Pillar assessment — 228 controls across identity, detection, infrastructure, data protection, and incident response.

Well-Architected Review

228 security controls assessed against the AWS Security Pillar

Compliance Mapping

SOC 2, ISO 27001, PCI-DSS, HIPAA, NIST gap analysis

Executive Reports

PDF reports for board presentations and audit evidence

Frequently asked questions

Is the Public Exposure Scanner really free?

Yes. The scanner is included in the free tier with no credit card required. You get a complete report of every publicly exposed resource in your account on your first scan.

What access does the scanner need?

A read-only IAM role deployed via CloudFormation. SecurityAudit and ViewOnlyAccess policies only. The scanner reads resource configurations — it never modifies anything in your account.

Does it scan all AWS regions?

Yes. The scanner checks every enabled region in your account. Public exposure doesn't respect regional boundaries — a forgotten S3 bucket in ap-southeast-1 is just as exposed as one in us-east-1.

What if an exposure is intentional?

You can acknowledge intentional exposures (like a public website hosted on S3 or a public API). Acknowledged resources are tracked separately so you can focus on the unintentional risks.

How is this different from AWS Trusted Advisor?

Trusted Advisor checks a handful of basic security settings. The Public Exposure Scanner checks 22 resource types across every region with detailed findings — bucket policies, resource policies, snapshot sharing, and more. Trusted Advisor doesn't show you resource policies or shared snapshots.

Can I export the results?

Free tier shows results in the dashboard. Paid plans include PDF export for executive reports and audit evidence. Every finding includes the resource ARN, region, and the specific configuration causing exposure.

What's publicly exposed in your AWS account?

22 resource types. Every region. Risk-ranked findings with remediation guidance. Free.

Scan My Account Free

No credit card required. 5-minute setup. Read-only access.