Public S3 buckets, open Google Cloud Storage, anonymous Azure Blob containers — data exposure via cloud object stores is the most-documented cloud breach class. The mechanism: customer flagged the storage as public (often accidentally or historically); data inside is sensitive; internet-facing enumeration finds it; leak.

Why this keeps happening

Multiple ways to make storage public. AWS S3: bucket ACL, bucket policy, object ACL, individual object grants, “allUsers” in IAM — each independent setting can grant public access.
Defaults changed over time. S3 pre-2018 allowed public by default; changed, but old buckets inherited old defaults.
“Temporary” public sharing becomes permanent. File needs external sharing for one meeting; public flag set; never unset.
Developer intentionally public. “It’s just test data” — turns out to be customer PII accidentally mixed in.
Misunderstanding of scope. “Only people with link can access” — but link gets posted to GitHub → indexed.

Discovery workflows

# Bucket name prediction + enumeration
# Common patterns: company-backups, company-dev, company-prod, etc.
for name in company-backups company-prod company-dev company-reports; do
  aws s3 ls s3://$name 2>/dev/null
done

# Tools:
# - bucket_finder
# - AWSBucketDump
# - GCPBucketBrute
# - Cloud_Enum (multi-cloud)

# Google dorks
site:amazonaws.com "COMPANY"
inurl:s3.amazonaws.com "Index of"

# GitHub / pastebin searches for exposed bucket URLs + credentials

# grayhatwarfare.com — publicly accessible S3 buckets searchable

Specific settings to audit

AWS S3:

Block Public Access at account level (enable all four settings)
Block Public Access at bucket level
Bucket ACL — check for “AllUsers” or “AuthenticatedUsers” grants
Bucket policy — Principal “*”
Object ACLs (ugh — each object can be independently public)
Pre-signed URLs with overly-long expiry

Azure Blob:

Container access level (Private / Blob / Container)
Storage account “allow blob anonymous access” setting
SAS tokens — expiration, scope, secure transfer

GCS:

allUsers / allAuthenticatedUsers IAM bindings on buckets
Uniform bucket-level access (recommended) vs fine-grained (per-object ACLs = more risk)

Real incidents (partial)

Verizon 2017: ~14 million customer records on public S3.
Accenture 2017: 4 buckets public with AWS master keys, private signing keys, customer data.
Booz Allen Hamilton 2017: US intelligence data including classified on public S3.
FedEx 2018: customer ID scans on public S3.
CoWIN data 2023 (India): alleged exposure of vaccination data; investigation inconclusive but raised Indian cloud security discourse.
Continuous 2020-2025: literally weekly reports of public-bucket leaks affecting various companies.

Defenses

Block Public Access at account level (AWS) — makes exception grants explicit
Uniform bucket-level access (GCP) — eliminates per-object ACLs
Disable anonymous blob access at storage account level (Azure)
CSPM continuous scan (Wiz, Orca, Prisma, Defender for Cloud) — catches public flags automatically
Bucket access logging to detect anonymous access patterns
Regular Macie scans (AWS) or equivalents for sensitive data detection — know what’s where
IaC with policy enforcement (Checkov, OPA) — prevent public settings at deploy time
Pre-signed URLs instead of public objects when temporary sharing needed
Inventory + classify — know what’s in each bucket; apply controls per sensitivity

Beyond object storage

Exposed databases: MongoDB, Elasticsearch, Redis, PostgreSQL with default ports open to internet + weak/no auth. Shodan finds millions.
Exposed CI/CD: Jenkins, ArgoCD, Tekton dashboards without auth.
Exposed Kubernetes: dashboard, kubelet, API server without RBAC.
Exposed message queues: Kafka, RabbitMQ with default creds.

Same root cause: “temporary for testing” becomes permanent; CSPM catches at scan time; continuous monitoring catches at internet-exposure time.

Mindset takeaway

Public by default + sensitive content + discoverable = breach. Each factor is independently fixable. Eliminate any one = breach prevented. CSPM tools + IaC policies + inventory + access logging = comprehensive defense.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 43% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

1 more section locked below

Module 8 · Public Data Stores — The Classic 🔒

Why this keeps happening

Discovery workflows

Specific settings to audit

Real incidents (partial)

Defenses

Beyond object storage

Mindset takeaway

Continue reading with Basic tier (₹499/month)

Other modules in this track

Module 4 · Cross-Account Trust Attacks <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 5 · Kubernetes — The Platform That Multiplies Attack Surface <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>

Module 1 · The Shared Responsibility Illusion <span style="color:#6EC1E4;font-size:0.7em;vertical-align:middle;" title="Academy lesson — sign in for full access">🔒</span>