Cloud Storage Exposure: When Your Data Is Public

Misconfigured cloud storage—S3 buckets, Azure Blobs, Google Cloud Storage—is one of the most common causes of major data breaches. Attackers continuously scan for exposed buckets, and your data can be exfiltrated within hours of misconfiguration.

What You'll Learn
  • Why public cloud storage is actively hunted
  • Immediate containment steps
  • Data exposure assessment
  • Notification and compliance obligations
  • Prevention controls for each cloud provider
Back to Attack Surface Monitoring Guide

Why Cloud Storage Exposure Is Critical

P1 Until Validated, P0 If Sensitive Data Confirmed

Any public cloud storage with read or write access is an instant P1.If you confirm sensitive data (PII, credentials, proprietary data) is exposed, escalate to P0 and engage incident response.

Cloud storage misconfigurations have caused some of the largest data breaches in recent years:

  • Major financial institutions have exposed millions of customer records via misconfigured S3
  • Prominent tech companies have leaked source code and internal data from exposed storage
  • Enterprise cloud deployments have inadvertently exposed terabytes of customer data
  • Countless smaller breaches go unreported every month
Attackers Are Actively Scanning

Specialized tools scan for exposed cloud storage 24/7. Within hours of misconfiguring a bucket, it will be discovered, indexed, and potentially exfiltrated. Some researchers and criminals maintain databases of discovered public buckets.

How Attackers Find Your Buckets

Automated Discovery Methods

  • Bucket name guessing: Trying common patterns (companyname-backup, companyname-data, companyname-prod)
  • DNS enumeration: Finding S3 buckets via CNAME records
  • Certificate Transparency: Discovering bucket names in SSL certificates
  • Google dorking: Searching for exposed bucket URLs indexed by search engines
  • Shodan/Censys: Internet-wide scanning for cloud storage signatures
  • GitHub/code scanning: Finding bucket names in source code repositories

Tools Used by Attackers

  • S3Scanner, AWSBucketDump, bucket-finder
  • GCPBucketBrute, cloud_enum
  • Specialized scripts targeting specific industries or naming conventions
Discovery to Exfiltration Timeline

A representative timeline: Bucket misconfigured → automated scanners discover it within hours → attackers validate access and begin downloading shortly after → complete exfiltration of large datasets possible within the same day → data may appear on dark web forums within days.

Speed matters. Containment must be immediate.

Priority Assessment

Access Level Determines Priority

Access LevelRiskPriority
Public read + sensitive data confirmedCriticalP0
Public write access (any content)CriticalP0
Public read (unvalidated content)HighP1
Public listing (can see filenames)HighP1
Authenticated user access too broadMediumP2

Content Type Escalation

If public access exists, the content determines whether to escalate to P0:

  • P0 content: PII (names, SSNs, addresses), credentials, API keys, source code, financial data, health records, legal documents
  • P1 content: Internal documents, configuration files, logs with potentially sensitive info, customer lists
  • P2 content: Public marketing materials, non-sensitive assets
Write Access = Immediate P0

If public write access exists, this is P0 regardless of content.Attackers can inject malicious content, modify existing files, or use your storage for malware distribution. This creates legal and reputational liability.

Immediate Response (0-4 Hours)

Step 1: Remove Public Access (First 15 Minutes)

Remove public access immediately. Don't wait to investigate contents first.

AWS S3

AWS CLI Commands
# Block all public access
aws s3api put-public-access-block \
--bucket BUCKET-NAME \
--public-access-block-configuration \
BlockPublicAcls=true,IgnorePublicAcls=true,\
BlockPublicPolicy=true,RestrictPublicBuckets=true

Azure Blob Storage

  • Navigate to Storage Account → Configuration
  • Set "Allow Blob public access" to Disabled
  • Review and remove any container-level public access

Google Cloud Storage

gcloud Commands
# Remove public access
gsutil iam ch -d allUsers gs://BUCKET-NAME
gsutil iam ch -d allAuthenticatedUsers gs://BUCKET-NAME

Step 2: Verify Access Is Blocked

  • Test access from unauthenticated browser/curl
  • Verify bucket no longer appears in public bucket scanners
  • Confirm legitimate application access still works

Step 3: Preserve Access Logs

  • Enable access logging if not already enabled
  • Export existing access logs for forensic analysis
  • Identify time range of public exposure
  • Note: AWS S3 server access logs may have 1-hour delay

Step 4: Notify Stakeholders

  • Inform security team and data owners
  • Brief legal/compliance if sensitive data may be involved
  • Prepare for potential breach notification requirements

Exposure Assessment

Determine Exposure Window

  • When was the bucket created or when did public access start?
  • Review IAM/configuration change history
  • Check deployment logs and infrastructure-as-code history
  • Correlate with any recent changes or deployments

Analyze Access Logs

Look for evidence of unauthorized access:

  • Requests from unknown IP addresses
  • Bulk download patterns (many objects accessed sequentially)
  • Access from cloud provider IP ranges (other AWS accounts, etc.)
  • Requests from known malicious IPs or security researcher ranges

Inventory Exposed Data

  • List all objects that were publicly accessible
  • Classify data by sensitivity level
  • Identify any regulated data (HIPAA, PCI, GDPR)
  • Document for potential breach notification
Assume Data Was Accessed

If sensitive data was publicly accessible for more than a few hours, assume it was exfiltrated. Attackers automate bucket discovery and download. The absence of access logs does not mean data wasn't taken—logging may not have been enabled, or logs may be incomplete.

Breach Notification Considerations

If sensitive data was exposed, consider notification obligations:

  • GDPR: 72-hour notification to supervisory authority
  • HIPAA: 60-day notification for breaches affecting 500+ individuals
  • State laws: Varying requirements (California, New York, etc.)
  • Contractual: Customer and partner notification requirements
  • Consult legal counsel before making notification decisions

Prevention Controls by Provider

AWS S3

  • Account-level block: Enable S3 Block Public Access at the account level
  • Bucket policies: Review all bucket policies for Principal: "*"
  • ACLs: Disable ACLs or ensure no public grants
  • AWS Config: Create rules to detect public bucket configurations
  • CloudTrail: Monitor for PutBucketPolicy and PutBucketAcl events
  • SCPs: Use Service Control Policies to prevent public bucket creation

Azure Blob Storage

  • Storage account level: Disable "Allow Blob public access" by default
  • Azure Policy: Enforce private-only storage accounts
  • Private endpoints: Use private endpoints for sensitive storage
  • Defender for Storage: Enable threat detection
  • Activity logs: Monitor for access policy changes

Google Cloud Storage

  • Organization policy: Set constraints/storage.publicAccessPrevention
  • Uniform bucket-level access: Simplify and enforce consistent permissions
  • VPC Service Controls: Create perimeters around sensitive data
  • Data Loss Prevention: Scan for sensitive content
  • Audit logs: Monitor for IAM policy changes
Defense in Depth

Layer your controls: Account-level blocks prevent accidental exposure, policy enforcement catches configuration drift, monitoring detects any exposure that slips through, and regular scanning validates your posture.

Continuous Monitoring

  • External attack surface monitoring to detect exposed storage
  • Cloud Security Posture Management (CSPM) tools
  • Regular configuration audits
  • Automated remediation for policy violations

Related Security Guides

Cloud storage exposure is often discovered alongside other attack surface issues. Review these related guides:

  • Exposed Admin Panels Guide — Cloud provider consoles and database management interfaces require similar immediate containment when exposed.
  • Exposed RDP Guide — Virtual machines with exposed RDP often accompany misconfigured cloud storage in hasty deployments.
  • Exposed SSH Guide — Cloud workloads commonly expose both SSH and storage—review both when investigating cloud misconfigurations.
  • Attack Surface Monitoring Guide — Learn how to continuously monitor your cloud footprint to detect storage and infrastructure exposures before attackers do.

Summary: Cloud Storage Response Checklist

TimeframeActionOwner
0-15 minRemove public access from bucket/containerCloud/Security
15-30 minVerify block, preserve access logsSecurity
30-60 minNotify stakeholders, brief legal if sensitive dataSecurity/Legal
1-4 hoursInventory exposed data, analyze access logsSecurity
1-3 daysComplete exposure assessment, determine notification needsSecurity/Legal
1-2 weeksImplement prevention controls, update policiesCloud/Security