A developer sets up a storage bucket on a Friday afternoon to hold some test files, ticks a box to make access easier while the team is under deadline pressure, and means to lock it down again the following Monday. Monday brings a new sprint, a new priority, and the bucket stays exactly as it was left. Six months later, thousands of customer documents, backup files, or exported spreadsheets sit there, readable by anyone who happens to guess or find the web address.

How a storage bucket ends up open to the world

Public S3 buckets have caused some of the most avoidable data breaches of the last decade, precisely because the mistake behind them is so small. A single permission setting, changed for convenience during testing or migration, is often all that separates a private company archive from a folder the entire internet can browse. Unlike a hacked password or a phished email, nobody needs to break anything to get in. The door was simply left unlocked, and it stayed that way because nobody went back to check.

Cloud providers have improved their default settings over the years, but businesses still create new buckets, copy old configurations, and inherit permissions from templates that were never quite right in the first place. Regular AWS pen testing specifically hunts for these exposures across an entire cloud estate, rather than relying on someone remembering to check a settings page that was set up months or years ago.

The Open S3 Bucket Problem That Keeps Breaching Businesses — Aardwolf Security

Automated scanners find these gaps within hours, not months

What makes this particular exposure so dangerous is speed. Security researchers and criminal groups alike run continuous automated scans across the entire range of possible bucket names, checking permissions the moment a new one appears. Where a phishing campaign might take weeks to yield results, an open bucket can be found, catalogued, and downloaded within hours of being misconfigured. By the time an internal audit gets around to reviewing cloud storage, an exposed bucket may already have been indexed by search engines and pulled apart by opportunists who were never specifically targeting that company at all.

William Fieldhouse describes the pattern he sees again and again with cloud storage clients.

“We found a bucket holding two years of client contracts sitting fully public, and when we asked the team how long it had been like that, nobody could actually tell us, which was the most worrying answer of all.”

— William Fieldhouse, Director of Aardwolf Security Ltd

That uncertainty is the real problem, more than the misconfiguration itself. A business that knows exactly when a mistake happened can assess what was exposed and to whom. A business that has no idea how long a bucket sat open cannot honestly answer basic questions from customers, regulators, or insurers about what was accessed and by how many parties. The gap in knowledge becomes almost as damaging as the breach itself, because every answer has to be hedged with uncertainty.

Treating cloud storage as a security decision, not an afterthought

Cloud storage rarely gets the same scrutiny as a company’s front door or its office network, yet it often holds far more sensitive material behind a single, easily-missed setting. A proper penetration testing quote treats every bucket, container, and storage account as worth checking properly, rather than trusting that whoever set it up got the permissions right first time. If your business has grown its cloud footprint faster than anyone has reviewed it, that review is worth arranging before a scanner outside your control finds the gap first.

Share:

By Robson

Editorial team contributor for Web Wise Tutors.