
How to Find and Fix Public S3 Buckets in AWS (2026 Guide)

Published July 3, 2026 · Sovereign Observer Team
Quick answer: To find public S3 buckets, open the S3 console and look for the red "Public" badge, or run the AWS CLI to check each bucket’s public access block, policy status, and ACL. To fix them, enable Block Public Access at the account level (Settings → Block Public Access settings for this account), then remove any bucket policies or ACLs that grant access to "*" or "AllUsers". A CSPM tool automates this check across every account and region continuously.

Why are public S3 buckets still a problem in 2026?

Because they’re still one of the most common cloud data-leak vectors. Accenture’s exposed buckets, election voter files, medical records: the list of S3 exposure incidents grows every year, and almost none of them involved a sophisticated attacker (even the Capital One breach, which did, reached S3 through stolen role credentials rather than a public bucket). Someone made a bucket public to “quickly share something,” and it stayed public.

AWS has added guardrails (Block Public Access is on by default for new buckets since 2023), but older buckets, IaC templates that explicitly disable the guardrails, and multi-account sprawl mean exposure keeps reappearing. Finding it once is easy; staying clean is the hard part.

How do I find all public buckets in the console?

  1. Open the S3 console. The bucket list shows a red “Public” badge in the Access column for any bucket with public access.
  2. Check the account-wide switch: S3 → Block Public Access settings for this account. If all four options are on, no bucket in the account can be public regardless of its individual settings.
  3. For a deeper audit, open IAM Access Analyzer (free) — it lists buckets shared outside your account, including via bucket policies you might miss in the S3 view.

Caveat: the console shows one account in one place. If you run multiple AWS accounts — most organizations do — you have to repeat this per account, forever. That’s the gap automation fills.

How do I check buckets with the AWS CLI?

List buckets, then interrogate each one. Three things decide whether a bucket is public: its bucket policy, its ACL, and whether Block Public Access (at the bucket level, the account level, or both) is in force to override them.

# list all buckets
aws s3api list-buckets --query "Buckets[].Name" --output text

# 1. is Block Public Access enabled on the bucket?
aws s3api get-public-access-block --bucket BUCKET_NAME

# 2. does AWS consider the policy public?
aws s3api get-bucket-policy-status --bucket BUCKET_NAME

# 3. does the ACL grant to AllUsers / AuthenticatedUsers?
aws s3api get-bucket-acl --bucket BUCKET_NAME

If get-public-access-block fails with NoSuchPublicAccessBlockConfiguration, the bucket has no block of its own and only the account-level setting applies, so check that too (the s3control get-public-access-block call against your account ID). If get-bucket-policy-status fails with NoSuchBucketPolicy, the bucket simply has no policy. If it returns "IsPublic": true, treat the bucket as exposed right now unless RestrictPublicBuckets is in force for it. In the ACL output, a grant to the AuthenticatedUsers group is as public as one to AllUsers: it means any AWS account in the world, not just yours.
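One way to turn those CLI calls into a per-bucket verdict, as an added example that is not code from the original post: it parses the JSON each call prints, merges account-level and bucket-level Block Public Access the way S3 does (a flag is in force if either level sets it), and reports whether a bucket is reachable anonymously now or only latently public. It also fetches the account-level block, which the commands above do not show. The `cli` helper shells out to the real AWS CLI only under `__main__`; the `SAMPLE_*` constants are constructed JSON shaped like the CLI’s output, not real buckets.

```python
"""Classify each bucket's public exposure from the s3api / s3control calls.

Added example (not code from the original post). Every JSON shape below mirrors
what the AWS CLI prints; the SAMPLE_* values are constructed, not real buckets.
"""
import json
import subprocess
from typing import Optional

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample outputs shaped like the CLI's JSON (not real buckets).
SAMPLE_ACCOUNT_BLOCK_ON = {"PublicAccessBlockConfiguration": {f: True for f in BPA_FLAGS}}
SAMPLE_POLICY_PUBLIC = {"PolicyStatus": {"IsPublic": True}}
SAMPLE_ACL_PUBLIC = {
    "Owner": {"ID": "0123abcd"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def public_acl_grants(acl: dict) -> list:
    """ACL grants that go to the AllUsers or AuthenticatedUsers group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def merged_block(account_block: Optional[dict], bucket_block: Optional[dict]) -> dict:
    """S3 enforces the union of the account-level and bucket-level settings:
    a flag is on if either level sets it. None means that level is not
    configured (the CLI raised NoSuchPublicAccessBlockConfiguration)."""
    return {
        flag: any((cfg or {}).get("PublicAccessBlockConfiguration", {}).get(flag, False)
                  for cfg in (account_block, bucket_block))
        for flag in BPA_FLAGS
    }


def classify(account_block, bucket_block, policy_status, acl) -> dict:
    """Is the bucket reachable anonymously right now?

    policy_status is get-bucket-policy-status output, or None when the bucket
    has no policy at all (the CLI raises NoSuchBucketPolicy).
    """
    block = merged_block(account_block, bucket_block)
    policy_public = bool((policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False))
    acl_public = bool(public_acl_grants(acl))
    # IgnorePublicAcls and RestrictPublicBuckets neutralise grants that already
    # exist. BlockPublicAcls and BlockPublicPolicy only reject *new* public
    # grants, so they never make an already-public bucket private.
    policy_effective = policy_public and not block["RestrictPublicBuckets"]
    acl_effective = acl_public and not block["IgnorePublicAcls"]
    return {
        "policy_public": policy_public,
        "acl_public": acl_public,
        "exposed_now": policy_effective or acl_effective,
        # public grant present but currently neutralised by a block: one
        # setting flip away from exposure, so still worth cleaning up
        "latent": (policy_public or acl_public) and not (policy_effective or acl_effective),
    }


def cli(*args):
    """Run one AWS CLI call; return None for the two 'nothing configured' errors."""
    proc = subprocess.run(["aws", *args, "--output", "json"], capture_output=True, text=True)
    if proc.returncode != 0:
        if ("NoSuchPublicAccessBlockConfiguration" in proc.stderr
                or "NoSuchBucketPolicy" in proc.stderr):
            return None
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Needs credentials in the audited account with s3:ListAllMyBuckets,
    # s3:GetBucketPublicAccessBlock, s3:GetBucketPolicyStatus, s3:GetBucketAcl
    # and s3:GetAccountPublicAccessBlock.
    account_id = cli("sts", "get-caller-identity")["Account"]
    account_block = cli("s3control", "get-public-access-block", "--account-id", account_id)
    for bucket in cli("s3api", "list-buckets")["Buckets"]:
        name = bucket["Name"]
        verdict = classify(
            account_block,
            cli("s3api", "get-public-access-block", "--bucket", name),
            cli("s3api", "get-bucket-policy-status", "--bucket", name),
            cli("s3api", "get-bucket-acl", "--bucket", name),
        )
        state = "EXPOSED" if verdict["exposed_now"] else "latent" if verdict["latent"] else "ok"
        print(f"{state:8} {name}")
```

Run it once per account (or per assumed role) and keep the "latent" rows on the cleanup list too: a bucket whose public policy is only being held back by RestrictPublicBuckets becomes reachable the moment someone relaxes that setting.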

How do I fix a public bucket?

In order of preference:

  1. Turn on account-level Block Public Access — one setting that overrides everything beneath it:
    aws s3control put-public-access-block \
      --account-id YOUR_ACCOUNT_ID \
      --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    Do this unless you knowingly host public assets from S3.
  2. If you need to serve public content, do it through CloudFront with Origin Access Control: the bucket stays private and the account-level block stays on. Only the S3 static website endpoint genuinely needs a public bucket policy. If you must keep one, you cannot use the account-level block, so apply the same four settings per bucket to every other bucket and treat the public one as a standing exception to monitor.
  3. Remove the offending grant. Delete bucket policy statements with "Principal": "*" (or {"AWS": "*"}) and no Condition, and ACL grants to AllUsers or AuthenticatedUsers. Then check who was reading it before you celebrate: CloudTrail only records object-level reads if data events were enabled for the bucket, so fall back to S3 server access logs if they were not. If data was exposed, treat it as an incident and rotate anything sensitive that was inside.
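A remediation helper for step 3, added here and not part of the original post: it removes unconditional "*" Allow statements from a bucket policy and public group grants from an ACL, prints the proposed result, and writes it back with put-bucket-policy / delete-bucket-policy / put-bucket-acl only when run with `--apply`. Statements that pair "*" with a Condition are kept and flagged for manual review rather than deleted, because a condition such as aws:PrincipalOrgID or aws:SourceVpce is often what makes such a grant non-public. `SAMPLE_POLICY` is a constructed policy, and the `aws` wrapper is an assumption of this example, not part of any AWS tooling.

```python
"""Strip public grants from a bucket policy and ACL, then write them back.

Added example (not code from the original post). SAMPLE_POLICY is constructed.
Usage: python scrub.py BUCKET_NAME [--apply]   (prints proposed changes by default)
"""
import json
import subprocess
import sys

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: one anonymous grant, one org-scoped "*" grant, one Deny, one role grant.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def is_wildcard_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"}, including "*" inside a list of AWS principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws_principals = principal.get("AWS", [])
        return "*" in (aws_principals if isinstance(aws_principals, list) else [aws_principals])
    return False


def scrub_policy(policy: dict):
    """Return (cleaned_policy, needs_review).

    Unconditional Allow statements for "*" are dropped. Allow statements for "*"
    that carry a Condition are kept but returned in needs_review for a human to
    judge. Deny statements for "*" are always kept. cleaned_policy is None when
    nothing remains, meaning delete-bucket-policy is the right call.
    """
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    kept, needs_review = [], []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            if not stmt.get("Condition"):
                continue                  # anonymous grant: drop it
            needs_review.append(stmt)     # conditioned wildcard: keep, but flag
        kept.append(stmt)
    if not kept:
        return None, needs_review
    return {**policy, "Statement": kept}, needs_review


def scrub_acl(acl: dict) -> dict:
    """AccessControlPolicy for put-bucket-acl with the public group grants removed."""
    grants = [g for g in acl.get("Grants", [])
              if not (g.get("Grantee", {}).get("Type") == "Group"
                      and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": grants}


def aws(*args) -> subprocess.CompletedProcess:
    """Thin wrapper around the AWS CLI (this example's own helper)."""
    return subprocess.run(["aws", *args], capture_output=True, text=True)


if __name__ == "__main__":
    bucket, apply = sys.argv[1], "--apply" in sys.argv
    got = aws("s3api", "get-bucket-policy", "--bucket", bucket, "--query", "Policy", "--output", "text")
    if got.returncode == 0:               # a NoSuchBucketPolicy failure means nothing to scrub
        original = json.loads(got.stdout)
        cleaned, review = scrub_policy(original)
        for stmt in review:
            print("REVIEW conditioned '*' statement:", json.dumps(stmt))
        if cleaned is None:
            print("policy: delete (only anonymous grants remained)")
            if apply:
                aws("s3api", "delete-bucket-policy", "--bucket", bucket).check_returncode()
        elif cleaned == original:
            print("policy: no unconditional anonymous statements")
        else:
            print("policy:", json.dumps(cleaned, indent=2))
            if apply:
                aws("s3api", "put-bucket-policy", "--bucket", bucket,
                    "--policy", json.dumps(cleaned)).check_returncode()
    acl = json.loads(aws("s3api", "get-bucket-acl", "--bucket", bucket, "--output", "json").stdout)
    new_acl = scrub_acl(acl)
    if new_acl["Grants"] != acl["Grants"]:
        print("acl:", json.dumps(new_acl, indent=2))
        if apply:
            aws("s3api", "put-bucket-acl", "--bucket", bucket,
                "--access-control-policy", json.dumps(new_acl)).check_returncode()
```

Run it without `--apply` first and read the REVIEW lines: the org-scoped statement in the sample is kept on purpose, and whether it belongs there is a decision the script should not make for you.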

How do I make sure buckets never go public again?

Point-in-time cleanups decay. Three durable controls:

Sovereign Observer does the detective and pipeline layers out of the box — connect a read-only role and you’ll see every public bucket across AWS, Azure, and GCP in your first scan, ranked by what’s actually inside the blast radius.

Frequently asked questions

How do I check if an S3 bucket is public?

In the console, look for the red “Public” badge in the bucket list. Via CLI, run aws s3api get-bucket-policy-status --bucket NAME and check for "IsPublic": true (a NoSuchBucketPolicy error just means there is no policy), then review the ACL with get-bucket-acl for AllUsers or AuthenticatedUsers grants. A public grant is only actually reachable if no Block Public Access setting at the bucket or account level neutralises it, so check those too before deciding it is safe.

Does Block Public Access break pre-signed URLs?

No. Pre-signed URLs are authenticated requests made on behalf of the signing IAM identity, so they keep working with all Block Public Access settings enabled. They are the recommended way to share private objects; the link is only as tight as the signer’s permissions and its expiry, so sign with a narrowly scoped identity and keep the expiration short.

Is a bucket safe if it isn’t listed publicly?

No. Bucket names are guessable and attackers enumerate them constantly. “Nobody knows the URL” is not access control — if the policy or ACL allows anonymous reads, assume the data is already downloaded.

What about Azure and GCP — same problem?

Yes, with different names: Azure Blob containers with “anonymous read access” and GCS buckets granting allUsers. The failure mode and the fix pattern (block at the top level, monitor continuously) are identical.

See your cloud the way an attacker does

Connect AWS, Azure, or GCP with a read-only role and get prioritized findings in minutes — no sales call.