How to Find and Fix Public S3 Buckets in AWS (2026 Guide)
Why are public S3 buckets still a problem in 2026?
Because they are still the single most common cloud data-leak vector. Accenture, election data, medical records: the list of S3 exposure incidents grows every year, and almost none of them involved a sophisticated attacker. Someone made a bucket public to “quickly share something,” and it stayed public.
AWS has added guardrails: since April 2023 every new bucket gets all four Block Public Access settings enabled and ACLs disabled (Object Ownership set to “bucket owner enforced”). But older buckets, IaC templates that explicitly switch those guardrails off, and multi-account sprawl mean exposure keeps reappearing. Finding it once is easy; staying clean is the hard part.
How do I find all public buckets in the console?
- Open the S3 console. The bucket list shows a red “Public” badge in the Access column for any bucket whose policy or ACL grants public access, and “Objects can be public” where the bucket settings would still allow a public object ACL.
- Check the account-wide switch: S3 → Block Public Access settings for this account. If all four options are on, no bucket in the account can be public regardless of its individual settings.
- For a deeper audit, open IAM Access Analyzer (external access findings for S3 are free). It lists buckets shared outside your account, including via bucket policies you might miss in the S3 view.
Caveat: the console shows one account in one place. If you run multiple AWS accounts — most organizations do — you have to repeat this per account, forever. That’s the gap automation fills.
How do I check buckets with the AWS CLI?
List buckets, then interrogate each one. Two things can grant public access, the bucket policy and the ACL, and Block Public Access (at account or bucket level) can neutralise either, so you need all three to know the effective answer.
# list all buckets
aws s3api list-buckets --query "Buckets[].Name" --output text
# 1. is Block Public Access enabled on the bucket?
aws s3api get-public-access-block --bucket BUCKET_NAME
# 2. does AWS consider the policy public?
aws s3api get-bucket-policy-status --bucket BUCKET_NAME
# 3. does the ACL grant to AllUsers / AuthenticatedUsers?
aws s3api get-bucket-acl --bucket BUCKET_NAME
Reading the results: if get-public-access-block returns NoSuchPublicAccessBlockConfiguration, the bucket has no block of its own and only the account-level setting (aws s3control get-public-access-block) applies. If get-bucket-policy-status returns "IsPublic": true and RestrictPublicBuckets is off at both levels, treat the bucket as exposed right now; with RestrictPublicBuckets on, the public policy is ignored, but it should still be removed. A NoSuchBucketPolicy error simply means there is no policy. In the ACL, look for grants to the AllUsers or AuthenticatedUsers group; if the bucket’s Object Ownership is BucketOwnerEnforced, ACLs are disabled and cannot grant anything. Object ACLs are separate from the bucket ACL: with ACLs enabled and IgnorePublicAcls off, individual objects can be public even when the bucket ACL is clean.
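The four signals above (account-level block, bucket-level block, policy status, ACL) have to be combined to get the effective answer, and each one fails differently when it is absent. The script below is an added example, not code from the article or from any vendor tool: evaluate_bucket() holds the combination logic and runs offline; audit_account() wraps it in the boto3 calls and only runs when the file is executed directly with read-only S3 credentials. The error code used for “no ownership controls set” is an assumption noted in the code.

```python
# ACL grantee URIs that mean "anyone" / "anyone with any AWS account"
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def merge_pab(account_pab, bucket_pab):
    """Effective Block Public Access: a flag is on if either level sets it.
    None means that level has no configuration at all."""
    return {k: bool((account_pab or {}).get(k)) or bool((bucket_pab or {}).get(k))
            for k in PAB_KEYS}


def evaluate_bucket(account_pab, bucket_pab, policy_is_public, acl_grants,
                    acls_enabled=True):
    """Return {"exposed": bool, "findings": [str, ...]}.

    policy_is_public: IsPublic from get-bucket-policy-status, None if no policy.
    acl_grants:       the Grants list from get-bucket-acl.
    acls_enabled:     False when Object Ownership is BucketOwnerEnforced
                      (S3 then ignores every ACL, bucket or object).
    Object ACLs are not enumerated here: with ACLs enabled and IgnorePublicAcls
    off, single objects can still be public even if the bucket ACL is clean.
    """
    pab = merge_pab(account_pab, bucket_pab)
    findings, exposed = [], False

    if policy_is_public:
        if pab["RestrictPublicBuckets"]:
            findings.append("public bucket policy present but neutralised by RestrictPublicBuckets")
        else:
            findings.append("bucket policy grants public access")
            exposed = True

    public_grants = [g["Permission"] for g in acl_grants
                     if g.get("Grantee", {}).get("Type") == "Group"
                     and g["Grantee"].get("URI") in PUBLIC_GROUPS]
    if public_grants:
        if not acls_enabled:
            findings.append("public ACL grant present but ACLs are disabled (BucketOwnerEnforced)")
        elif pab["IgnorePublicAcls"]:
            findings.append("public ACL grant present but neutralised by IgnorePublicAcls")
        else:
            findings.append("ACL grants %s to a public group" % ",".join(sorted(set(public_grants))))
            exposed = True

    if not any(pab.values()):
        findings.append("no Block Public Access at account or bucket level")
    return {"exposed": exposed, "findings": findings}


def audit_account():
    """Evaluate every bucket in the calling account (needs boto3 and read-only
    S3 permissions). Buckets in other regions may need a regional client;
    this keeps to the default region for brevity."""
    import boto3
    from botocore.exceptions import ClientError

    def call_or_none(fn, missing_code, **kwargs):
        # A missing configuration comes back as an error, not an empty result.
        try:
            return fn(**kwargs)
        except ClientError as err:
            if err.response["Error"]["Code"] != missing_code:
                raise
            return None

    s3, s3control = boto3.client("s3"), boto3.client("s3control")
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    acct = call_or_none(s3control.get_public_access_block,
                        "NoSuchPublicAccessBlockConfiguration", AccountId=account_id)
    account_pab = acct and acct["PublicAccessBlockConfiguration"]

    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        pab = call_or_none(s3.get_public_access_block,
                           "NoSuchPublicAccessBlockConfiguration", Bucket=name)
        status = call_or_none(s3.get_bucket_policy_status, "NoSuchBucketPolicy", Bucket=name)
        # Assumption: "OwnershipControlsNotFoundError" is the code returned when
        # no ownership controls are set; the legacy default (ObjectWriter) keeps ACLs enabled.
        own = call_or_none(s3.get_bucket_ownership_controls,
                           "OwnershipControlsNotFoundError", Bucket=name)
        ownership = (own["OwnershipControls"]["Rules"][0]["ObjectOwnership"]
                     if own else "ObjectWriter")
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        report[name] = evaluate_bucket(
            account_pab, pab and pab["PublicAccessBlockConfiguration"],
            status and status["PolicyStatus"]["IsPublic"], grants,
            acls_enabled=(ownership != "BucketOwnerEnforced"))
    return report


if __name__ == "__main__":
    for name, result in audit_account().items():
        print("EXPOSED " if result["exposed"] else "ok      ", name, "; ".join(result["findings"]))
```

The point of separating the evaluation from the API calls is that the same logic can be fed the JSON the CLI commands above print, or the output of a scanner in another account, without touching credentials.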
How do I fix a public bucket?
In order of preference:
- Turn on account-level Block Public Access, one setting that overrides everything beneath it. Do this unless you knowingly host public assets from S3:
aws s3control put-public-access-block \
  --account-id YOUR_ACCOUNT_ID \
  --public-access-block-configuration \
  BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
- If content must be served publicly, serve it through CloudFront with Origin Access Control: the bucket stays private and the account-level block stays on. Only if a bucket genuinely has to be public (for example the S3 static website endpoint, which cannot sit behind OAC) leave the account block off, apply the same four settings per bucket on everything else, and scope that bucket’s policy to s3:GetObject on the specific prefix.
- Remove the offending grant. Delete bucket policy Allow statements whose principal is "*" or {"AWS": "*"} and that carry no narrowing condition (a Deny with "*" is normal and not public), and delete ACL grants to the AllUsers and AuthenticatedUsers groups. Then check who was accessing it before you celebrate: CloudTrail management events do not record GetObject, so you only have an access history if S3 data events or server access logging were already enabled. If they were not, assume the data was read. Treat an exposure as an incident and rotate anything sensitive that was inside.
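Removing the grant by hand is fine for one bucket; for a fleet you want the decision rule written down. The script below is an added example, not the article’s or any project’s code. It is deliberately conservative: an Allow with a "*" principal and no Condition is removed; an Allow with a "*" principal and a Condition is kept and returned for review, because S3 treats some condition keys as narrowing the principal and others not; Deny statements are always kept. The sample policy, the VPC endpoint ID and the account ID are constructed.

```python
import copy
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: one Deny with "*", one unconditioned public Allow,
# one conditioned "*" Allow, one Allow for a specific role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def has_wildcard_principal(statement):
    """True for "Principal": "*" and "Principal": {"AWS": "*"} (scalar or list)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def split_policy(policy):
    """Return (cleaned_policy, removed_statements, needs_review_statements).
    The input is not modified."""
    cleaned = copy.deepcopy(policy)
    keep, removed, review = [], [], []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        public_allow = st.get("Effect") == "Allow" and has_wildcard_principal(st)
        if public_allow and not st.get("Condition"):
            removed.append(st)          # unconditioned public grant: drop it
            continue
        if public_allow:
            review.append(st)           # conditioned: kept until a human decides
        keep.append(st)
    cleaned["Statement"] = keep
    return cleaned, removed, review


def strip_public_acl_grants(acl):
    """Return an AccessControlPolicy (Owner + Grants) without public group grants."""
    grants = [g for g in acl.get("Grants", [])
              if not (g.get("Grantee", {}).get("Type") == "Group"
                      and g["Grantee"].get("URI") in PUBLIC_GROUPS)]
    return {"Owner": acl["Owner"], "Grants": grants}


def remediate_bucket(bucket, s3=None):
    """Apply both fixes with boto3; returns the statements still needing review.
    Assumes Get/Put/DeleteBucketPolicy and Get/PutBucketAcl on the bucket."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = s3 or boto3.client("s3")
    review = []
    try:
        policy = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None
    if policy:
        cleaned, removed, review = split_policy(policy)
        if removed and cleaned["Statement"]:
            s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(cleaned))
        elif removed:
            s3.delete_bucket_policy(Bucket=bucket)
    acl = s3.get_bucket_acl(Bucket=bucket)
    new_acl = strip_public_acl_grants(acl)
    # With ACLs disabled (BucketOwnerEnforced) get_bucket_acl shows only the
    # owner grant, so this branch is never taken and put_bucket_acl never fails.
    if len(new_acl["Grants"]) != len(acl["Grants"]):
        s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=new_acl)
    return review
```

Run split_policy() against the stored policy first and read what it would remove and what it flags; only then call remediate_bucket(). Rotating whatever the removed statement exposed is still a separate step.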
How do I make sure buckets never go public again?
Point-in-time cleanups decay. Three durable controls:
- Preventive: account-level Block Public Access plus an SCP (Service Control Policy) in AWS Organizations that denies s3:PutAccountPublicAccessBlock, and where needed s3:PutBucketPublicAccessBlock, to everything except an admin role. The same actions authorize the Delete calls, so the deny covers both switching the block off and deleting it.
- Detective: continuous scanning. A CSPM tool checks every bucket in every account and region on a schedule and alerts the moment one drifts public, including buckets created next quarter by a teammate who never read this article.
- Pipeline: scan Terraform/CloudFormation before it applies. Catching acl = "public-read", block_public_acls = false or a PublicAccessBlockConfiguration set to false in a pull request is cheaper than catching it in production.
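The preventive SCP written out, as an added example rather than a policy from the article. The role name CloudSecurityAdmin is a placeholder for whatever break-glass role you keep for this purpose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectBlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/CloudSecurityAdmin"
        }
      }
    }
  ]
}
```

Two caveats: SCPs never apply to the organization’s management account, so keep it empty of buckets; and denying the bucket-level action also stops teams from turning a bucket-level block on, which only matters when the account-level block is off. If every account has the account-level block on, the first action alone is enough.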
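A minimal pre-apply check for the pipeline layer, as an added example (not the article’s code and not a substitute for a policy-as-code tool, whose checks are the same ones): it flags Terraform and CloudFormation lines that set a public canned ACL, disable a Block Public Access flag, or use a wildcard principal, and returns a non-zero exit status for the hard failures. It is pattern-based on purpose so it needs no HCL or YAML parser; the two sample templates are constructed.

```python
import re
import sys

# (pattern, severity, message), matched line by line against the template text
RULES = [
    (r'\bacl\s*=\s*"(public-read|public-read-write|authenticated-read)"',
     "fail", "public canned ACL (Terraform)"),
    (r'\b(block_public_acls|ignore_public_acls|block_public_policy|restrict_public_buckets)\s*=\s*false\b',
     "fail", "Block Public Access setting disabled (Terraform)"),
    (r'\bAccessControl:\s*(PublicRead|PublicReadWrite|AuthenticatedRead)\b',
     "fail", "public canned ACL (CloudFormation)"),
    (r'\b(BlockPublicAcls|IgnorePublicAcls|BlockPublicPolicy|RestrictPublicBuckets):\s*false\b',
     "fail", "Block Public Access setting disabled (CloudFormation)"),
    (r'"Principal"\s*:\s*"\*"|\bPrincipal:\s*["\']?\*["\']?\s*$',
     "warn", "wildcard principal in an inline policy (fine for Deny, review for Allow)"),
]

# Constructed sample Terraform: a public ACL and two disabled block flags.
SAMPLE_TF = '''
resource "aws_s3_bucket" "assets" {
  bucket = "example-assets"
}

resource "aws_s3_bucket_acl" "assets" {
  bucket = aws_s3_bucket.assets.id
  acl    = "public-read"             # must fail
}

resource "aws_s3_bucket_public_access_block" "assets" {
  bucket                  = aws_s3_bucket.assets.id
  block_public_acls       = false     # must fail
  block_public_policy     = false     # must fail
  ignore_public_acls      = true
  restrict_public_buckets = true
}
# acl = "public-read"   commented out, must not fire
'''

# Constructed sample CloudFormation: a public canned ACL and one disabled flag.
SAMPLE_CFN = '''
Resources:
  Assets:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: false
        RestrictPublicBuckets: true
'''


def scan_text(text, filename="<input>"):
    """Return one finding per matching non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue                         # commented-out settings are not live
        for pattern, severity, message in RULES:
            if re.search(pattern, line):
                findings.append({"file": filename, "line": lineno,
                                 "severity": severity, "rule": message,
                                 "text": line.strip()})
    return findings


def gate(findings):
    """Exit status for the pipeline step: 1 blocks the merge or apply."""
    return 1 if any(f["severity"] == "fail" for f in findings) else 0


if __name__ == "__main__":
    all_findings = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            all_findings += scan_text(fh.read(), path)
    for f in all_findings:
        print(f"{f['severity'].upper()} {f['file']}:{f['line']} {f['rule']}: {f['text']}")
    sys.exit(gate(all_findings))
```

Run it as a CI step over the changed .tf and template files; the warn rule exists because a Deny with a "*" principal (the usual enforce-TLS statement) is legitimate and must not block a merge, while an Allow with one is exactly what the earlier sections remove.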
Sovereign Observer does the detective and pipeline layers out of the box — connect a read-only role and you’ll see every public bucket across AWS, Azure, and GCP in your first scan, ranked by what’s actually inside the blast radius.
Frequently asked questions
How do I check if an S3 bucket is public?
In the console, look for the red “Public” badge in the bucket list. Via CLI, run aws s3api get-bucket-policy-status --bucket NAME and check for "IsPublic": true, review the ACL with get-bucket-acl for AllUsers or AuthenticatedUsers grants, and then check get-public-access-block at bucket and account level: RestrictPublicBuckets neutralises a public policy and IgnorePublicAcls neutralises a public ACL, so a finding is only an exposure when the matching block is off.
Does Block Public Access break pre-signed URLs?
No. Pre-signed URLs are authenticated requests made on behalf of the signing IAM identity, so they keep working with all Block Public Access settings enabled. They are the recommended way to share private objects.
Is a bucket safe if it isn’t listed publicly?
No. Bucket names are guessable and attackers enumerate them constantly. “Nobody knows the URL” is not access control — if the policy or ACL allows anonymous reads, assume the data is already downloaded.
What about Azure and GCP — same problem?
Yes, with different names: Azure Blob containers with anonymous read access (only possible when the storage account itself allows blob anonymous access) and GCS buckets granting allUsers or allAuthenticatedUsers. The failure mode and the fix pattern (block at the top level, monitor continuously) are identical.
See your cloud the way an attacker does
Connect AWS, Azure, or GCP with a read-only role and get prioritized findings in minutes — no sales call.