
AWS Trusted Advisor flaw permitted public S3 buckets to remain unflagged.

AWS’s Trusted Advisor tool is designed to alert customers when their S3 storage buckets are publicly exposed. However, recent findings by Fog Security researchers show that the tool could be manipulated into reporting buckets as not exposed even when they were. Amazon S3 offers several access protection mechanisms: IAM users, roles, and policies; bucket policies; and access control lists (ACLs). While AWS encourages the use of bucket policies over ACLs, it also provides a “Block Public Access” feature to prevent unintended public access. By default, new S3 buckets block all public access, but users may disable this feature for content that is meant to be public.

Fog Security’s research revealed that, by adjusting certain bucket policies, S3 buckets could be made publicly accessible without Trusted Advisor detecting the change. The manipulation works by setting the S3 bucket policy or ACL to allow public access and then adding deny policies that prevent Trusted Advisor from checking the bucket’s status. Such changes could be made by malicious insiders or by attackers with compromised credentials, leading to potential data exfiltration. AWS has since addressed the issue: as of June 2025, Trusted Advisor accurately displays bucket statuses and warns users of public exposure. Despite AWS’s communication about the fix, concerns remain about whether all customers received the notifications they needed to confirm that their S3 bucket permissions are secure. Fog Security advises AWS S3 users to enable comprehensive security checks to safeguard their data.
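The pattern described above has two halves that a defender can look for in a bucket policy document: an Allow statement open to everyone, and a Deny statement aimed at the read-only APIs an exposure scanner needs. The following checker is an added example written for this summary; it is not Fog Security’s tooling or Trusted Advisor’s logic, and the list of audit actions it watches (s3:GetBucketPolicyStatus, s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetBucketPublicAccessBlock) is an assumption about what a scanner relies on rather than something the page states. It runs offline on constructed policy JSON; in practice you would feed it the document returned by the S3 GetBucketPolicy API for each bucket in your accounts.

```python
import fnmatch
import json

# Read-only S3 APIs that an exposure scanner (Trusted Advisor, a CSPM, or an
# in-house audit role) must be able to call to judge a bucket. Assumption:
# the page does not say which calls Trusted Advisor makes; these are standard
# S3 IAM action names chosen for illustration.
AUDIT_READ_ACTIONS = (
    "s3:GetBucketPolicyStatus",
    "s3:GetBucketPolicy",
    "s3:GetBucketAcl",
    "s3:GetBucketPublicAccessBlock",
)

# A Deny whose only condition is "request was not over TLS" does not blind an
# auditor (audit calls use TLS), so it is not reported. Lower-cased for lookup.
HARMLESS_CONDITION_KEYS = {"aws:securetransport"}


def _as_list(value):
    """Most policy fields accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement applies to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matches(pattern, action):
    """Case-insensitive glob match, the way IAM evaluates Action patterns."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """Does this statement's Action/NotAction reach the given API action?"""
    if "NotAction" in stmt:
        # NotAction covers every action EXCEPT the listed patterns.
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))


def _condition_keys(stmt):
    """Collect the condition keys of a statement, lower-cased."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def analyze_bucket_policy(policy_json):
    """Report public Allow statements and Deny statements that blind an auditor.

    Returns the offending statement ids (or a positional id when Sid is
    absent), the audit actions that would be denied, and an overall verdict.
    Any other conditional Deny is still reported: it may or may not hit the
    auditor's principal, so it is left for human review.
    """
    policy = json.loads(policy_json)
    public_allows, audit_denies, denied = [], [], set()
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"stmt-{idx}")
        effect = stmt.get("Effect")
        if effect == "Allow" and _is_public_principal(stmt.get("Principal")):
            public_allows.append(sid)
        elif effect == "Deny":
            cond = _condition_keys(stmt)
            if cond and cond <= HARMLESS_CONDITION_KEYS:
                continue
            hit = [a for a in AUDIT_READ_ACTIONS if _statement_covers(stmt, a)]
            if hit:
                audit_denies.append(sid)
                denied.update(hit)
    if public_allows and audit_denies:
        verdict = "PUBLIC_AND_AUDIT_BLINDED"
    elif public_allows:
        verdict = "PUBLIC"
    elif audit_denies:
        verdict = "AUDIT_BLINDED"
    else:
        verdict = "OK"
    return {"public_allows": public_allows, "audit_denies": audit_denies,
            "denied_audit_actions": sorted(denied), "verdict": verdict}


# Constructed sample policies (not taken from the page or from Fog Security).
# Account id 111122223333 and bucket name are placeholders.
BENIGN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

SUSPECT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "HideFromAudit", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketAcl"],
     "Resource": "arn:aws:s3:::example-bucket"}]})

# Deny-everything-except-GetObject: blinds the auditor without naming any audit API.
NOTACTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllButGet", "Effect": "Deny", "Principal": "*",
     "NotAction": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_POLICY), ("suspect", SUSPECT_POLICY),
                      ("notaction", NOTACTION_POLICY)):
        print(name, analyze_bucket_policy(doc))
```

The NotAction case is worth keeping in a checker like this: a Deny that lists everything except the data-plane call it wants to keep working never mentions an audit API by name, so a scanner that only greps for action strings would miss it. Pair the policy check with the bucket’s Block Public Access settings (GetBucketPublicAccessBlock) and with an account-level scan so that a single bucket’s policy cannot be the only place the exposure is recorded.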

Categories: S3 Access Control Mechanisms, Trusted Advisor Limitations, Security Best Practices

Tags: S3 Buckets, Trusted Advisor, Public Access, Bucket Policies, Access Control Lists, IAM Users, Security Checks, Data Exfiltration, Misconfiguration, AWS Credentials
