AWS Trusted Advisor flaw permitted public S3 buckets to remain unflagged.
AWS’s Trusted Advisor tool is designed to alert customers about the public exposure of their S3 storage buckets. However, recent findings by Fog Security researchers indicate that this tool can be manipulated to report buckets as not exposed, even when they are. Amazon S3 offers various access protection mechanisms, including IAM users, roles, and policies, bucket policies, and access control lists (ACLs). While AWS encourages the use of bucket policies over ACLs, it also provides a “Block Public Access” feature to prevent unintended public access. By default, new S3 buckets block all public access, but users may disable this feature for public content.
Fog Security’s research revealed that by adjusting certain bucket policies, S3 buckets could be made publicly accessible without Trusted Advisor detecting the change. This manipulation can occur by allowing public access through bucket policies or ACLs and adding deny policies that prevent Trusted Advisor from checking the bucket’s status. Such changes could be executed by malicious insiders or attackers with compromised credentials, leading to potential data exfiltration. Although AWS has since addressed this issue, implementing fixes in June 2025, concerns remain regarding the adequacy of communication to users about the severity of the problem. Fog Security advises AWS S3 users to conduct thorough checks of their bucket permissions to ensure that only intended buckets are publicly accessible.
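The check Fog Security recommends can be automated. The script below is an added example, not Fog Security's or AWS's code: it reviews the three per-bucket inputs the summary names (Block Public Access settings, bucket policy, ACL) and flags disabled block settings, public principals, public ACL grantees and, as an assumption about how a policy could hide a bucket from a checker, any Deny statement that covers the read-only `s3:GetBucket*` actions an auditor needs. The inputs are constructed inline so it runs offline; in practice you would fetch them per bucket with boto3's `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl`. Bucket names, policy statements and grants are sample values, not real resources.

```python
"""Offline checker for the S3 exposure signals discussed above (added example)."""
import fnmatch
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# ACL group URIs that make an object or bucket readable by anyone / any AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Assumption: a Deny that covers any of these read-only actions is treated as
# "hides the bucket's configuration from an inspecting principal".
INSPECTION_ACTIONS = (
    "s3:GetBucketPolicy",
    "s3:GetBucketPolicyStatus",
    "s3:GetBucketAcl",
    "s3:GetBucketPublicAccessBlock",
)


def _as_list(value):
    """IAM documents allow a scalar or a list for Statement/Action/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or any provider key (e.g. "AWS") containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _action_covered(patterns, action):
    """Case-insensitive wildcard match, the way IAM evaluates Action strings."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def analyze_bucket(name, public_access_block, policy_json, acl_grants):
    """Return a list of (finding_code, detail) tuples; an empty list means nothing flagged."""
    findings = []

    pab = public_access_block or {}
    disabled = [k for k in PAB_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append(("PAB_NOT_FULLY_ENABLED", f"{name}: {', '.join(disabled)} off"))

    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            cond = " (has Condition, review it)" if "Condition" in stmt else ""
            findings.append(("POLICY_PUBLIC_ALLOW", f"{name}/{sid}: public principal may {actions}{cond}"))
        if stmt.get("Effect") == "Deny":
            hidden = [a for a in INSPECTION_ACTIONS if _action_covered(actions, a)]
            if hidden:
                findings.append(("POLICY_DENIES_INSPECTION", f"{name}/{sid}: denies {hidden}"))

    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            group = uri.rsplit("/", 1)[-1]
            findings.append(("ACL_PUBLIC_GRANT", f"{name}: {grant.get('Permission')} granted to {group}"))

    return findings


# --- constructed sample inputs (not real buckets or policies) ---
SAFE_PAB = {k: True for k in PAB_KEYS}
OPEN_PAB = {k: False for k in PAB_KEYS}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "HideConfig", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:GetBucket*"], "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]


def run_samples():
    """Findings for a locked-down bucket and for the constructed exposed bucket."""
    clean = analyze_bucket("locked-down", SAFE_PAB, None, [])
    exposed = analyze_bucket("example-bucket", OPEN_PAB, SAMPLE_POLICY, SAMPLE_ACL)
    return clean, exposed


if __name__ == "__main__":
    clean, exposed = run_samples()
    print("locked-down:", clean or "no findings")
    for code, detail in exposed:
        print(f"{code:26} {detail}")
```

Run it across every bucket in the account (and keep the account-level Block Public Access setting in mind as well): any bucket producing `POLICY_DENIES_INSPECTION` deserves a manual look, because a policy that stops auditors from reading its configuration is exactly the condition under which a tool-reported "not public" result should not be trusted.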
Categories: S3 Access Control Mechanisms, Trusted Advisor Limitations, Security Best Practices
Tags: S3, Trusted Advisor, Public Access, Bucket Policies, Access Control Lists, IAM, Security Checks, Data Exfiltration, Misconfiguration, AWS