There's a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets

Andrea Continella, Mario Polino, Marcello Pogliani, Stefano Zanero

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

27 Citations (Scopus)


Cloud storage services are an efficient solution for a variety of use cases, allowing even non-skilled users to benefit from fast, reliable and easy-to-use storage. However, using public cloud services for storage comes with security and privacy concerns. In fact, managing access control at scale is often particularly hard, as the size and complexity rapidly increases, especially when the role of access policies is underestimated, resulting in dangerous misconfigurations.

In this paper, we investigate the usage of Amazon S3, one of the most popular cloud storage services, focusing on automatically analyzing and discovering misconfigurations that affect security and privacy. We developed a tool that automatically performs security checks of S3 buckets, without storing nor exposing any sensitive data. This tool is intended for developers, end-users, enterprises, and any other organization that makes extensive use of S3 buckets. We validate our tool by performing the first comprehensive, large-scale analysis of 240,461 buckets, obtaining insights on the most common mistakes in access control policies. The most concerning one is certainly the (unwanted) exposure of storage buckets: These can easily leak sensitive data, such as private keys, credentials and database dumps, or allow attackers to tamper with their resources.

To raise awareness on the risks and help users to secure their storage services, we show how attackers could exploit unsecured S3 buckets to deface or deliver malicious content through websites that relies on S3 buckets. In fact, we identify 191 vulnerable websites. Finally, we propose a browser extension that prevents loading resources hosted in unsecured buckets, intended either for end-users, as a mitigation against vulnerable websites, and for developers and software testers, as a way to check for misconfigurations.
Original languageEnglish
Title of host publicationACSAC '18
Subtitle of host publicationProceedings of the 34th Annual Computer Security Applications Conference
Place of PublicationNew York, NY
PublisherACM Publishing
ISBN (Print)978-1-4503-6569-7
Publication statusPublished - 1 Dec 2018
Externally publishedYes
Event34th Annual Computer Security Applications Conference, ACSAC 2018 - San Juan, Puerto Rico, United States
Duration: 3 Dec 20187 Dec 2018
Conference number: 34


Conference34th Annual Computer Security Applications Conference, ACSAC 2018
Abbreviated titleACSAC
Country/TerritoryUnited States
CitySan Juan, Puerto Rico


  • Cybersecurity
  • Computer systems
  • Security
  • Cloud computing
  • Misconfigurations
  • Vulnerabilities


Dive into the research topics of 'There's a Hole in that Bucket! A Large-scale Analysis of Misconfigured S3 Buckets'. Together they form a unique fingerprint.

Cite this