April 4, 2026 · Tim Fraser, Cloud Operations Lead
Is My S3 Bucket Public? How to Check (Before Someone Else Does)
Public S3 buckets are one of the most common sources of data breaches on AWS. Capital One, Twitch, and dozens of smaller companies have been hit by exposed S3 data. The AWS console even shows a bright orange "Public" badge on buckets — but only if you know where to look.
If you've inherited an AWS account and you're not sure whether your S3 buckets are properly locked down, here's how to check.
Why S3 buckets end up public
It's rarely intentional. Common causes:
- Legacy bucket policies — someone needed to share a file years ago and made the bucket public. The sharing stopped, the policy didn't.
- ACLs set to public-read — the old way of managing S3 permissions. A bucket can look private in the console but have ACLs granting public access.
- Website hosting — S3 static website hosting requires public access. Sometimes a bucket that was briefly used for a demo site retains its public config.
- Cross-account access gone wrong — a policy meant to grant access to one specific account accidentally uses "Principal": "*", which means everyone.
Step 1: Check the S3 console
Go to S3 in the AWS console. Look at the Access column. Any bucket showing "Public" or "Objects can be public" needs immediate investigation.
AWS also shows a "Block public access" column. Buckets with all four block settings enabled are safe. Anything else needs a closer look.
Step 2: Check Block Public Access settings
Click on each bucket → Permissions → Block public access. There are four settings:
- BlockPublicAcls — prevents new public ACLs from being added
- IgnorePublicAcls — ignores existing public ACLs
- BlockPublicPolicy — prevents new public bucket policies
- RestrictPublicBuckets — restricts access from public policies to only AWS services
If all four are On, the bucket cannot be made public regardless of its policy or ACLs. This is the safest configuration.
Step 3: Check bucket policies
Still in the Permissions tab, look at the Bucket policy. Search for these patterns:
"Principal": "*"
"Principal": {"AWS": "*"}
Either of these means "anyone" — including people outside your AWS account. Combined with an Allow effect, this makes the bucket contents accessible to the world.
Not all "Principal": "*" policies are dangerous — some include Condition clauses that restrict access (e.g., requiring a specific VPC endpoint). But if you see it without conditions, treat it as a problem.
Step 4: Check ACLs
Go to Permissions → Access Control List. Look for:
- Everyone (public access) — if this group has any permissions (List, Read, Write), the bucket is public
- Authenticated users group — this doesn't mean "users in your account." It means "anyone with any AWS account," which is effectively the same as public
Step 5: Check at the account level
Go to S3 → Block Public Access settings for this account. These are account-level overrides that apply to ALL buckets. If all four settings are enabled here, no bucket in the account can be public — this is the nuclear option and it's usually the right one for accounts that don't need any public S3 access.
Step 6: Test it
For any bucket you're unsure about, try accessing it from outside your AWS account:
curl -i https://your-bucket-name.s3.ap-southeast-2.amazonaws.com/
(-i prints the response headers together with the body; -I would send a HEAD request and never show a listing.) If you get a 200 with an XML ListBucketResult body listing objects, the bucket is publicly listable. A 403 AccessDenied error with no object listing means listing is blocked. A blocked listing doesn't prove the objects are private, though: a bucket can deny listing yet still serve any object whose key is known, so fetch the URL of a known object as well.
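The checks in Steps 2 to 4 (Block Public Access flags, wildcard principals in the bucket policy, and grants to the two global ACL groups) can be combined into one verdict. This is an added example, not code from the post or from plainfra; it runs over a constructed policy document and ACL grant list instead of a live account, and the bucket name, Sids, owner id and VPC endpoint id are made up.

```python
import json

# ACL grantee URIs that mean "public" (Step 4): AllUsers is "Everyone", AuthenticatedUsers is any AWS account
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (public access)",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Authenticated users group"}

def principal_is_wildcard(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def wildcard_allow_statements(policy_json):
    """(Sid, has_condition) for each Allow statement whose Principal is a wildcard (Step 3)."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # Statement may be a single object
    return [(s.get("Sid", "<no Sid>"), bool(s.get("Condition"))) for s in stmts
            if s.get("Effect") == "Allow" and principal_is_wildcard(s.get("Principal"))]

def public_acl_grants(grants):
    """(group, permission) for each grant to the AllUsers / AuthenticatedUsers groups (Step 4)."""
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def assess_bucket(bpa, policy_json, grants):
    """Return (verdict, findings); verdict is 'public', 'review' or 'not public'. Findings are
    listed even when Block Public Access neutralises them, so the underlying policy/ACL gets cleaned up."""
    findings, exposed, review = [], False, False
    for sid, conditioned in wildcard_allow_statements(policy_json):
        findings.append(f"policy {sid}: wildcard principal, " + ("has Condition" if conditioned else "unconditional"))
        if not bpa.get("RestrictPublicBuckets"):  # RestrictPublicBuckets limits an existing public policy
            exposed, review = exposed or not conditioned, review or conditioned
    for group, perm in public_acl_grants(grants):
        findings.append(f"ACL: {group} has {perm}")
        exposed = exposed or not bpa.get("IgnorePublicAcls")  # IgnorePublicAcls makes existing public ACLs inert
    return ("public" if exposed else "review" if review else "not public"), findings

# Constructed sample: a leftover demo share, a VPC-endpoint-restricted statement, and a public-read ACL
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OldDemoShare", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
SAMPLE_GRANTS = [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-EXAMPLE"}, "Permission": "FULL_CONTROL"},
                 {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {k: True for k in BPA_OFF}
```

assess_bucket(BPA_OFF, SAMPLE_POLICY, SAMPLE_GRANTS) returns 'public' with three findings; with BPA_ON the verdict is 'not public' but the same three findings are still reported for cleanup.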
What to do when you find a public bucket
- Don't panic — check what's actually in the bucket first. Public buckets containing static website assets are fine. Public buckets containing customer data are a crisis.
- Enable Block Public Access — on the bucket level, turn on all four settings. This immediately locks it down.
- Check CloudTrail — search for GetObject events on that bucket. Were there unexpected downloads from unknown IPs? Note that GetObject is an S3 data event, which CloudTrail only records if data event logging is enabled for the bucket or trail; if it isn't, you won't find it and should enable it for next time.
- Remove the public policy/ACL — once Block Public Access is on, clean up the underlying policy so it doesn't accidentally become public again if someone toggles the block setting off.
The problem with manual checks
S3 buckets don't stay checked. New buckets get created. Policies get modified. A developer enables static website hosting "just for testing" and forgets to revert it. The audit you did last month is already stale.
This is exactly what plainfra's weekly health report catches. Every week, plainfra scans all your S3 buckets across all your connected AWS accounts — checking policies, ACLs, Block Public Access settings, and website hosting configuration. If anything is publicly accessible that wasn't last week, it shows up in Monday's report.
You can also ask plainfra directly:
> "Are any of our S3 buckets public?"
plainfra checks every bucket, every policy, every ACL, across every region — and gives you a clear yes or no with specifics. It takes about 10 seconds.
The weekly reports matter more though. They run automatically across all your accounts, flag the things that need attention, and land in your inbox without you having to think about it. When a new public bucket appears — because someone will eventually create one — you'll know about it within the week, not when a security researcher emails your CEO.
Try plainfra free → 50K tokens, 7 days, no charge. Or see the interactive demo →.