AWS Trusted Advisor vulnerability hides public S3 buckets

AWS’s Trusted Advisor tool is designed to alert customers about the public exposure of their S3 storage buckets. However, recent findings by Fog Security researchers indicate that this tool can be manipulated to report buckets as not exposed, even when they are. Amazon S3 offers various access protection mechanisms, including IAM users, roles, and policies, bucket policies, and access control lists (ACLs). While AWS encourages the use of bucket policies over ACLs, it also provides a “Block Public Access” feature to prevent unintended public access. By default, new S3 buckets block all public access, but users may disable this feature for public content.

Fog Security’s research revealed that by adjusting certain bucket policies, S3 buckets could be made publicly accessible without Trusted Advisor detecting the change. This manipulation can occur by setting the S3 bucket policy or ACL to allow public access and adding deny policies that prevent Trusted Advisor from checking the bucket’s status. Such policy changes could be executed by malicious insiders or attackers with compromised credentials, potentially leading to data exfiltration without raising alarms. Fortunately, AWS has addressed this issue, and as of June 2025, Trusted Advisor now accurately displays bucket statuses and warns users of potential exposure. AWS has communicated this fix to users, although concerns remain regarding the adequacy of the notifications sent. Fog Security advises AWS S3 users to enable comprehensive security checks to ensure that only intended buckets are publicly accessible.