AWS’s **Trusted Advisor** tool, designed to alert customers if their **S3 storage buckets** are publicly exposed, was found to be vulnerable to manipulation by **Fog Security researchers**. By tweaking **bucket policies** or **ACLs** (Access Control Lists) and adding **deny policies** (e.g., blocking `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, or `s3:GetBucketAcl`), attackers or misconfigured users could make buckets **publicly accessible** while preventing Trusted Advisor from detecting the exposure. This flaw allowed **potential data exfiltration** without triggering security warnings, posing risks of **unauthorized access to sensitive data**.

The issue was privately reported to AWS, which implemented fixes in **June 2025** to correct Trusted Advisor’s detection logic. However, concerns remain about **inadequate user notifications**, as some accounts (including the researcher’s test account) did not receive alerts, leaving them unaware of the need to recheck bucket permissions. AWS recommended enabling **Block Public Access settings**, retiring **legacy ACLs**, and using **IAM policies** for stricter control. Fog Security also released an **open-source scanning tool** to help users identify misconfigured S3 buckets.

The vulnerability highlights risks of **insider threats (malicious or accidental)**, **credential compromise**, and **misconfigurations** leading to **unintended public exposure of data**, potentially affecting **customer trust, compliance, and data security**.
Source: https://www.helpnetsecurity.com/2025/08/21/aws-s3-public-bucket-warning-alert-trusted-advisor/
TPRM report: https://www.rankiteo.com/company/amazon-web-services
"id": "ama505082225",
"linkid": "amazon-web-services",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All AWS customers using S3 buckets and Trusted Advisor (potential impact depends on bucket configurations)',
                        'industry': 'Technology/Cloud Computing',
                        'location': 'Global',
                        'name': 'Amazon Web Services (AWS)',
                        'size': 'Large Enterprise',
                        'type': 'Cloud Service Provider'}],
 'attack_vector': ['Insider Threat (Malicious or Accidental)',
                   'Compromised AWS Credentials',
                   'Policy Manipulation'],
 'customer_advisories': ['Enable Block Public Access Settings.',
                         'Review and retire ACLs in favor of IAM policies.',
                         'Scan S3 buckets for unintended public exposure using tools like Fog Security’s open-source scanner.'],
 'data_breach': {'data_exfiltration': 'Possible (if attackers exploit the misconfiguration)',
                 'personally_identifiable_information': 'Possible (if stored in affected buckets)',
                 'sensitivity_of_data': 'Varies (high risk if buckets contain sensitive/regulated data)',
                 'type_of_data_compromised': 'Potential exposure of any data stored in misconfigured S3 buckets (e.g., PII, financial data, proprietary information)'},
 'date_resolved': '2025-06',
 'description': 'Fog Security researchers discovered a vulnerability in AWS’s Trusted Advisor tool, which failed to detect publicly exposed S3 storage buckets due to specific bucket policy misconfigurations. Attackers or malicious insiders could exploit this to make S3 buckets publicly accessible without triggering Trusted Advisor warnings. The issue was privately reported to AWS and fixed in June 2025, but concerns remain about inadequate customer notifications and potential lingering misconfigurations.',
 'impact': {'brand_reputation_impact': 'Risk of reputational damage for AWS and affected customers if data breaches occur due to undetected exposures',
            'data_compromised': 'Potential exposure of sensitive data in publicly accessible S3 buckets (scope depends on bucket contents)',
            'identity_theft_risk': 'High (if PII is stored in affected buckets)',
            'legal_liabilities': 'Potential compliance violations (e.g., GDPR, CCPA) if sensitive data is exposed',
            'operational_impact': 'False sense of security due to undetected public bucket exposure; potential for unauthorized data access or exfiltration',
            'payment_information_risk': 'High (if payment data is stored in affected buckets)',
            'systems_affected': ['AWS S3 Buckets', 'Trusted Advisor Security Checks']},
 'investigation_status': 'Resolved (fix implemented by AWS in June 2025)',
 'lessons_learned': ['Over-reliance on automated security tools (e.g., Trusted Advisor) can create blind spots if their detection mechanisms are bypassable.',
                     'Complex IAM/bucket policies increase the risk of misconfigurations that may not be caught by standard checks.',
                     'Proactive manual reviews and third-party tools are critical for validating cloud security postures.',
                     'Customer notifications for security issues must be comprehensive and clear about risks.'],
 'motivation': ['Data Exfiltration', 'Unauthorized Data Access', 'Covert Persistence', 'Accidental Exposure'],
 'post_incident_analysis': {'corrective_actions': ['AWS updated Trusted Advisor to bypass or account for `Deny` policies that previously blocked its checks.',
                                                   'Customer guidance issued to enforce Block Public Access and migrate from ACLs to IAM policies.',
                                                   'Open-source tool provided by Fog Security to help customers audit S3 configurations.'],
                            'root_causes': ['Trusted Advisor’s inability to detect public bucket status when specific `Deny` policies block its checks (`s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`).',
                                            'Overlap between legacy ACLs and modern bucket policies creating confusion and misconfiguration risks.',
                                            'Lack of redundant validation mechanisms to cross-check bucket exposure status.']},
 'recommendations': ['Enable AWS Block Public Access Settings at both account and bucket levels.',
                     'Replace legacy ACLs with IAM policies for finer-grained access control.',
                     'Regularly audit S3 bucket configurations using AWS tools and third-party scanners (e.g., Fog Security’s open-source tool).',
                     'Monitor for unusual access patterns or policy changes in S3 buckets.',
                     'AWS should improve the clarity and reach of security advisories to ensure all affected customers are notified.'],
 'references': [{'source': 'Help Net Security'}, {'source': 'Fog Security Research'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of GDPR, CCPA, HIPAA, or other data protection laws if sensitive data is exposed']},
 'response': {'communication_strategy': ['AWS sent emails to customers (though coverage may be incomplete)',
                                         'Public disclosure via cybersecurity news outlets (e.g., Help Net Security)'],
              'containment_measures': ['AWS implemented fixes to Trusted Advisor in June 2025 to correctly detect misconfigured buckets',
                                       'Emails sent to customers notifying them of the issue and fixes'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['AWS Trusted Advisor now displays correct bucket status',
                                    'Open-source tool released by Fog Security to scan S3 resources for access issues'],
              'remediation_measures': ['Customers advised to enable Block Public Access Settings at account and bucket levels',
                                       'Switch from ACLs to IAM policies recommended',
                                       'Manual review of S3 bucket configurations urged'],
              'third_party_assistance': ['Fog Security (researchers who discovered the issue)']},
 'stakeholder_advisories': 'AWS sent emails to customers (potentially incomplete); public disclosure via cybersecurity media.',
 'threat_actor': ['Malicious Insiders (e.g., disgruntled employees)',
                  'External Attackers with Compromised Credentials',
                  'Accidental Misconfiguration by Legitimate Users'],
 'title': 'AWS Trusted Advisor Misconfiguration Vulnerability Allows Public S3 Bucket Exposure Without Detection',
 'type': ['Misconfiguration', 'Security Bypass', 'Data Exposure Risk'],
 'vulnerability_exploited': 'AWS Trusted Advisor Bypass via S3 Bucket Policy Misconfiguration (Deny Rules for `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`)'}