Lab 01 · Data Exposure

S3 Data Exposure (Unintended Public Access)

A practical reference for how S3 exposure happens, what the blast radius looks like, and how to detect and prevent it.

Executive summary

  • What broke: S3 access controls allowed unintended public reads.
  • Why it matters: data exposure is often silent and scalable (scraping).
  • How to catch it: alert on policy/ACL changes and unexpected object reads.
  • How to prevent it: Block Public Access + least-privilege policies + guardrails.

Scope & safety

This is designed as a safe lab concept:

  • Use a dedicated test environment (no real data).
  • Only synthetic objects (e.g., dummy text files).
  • Teardown after testing to minimize cost and risk.

Architecture

Minimal setup: one S3 bucket, a few sample objects, and logging/visibility enabled. Optional: central log bucket + Security Hub integration.

Diagram placeholder: add a simple box diagram here later.

The misconfiguration

Common real-world causes:

  • Public access granted via bucket policy during “quick testing” and never reverted.
  • Over-broad principals (e.g., “*”) or permissive conditions.
  • Confusion between ACLs, bucket policy, and Block Public Access settings.

Why this is dangerous

  • Data exposure: sensitive documents, exports, logs, backups.
  • Recon: leaked configs/keys can unlock deeper compromise.
  • Scale: automated scraping can download large volumes quickly.

Exploitation simulation (isolated lab)

Kept intentionally high-level and defender-focused. The goal is to validate what “exposure” looks like and what your telemetry captures.

  • Confirm an unauthenticated/low-priv principal can read a known test object.
  • Observe which logs record the access and what fields you can alert on.
  • Verify that once fixed, the same access attempt fails (regression check).

Detection strategy

  • Change detection: alert on bucket policy/ACL updates and public-access setting changes.
  • Access detection: watch for unusual read patterns on sensitive prefixes.
  • Config monitoring: continuously evaluate buckets for public exposure.

You’re aiming for both: (1) “someone made it public,” and (2) “someone accessed it.”

Remediation

  • Enable and enforce Block Public Access (account + bucket).
  • Replace permissive policies with least-privilege statements.
  • Rotate/remove any data that should never have been exposed.

Hardening checklist

  • Guardrails to prevent public bucket policies (policy checks / org controls).
  • Centralized logging + alerts for high-risk storage changes.
  • Tagging + ownership on buckets (who is responsible when alerts fire?).
  • Periodic review of buckets and access analyzer findings.

Interview talking points

  • I focused on both prevention (guardrails) and detection (signals + alerts).
  • I defined blast radius and prioritized the fastest safe remediation first.
  • I validated the fix by re-running the same access attempt and confirming it fails.

GitHub Repository

Add repo link

← Back to Projects Next Lab →