
How to Find All Publicly Accessible S3 Buckets in Your AWS Account

Joe Karlsson


Publicly accessible S3 buckets are a leading cause of cloud data breaches, exposing millions of sensitive records annually. This guide shows how to use CloudQuery to identify at-risk buckets and enhance your AWS security posture.
By the end of this post, you will:
  1. Learn how to sync your AWS S3 data with CloudQuery.
  2. Understand the risks associated with public S3 buckets.
  3. Run queries to identify publicly accessible buckets using CloudQuery.

What is CloudQuery? #

CloudQuery streamlines cloud asset management by enabling you to query and analyze your cloud data across all regions and cloud providers. Beyond listing publicly accessible S3 buckets, it helps you inventory your cloud assets, monitor compliance, optimize cloud costs, and improve overall governance with a centralized, queryable view of your cloud environment.

How to sync your AWS Cloud Data with CloudQuery #

Here is a step-by-step guide on how to configure the AWS Source integration and use the collected data.
  1. Sign Up for CloudQuery: Start by creating a CloudQuery account to get started.
  2. Set Up Your Sync: Configure a new sync using the AWS Source Integration. Make sure you have read-only access to your AWS account to enable data syncing; refer to the authentication guide for details. For this post, your sync needs all of the following S3 tables:
    tables: [
      "aws_s3_buckets",
      "aws_s3_bucket_policies",
      "aws_s3_bucket_public_access_blocks",
      "aws_s3_bucket_grants",
      "aws_s3_access_points"
    ]
  3. Run Your Data Sync: Click the “Run Sync” button to pull your AWS data into CloudQuery. Once synced, you can query and analyze your S3 inventory.

Analyzing your Data #

With CloudQuery, you can run queries about your synced data directly in the integrated SQL Editor.

Find All S3 Buckets with Public Policies #

Public policies (e.g., Principal: "*") expose buckets to anyone. A statement is public only when its Effect is Allow and its Principal is everyone, written either as "*" or as {"AWS": "*"}, and every statement in the policy needs checking, not just the first. A wildcard Principal paired with a Condition (a source VPC or IP restriction, for example) is not necessarily public and deserves a manual review. Use this query to identify such configurations:
SELECT
   b.name AS bucket_name,
   b.arn AS bucket_arn,
   p.policy_json AS access_details
FROM
   aws_s3_buckets AS b
JOIN
   aws_s3_bucket_policies AS p
ON
   b.arn = p.bucket_arn
WHERE
   -- a statement is public only when it allows AND names everyone as principal;
   -- walk every statement rather than only Statement[0]
   arrayExists(
      s -> JSONExtractString(s, 'Effect') = 'Allow'
           AND (JSONExtractString(s, 'Principal') = '*'
                OR JSONExtractString(s, 'Principal', 'AWS') = '*'),
      JSONExtractArrayRaw(p.policy_json, 'Statement')
   );

Find S3 Buckets with Public Grants #

Grants to AllUsers or AuthenticatedUsers allow broad access to bucket contents. These are ACL grants, a legacy mechanism that S3 disables on new buckets by default (Object Ownership set to "Bucket owner enforced"); in the S3 API the two groups appear as grantee URIs (http://acs.amazonaws.com/groups/global/AllUsers and .../AuthenticatedUsers), so if this query returns nothing, confirm which column your synced schema stores the group in:
SELECT
   b.name AS bucket_name,
   b.arn AS bucket_arn,
   g.permission AS access_details
FROM
   aws_s3_buckets AS b
LEFT JOIN
   aws_s3_bucket_grants AS g
ON
   b.arn = g.bucket_arn
WHERE
   g.grantee_type IN ('AllUsers', 'AuthenticatedUsers');

Find S3 Buckets with Disabled Public Access Blocks #

Public access blocks prevent accidental exposure. A bucket with no block configuration at all is the least protected, so this query treats a missing configuration the same as a disabled setting, and it checks all four settings (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets). Keep in mind that an account-level public access block, if set, applies on top of these bucket-level settings:
SELECT
   b.name AS bucket_name,
   b.arn AS bucket_arn,
   pab.public_access_block_configuration AS access_details
FROM
   aws_s3_buckets AS b
LEFT JOIN
   aws_s3_bucket_public_access_blocks AS pab
ON
   b.arn = pab.bucket_arn
WHERE
   -- no configuration at all (nothing is blocked) ...
   pab.bucket_arn IS NULL
   -- ... or any one of the four settings switched off
   OR JSONExtractBool(pab.public_access_block_configuration, 'BlockPublicAcls') = false
   OR JSONExtractBool(pab.public_access_block_configuration, 'IgnorePublicAcls') = false
   OR JSONExtractBool(pab.public_access_block_configuration, 'BlockPublicPolicy') = false
   OR JSONExtractBool(pab.public_access_block_configuration, 'RestrictPublicBuckets') = false;

How to Find All Publicly Accessible S3 Buckets in Your AWS Account #

Use this single query to detect all publicly accessible S3 buckets. It combines the three checks above with UNION ALL, tagging each row with the signal that matched. The union is wrapped in a subquery so that the final ORDER BY sorts the combined result instead of only the last SELECT:
-- Query to find all publicly accessible S3 buckets
SELECT *
FROM
(
   -- Buckets with overly permissive bucket policies
   SELECT
     b.name AS bucket_name,
     b.arn AS bucket_arn,
     'policy' AS access_type,
     p.policy_json AS access_details
   FROM
     aws_s3_buckets AS b
   JOIN
     aws_s3_bucket_policies AS p
   ON
     b.arn = p.bucket_arn
   WHERE
     arrayExists(
        s -> JSONExtractString(s, 'Effect') = 'Allow'
             AND (JSONExtractString(s, 'Principal') = '*'
                  OR JSONExtractString(s, 'Principal', 'AWS') = '*'),
        JSONExtractArrayRaw(p.policy_json, 'Statement')
     )

   UNION ALL

   -- Buckets with public ACL grants
   SELECT
     b.name AS bucket_name,
     b.arn AS bucket_arn,
     'grant' AS access_type,
     g.permission AS access_details
   FROM
     aws_s3_buckets AS b
   JOIN
     aws_s3_bucket_grants AS g
   ON
     b.arn = g.bucket_arn
   WHERE
     g.grantee_type IN ('AllUsers', 'AuthenticatedUsers')

   UNION ALL

   -- Buckets with missing or disabled public access blocks
   SELECT
     b.name AS bucket_name,
     b.arn AS bucket_arn,
     'public_access_block' AS access_type,
     pab.public_access_block_configuration AS access_details
   FROM
     aws_s3_buckets AS b
   LEFT JOIN
     aws_s3_bucket_public_access_blocks AS pab
   ON
     b.arn = pab.bucket_arn
   WHERE
     pab.bucket_arn IS NULL
     OR JSONExtractBool(pab.public_access_block_configuration, 'BlockPublicAcls') = false
     OR JSONExtractBool(pab.public_access_block_configuration, 'IgnorePublicAcls') = false
     OR JSONExtractBool(pab.public_access_block_configuration, 'BlockPublicPolicy') = false
     OR JSONExtractBool(pab.public_access_block_configuration, 'RestrictPublicBuckets') = false
) AS public_buckets
ORDER BY bucket_name, access_type;
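The UNION ALL list above tells you which signal fired, but not whether a public policy or ACL is actually still in force once the bucket's public access block settings are applied. The query below is an added example, not code from the original post or from CloudQuery. It assumes the ClickHouse dialect that the page's JSONExtract* functions imply, and the table and column names used on this page (aws_s3_buckets, aws_s3_bucket_policies, aws_s3_bucket_grants, aws_s3_bucket_public_access_blocks). It goes beyond the page's policy check by inspecting every statement, accepting the three common spellings of a wildcard principal, and flagging statements that carry a Condition for manual review, and it produces one row per bucket with an exposure verdict.

```sql
-- Added example (not from the original post): one row per bucket with every
-- public-access signal and an "exposure" verdict. Assumes the ClickHouse
-- dialect implied by the page's JSONExtract* functions and the table and
-- column names used on this page.
WITH
    policy_signal AS (
        SELECT
            bucket_arn,
            -- an Allow statement whose principal is everyone
            -- ("*", {"AWS": "*"} or {"AWS": ["*", ...]}) and that has no Condition
            max(arrayExists(
                s -> JSONExtractString(s, 'Effect') = 'Allow'
                     AND (JSONExtractString(s, 'Principal') = '*'
                          OR JSONExtractString(s, 'Principal', 'AWS') = '*'
                          OR has(JSONExtractArrayRaw(s, 'Principal', 'AWS'), '"*"'))
                     AND NOT JSONHas(s, 'Condition'),
                JSONExtractArrayRaw(policy_json, 'Statement'))) AS policy_public,
            -- same principal test, but the statement carries a Condition
            max(arrayExists(
                s -> JSONExtractString(s, 'Effect') = 'Allow'
                     AND (JSONExtractString(s, 'Principal') = '*'
                          OR JSONExtractString(s, 'Principal', 'AWS') = '*'
                          OR has(JSONExtractArrayRaw(s, 'Principal', 'AWS'), '"*"'))
                     AND JSONHas(s, 'Condition'),
                JSONExtractArrayRaw(policy_json, 'Statement'))) AS policy_conditional
        FROM aws_s3_bucket_policies
        GROUP BY bucket_arn
    ),
    acl_signal AS (
        SELECT
            bucket_arn,
            groupUniqArray(permission) AS public_grants
        FROM aws_s3_bucket_grants
        WHERE grantee_type IN ('AllUsers', 'AuthenticatedUsers')
        GROUP BY bucket_arn
    ),
    pab_signal AS (
        SELECT
            bucket_arn,
            JSONExtractBool(public_access_block_configuration, 'IgnorePublicAcls')      AS ignore_public_acls,
            JSONExtractBool(public_access_block_configuration, 'RestrictPublicBuckets') AS restrict_public_buckets
        FROM aws_s3_bucket_public_access_blocks
    )
SELECT
    b.name AS bucket_name,
    b.arn  AS bucket_arn,
    coalesce(p.policy_public, 0)      AS has_public_policy,
    coalesce(p.policy_conditional, 0) AS has_conditional_public_policy,
    a.public_grants                   AS public_acl_grants,
    -- unmatched LEFT JOIN rows may come back as NULL or as '' depending on the
    -- editor's join settings; treat both as "no configuration"
    (coalesce(pab.bucket_arn, '') != '') AS has_public_access_block,
    multiIf(
        -- an existing public policy is only neutralised by RestrictPublicBuckets
        has_public_policy = 1 AND coalesce(pab.restrict_public_buckets, 0) = 0,
            'PUBLIC_VIA_POLICY',
        -- an existing public ACL grant is only neutralised by IgnorePublicAcls
        notEmpty(public_acl_grants) AND coalesce(pab.ignore_public_acls, 0) = 0,
            'PUBLIC_VIA_ACL',
        has_conditional_public_policy = 1,
            'REVIEW_CONDITIONAL_POLICY',
        has_public_policy = 1 OR notEmpty(public_acl_grants),
            'PUBLIC_CONFIG_BUT_BLOCKED',
        NOT has_public_access_block,
            'NO_PUBLIC_ACCESS_BLOCK',
        'NOT_PUBLIC'
    ) AS exposure
FROM aws_s3_buckets AS b
LEFT JOIN policy_signal AS p   ON b.arn = p.bucket_arn
LEFT JOIN acl_signal    AS a   ON b.arn = a.bucket_arn
LEFT JOIN pab_signal    AS pab ON b.arn = pab.bucket_arn
ORDER BY exposure, bucket_name;
```

Two limitations to keep in mind when reading the verdicts: the query does not evaluate explicit Deny statements, which can override an Allow elsewhere in the same policy, and it only sees bucket-level public access block settings, while an account-level block (not among the tables synced on this page) applies on top of them. A bucket marked PUBLIC_CONFIG_BUT_BLOCKED is safe today only as long as nobody relaxes the block, so it still belongs on the cleanup list.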

Beyond Public Access: Other Key S3 Security Queries #

Buckets Without Encryption Enabled #

Ensuring that your S3 buckets have encryption enabled is critical for protecting sensitive data at rest. Without encryption, data stored in your buckets is more vulnerable to unauthorized access. Since January 2023 S3 applies SSE-S3 default encryption to every bucket, so this query often returns nothing; a bucket it does return is either missing from the sync or has had its default encryption configuration removed, and the more useful follow-up is to check which buckets rely on the SSE-S3 default rather than an SSE-KMS key you control. Use the following query to identify any S3 buckets that lack encryption configurations:
SELECT
   b.name AS bucket_name,
   b.arn AS bucket_arn
FROM
   aws_s3_buckets AS b
LEFT JOIN
   aws_s3_bucket_encryption_rules AS e
ON
   b.arn = e.bucket_arn
WHERE
   e.bucket_arn IS NULL;

List Buckets with No Object Lock Configurations #

Object Lock prevents deletion or modification of objects, which is critical for compliance and data retention. This query checks for buckets without this feature enabled.
SELECT
   b.name AS bucket_name,
   b.arn AS bucket_arn
FROM
   aws_s3_buckets AS b
LEFT JOIN
   aws_s3_bucket_object_lock_configurations AS olc
ON
   b.arn = olc.bucket_arn
WHERE
   olc.bucket_arn IS NULL;

List Buckets with Expired or No Lifecycle Rules #

Lifecycle rules are essential for cost optimization by archiving or deleting old objects. Lifecycle rules do not expire on their own, so this query finds buckets with no lifecycle rules at all and, for buckets that do have rules, returns the rules that define an expiration action so you can confirm they still match your retention requirements.
SELECT
    b.name AS bucket_name,
    b.arn  AS bucket_arn
FROM
    aws_s3_buckets AS b
LEFT JOIN
    aws_s3_bucket_lifecycles AS lc
ON
    b.arn = lc.bucket_arn
WHERE
    lc.bucket_arn IS NULL OR lc.expiration IS NOT NULL;

Wrap Up #

In this blog post, you learned how to identify publicly accessible S3 buckets in your AWS account using CloudQuery. You discovered how to sync your AWS data into CloudQuery, run targeted queries to uncover potential security risks and consolidate everything into a comprehensive solution. With this data, you can take proactive steps to protect sensitive data and strengthen your cloud security posture.
CloudQuery isn’t just about securing S3 buckets. It’s the most customizable cloud governance solution that allows you to pull cloud data from any cloud provider. From smarter audits to better asset inventories, CloudQuery makes it easy for your team to take control of your cloud environments. Start managing your cloud assets more effectively today. Contact us to start using CloudQuery today.
Have questions or need help? Join our growing CloudQuery Developer Community, where you can connect with fellow developers, share insights, and access a wealth of knowledge. Whether you’re exploring new use cases or solving tricky challenges, the community is here to support you.
Finally, let us know how your team is tackling cloud security! Share your thoughts and use cases with us on LinkedIn, X, or in our Community Forum.

FAQs #

Why is it important to check for publicly accessible S3 buckets? #

Publicly accessible S3 buckets pose a significant security risk, as they can expose sensitive data to unauthorized users. Identifying and securing these buckets helps prevent data breaches, compliance violations, and other costly incidents.

What’s the difference between bucket policies, grants, and public access blocks? #

  • Bucket Policies: Define permissions at the bucket level, specifying who can access the bucket and what actions they can take.
  • Grants: ACL entries, a legacy mechanism, that give specific AWS accounts or predefined groups (such as AllUsers) permissions on the bucket or on individual objects.
  • Public Access Blocks: Provide a high-level control, at the bucket or account level, that blocks or ignores public policies and ACLs regardless of what those policies and ACLs say.

How can I ensure all my S3 buckets are encrypted? #

Run a query to identify buckets without encryption configurations, like the one in this blog post. Then, encryption for those buckets can be enabled using AWS Management Console, AWS CLI, or Infrastructure-as-Code tools.

What should I do if I find a publicly accessible S3 bucket? #

  • Review the bucket’s permissions to understand why it’s accessible.
  • Update bucket policies to restrict access.
  • Enable public access blocks to enforce restrictions at a higher level.
  • Notify your team and monitor logs for potential unauthorized access.

Written by Joe Karlsson

Joe Karlsson (He/They) is an Engineer turned Developer Advocate (and massive nerd). Joe empowers developers to think creatively when building applications, through demos, blogs, videos, or whatever else developers need.
