The bucket you forgot was public
A single misconfigured S3 bucket policy can expose gigabytes of customer data to anyone who finds the name. No exploit, no credentials. Here is the oldest cloud mistake, still happening, and the fix.
The oldest cloud breach is still one of the most common: nobody attacked anything, the door was just left open.
What it is
Amazon S3 buckets are private by default, but a bucket policy, an ACL, or a disabled Block Public Access setting can expose their contents to anyone, sometimes to the entire internet. An attacker, researcher, or bot who discovers the bucket name lists and downloads every object, with no credentials and no exploit. In MITRE ATT&CK terms this is T1530 (Data from Cloud Storage), typically preceded by T1580 (Cloud Infrastructure Discovery).
Why it works
One setting flips an entire bucket from private to public, names are guessable or leaked, and automated scanners find exposed buckets constantly.
How to detect it
Look for three signals: public-access findings from S3 Block Public Access, IAM Access Analyzer, or AWS Config rules; anonymous GetObject and ListBucket requests in S3 server access logs; and CloudTrail records of policy changes that open a bucket.
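The two log-side signals above, worked as Python checks (an added example, not code from the original post): unsigned read or list requests in S3 server access logs, where the requester field is "-", and a CloudTrail PutBucketPolicy record whose new policy allows principal "*" with no Condition. The log lines, the CloudTrail record, the bucket name, and the use of PutBucketPolicy as the event to watch are this example's assumptions.

```python
"""Defender-side checks: unsigned reads in S3 server access logs and a
PutBucketPolicy call that opens a bucket. All samples below are constructed."""
import re
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')   # keep [time] and "..." whole
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status"]
READ_OPS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}  # object download / bucket list

def parse_access_log(line):
    """Name the leading fields of one S3 server access log line."""
    return dict(zip(FIELDS, _TOKEN.findall(line)))

def anonymous_reads(lines):
    """(bucket, operation, key, status) for every unsigned read or list.
    S3 logs '-' as the requester when the request carried no credentials."""
    return [(r["bucket"], r["operation"], r["key"], r["status"])
            for r in map(parse_access_log, lines)
            if r.get("requester") == "-" and r.get("operation") in READ_OPS]

def is_public_statement(stmt):
    """Allow + principal '*' (bare, {"AWS": "*"} or in a list) + no Condition."""
    p = stmt.get("Principal")
    p = p.get("AWS") if isinstance(p, dict) else p
    p = "*" if isinstance(p, list) and "*" in p else p
    return stmt.get("Effect") == "Allow" and p == "*" and not stmt.get("Condition")

def public_policy_events(events):
    """Buckets whose PutBucketPolicy call (as recorded by CloudTrail) went public."""
    return [ev["requestParameters"]["bucketName"] for ev in events
            if ev.get("eventName") == "PutBucketPolicy"
            and any(is_public_statement(s) for s in
                    ev["requestParameters"]["bucketPolicy"].get("Statement", []))]

# Constructed samples: one signed read, then an anonymous list and download.
ACCESS_LOG = [
    'OWNERID example-bucket [01/Jan/2024:10:00:00 +0000] 192.0.2.10 OWNERID REQ1 '
    'REST.GET.OBJECT report.csv "GET /report.csv HTTP/1.1" 200 - 512 512 5 4 "-" "aws-cli/2" - HOSTID SigV4 - AuthHeader',
    'OWNERID example-bucket [01/Jan/2024:10:00:05 +0000] 198.51.100.7 - REQ2 '
    'REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 2048 - 9 8 "-" "python-requests/2.31" - HOSTID - - -',
    'OWNERID example-bucket [01/Jan/2024:10:00:06 +0000] 198.51.100.7 - REQ3 '
    'REST.GET.OBJECT customers.db "GET /customers.db HTTP/1.1" 200 - 90000 90000 40 3 "-" "python-requests/2.31" - HOSTID - - -',
]
CLOUDTRAIL = [{"eventName": "PutBucketPolicy", "requestParameters": {
    "bucketName": "example-bucket", "bucketPolicy": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]}}}]
if __name__ == "__main__":
    print(anonymous_reads(ACCESS_LOG))       # two unsigned hits on example-bucket
    print(public_policy_events(CLOUDTRAIL))  # ['example-bucket']
```

A 403 on an unsigned request is a probe rather than an exposure; filtering on status 200, as the hits above do implicitly by construction, is the distinction worth alerting on.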
The fix that holds
Enable S3 Block Public Access at the account level, use Access Analyzer to find exposure, deny public bucket policies with service control policies, encrypt sensitive data, and alert on policy changes that broaden access. Default to private and require a documented reason for any exception.
Practice it
We built an S3 exposure scenario in GraphLattice Range so teams learn to find and close open buckets before a scanner does.