
Lightspin: 46% of AWS S3 buckets could be misconfigured and unsafe



Cloud misconfigurations expose organizations to significant risk, according to a new analysis of Amazon Web Services (AWS) Simple Storage Service (S3) buckets conducted by Lightspin, a cloud security provider. In-depth research into 40,000 AWS buckets and their cloud storage permissions found that 46% of AWS S3 buckets could be misconfigured and should therefore be considered unsafe, Lightspin said.


Above: A diagram that explains how AWS evaluates access and assigns definitions to objects within S3 buckets.

Image Credit: Lightspin

Misconfigured S3 buckets can expose your cloud environment to a great deal of risk. Public read access can lead to a data breach; public write access lets an attacker upload malware into the bucket or overwrite and encrypt its contents to hold your company to ransom.

Certain AWS cloud storage permissions are complex and even obtuse. One of the access statuses AWS shows for a bucket is “Objects can be public.” That status is computed from bucket-level settings (the bucket policy, the bucket ACL and the Block Public Access configuration) rather than by evaluating each object, so the ACLs attached to individual objects are not considered. In short, a bucket labeled “Objects can be public” does not let an organization determine definitively whether any of its objects is actually accessible. The diagram above helps to visualize how this classification is arrived at.

Lightspin’s research revealed that more than 40% of AWS S3 buckets carry this status, on top of the 4% that are labeled as public. As part of this research, the company created a free, open source Python tool that scans the cloud environment in full and clarifies which objects are public and which are not.
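To make the distinction concrete, here is an added example of the two checks a scanner has to perform; it is not Lightspin’s tool or AWS’s own evaluation logic. The first function reproduces, in simplified form (an assumption, not AWS’s exact rules), the three bucket-level verdicts from a bucket’s Block Public Access settings, bucket policy status and bucket ACL. The second resolves “Objects can be public” into a definite per-object answer by reading each object’s own ACL, which the bucket-level verdict never looks at. The `audit_bucket` wrapper assumes a boto3 S3 client is passed in (so nothing AWS-specific is imported), has not been run against a live account here, and needs the listed permissions; the bucket names, object keys and ACL grants at the bottom are constructed sample data.

```python
"""Added example: bucket-level public status vs. per-object ACL check for S3."""

# Grantee URIs that make an ACL grant public. AllUsers is anyone on the
# Internet; AuthenticatedUsers is anyone holding any AWS account, which is
# effectively public as well.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}


def public_permissions(grants):
    """Permissions granted to a public group in a Grants list, in the shape
    boto3's get_bucket_acl / get_object_acl return it (e.g. {"READ"})."""
    perms = set()
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.add(grant["Permission"])
    return perms


def bucket_status(public_access_block, policy_is_public, bucket_grants):
    """Simplified reproduction (an assumption) of the bucket-level verdict.
    Block Public Access can neutralise public ACLs (IgnorePublicAcls) and
    public bucket policies (RestrictPublicBuckets)."""
    ignore_acls = public_access_block.get("IgnorePublicAcls", False)
    restrict_policy = public_access_block.get("RestrictPublicBuckets", False)
    acl_public = bool(public_permissions(bucket_grants)) and not ignore_acls
    policy_public = policy_is_public and not restrict_policy
    if acl_public or policy_public:
        return "Public"
    if ignore_acls:
        # Public object ACLs are ignored, so no object can become public via its ACL.
        return "Bucket and objects not public"
    # Nothing at the bucket level is public, but object ACLs are still honoured,
    # so the only way to know is to read every object's ACL.
    return "Objects can be public"


def public_objects(object_acls, public_access_block):
    """Resolve 'Objects can be public' per object. object_acls maps key -> Grants.
    Returns sorted (key, permissions) pairs for objects whose own ACL grants
    public access that Block Public Access does not override."""
    if public_access_block.get("IgnorePublicAcls", False):
        return []
    findings = []
    for key, grants in object_acls.items():
        perms = public_permissions(grants)
        if perms:
            findings.append((key, sorted(perms)))
    return sorted(findings)


def audit_bucket(s3, bucket):
    """Run both checks against a live bucket through a boto3 S3 client (assumed,
    passed in by the caller). Needs s3:GetBucketPublicAccessBlock,
    s3:GetBucketPolicyStatus, s3:GetBucketAcl, s3:ListBucket and s3:GetObjectAcl."""
    def error_code(exc):
        return getattr(exc, "response", {}).get("Error", {}).get("Code")

    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except Exception as exc:  # no configuration at all means nothing is blocked
        if error_code(exc) != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = {}
    try:
        policy_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except Exception as exc:  # a bucket without a policy cannot be public via policy
        if error_code(exc) != "NoSuchBucketPolicy":
            raise
        policy_public = False
    bucket_grants = s3.get_bucket_acl(Bucket=bucket)["Grants"]
    object_acls = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            object_acls[obj["Key"]] = s3.get_object_acl(Bucket=bucket, Key=obj["Key"])["Grants"]
    return bucket_status(pab, policy_public, bucket_grants), public_objects(object_acls, pab)


# Constructed sample data standing in for API responses (not from any real account).
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]
SAMPLE_OBJECT_ACLS = {
    "reports/q1.pdf": OWNER_ONLY,
    "uploads/logo.png": OWNER_ONLY + [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
}

if __name__ == "__main__":
    print(bucket_status(SAMPLE_PAB, False, OWNER_ONLY))       # Objects can be public
    print(public_objects(SAMPLE_OBJECT_ACLS, SAMPLE_PAB))     # [('uploads/logo.png', ['READ'])]
```

The sample bucket is exactly the ambiguous case from the text: its bucket-level verdict is “Objects can be public”, and only the per-object pass shows that one of its two objects is readable by anyone while the other is not. Turning on IgnorePublicAcls collapses the verdict to “Bucket and objects not public” and empties the findings, which is why enabling all four Block Public Access settings is the usual fix when a bucket has no legitimate reason to serve public objects.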


Read Lightspin’s full research into the risks of misconfigured S3 buckets.
