Public Object Storage Exposure

How a misconfigured bucket leaks sensitive files to the whole internet.

A Common Leak

A misconfigured object store is one of the most frequent causes of data leaks. When a bucket or its objects are set to public read, anyone who finds the name can download every file, often without any authentication.

How It Happens

  • A permissive bucket policy or an access control list grants public access.
  • Files are uploaded assuming the bucket is private when it is not.
  • Predictable names let crawlers and scanners discover the bucket.

Defenses

  • Set buckets to private by default and use account-level public access blocks.
  • Grant access through signed URLs or scoped credentials instead of public reads.
  • Continuously scan for public buckets and alert on configuration drift.
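
The scanning defense above, as an added example that is not part of the original lesson: an offline audit of one bucket's exported configuration, assuming S3-style policy JSON, ACL grants and the public access block flags `IgnorePublicAcls` and `RestrictPublicBuckets`. The function names, sample bucket, account ID and role are constructed for illustration.

```python
import json

# S3-style ACL group URIs that mean "everyone".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # "*", {"AWS": "*"} and {"AWS": ["*"]} all match any caller.
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def audit_bucket(name, policy_json=None, acl_grants=(), pab=None):
    """Return (bucket, source, detail, state) findings for one bucket."""
    pab = pab or {}
    findings = []
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            # IgnorePublicAcls neutralises public ACLs that already exist.
            state = "blocked" if pab.get("IgnorePublicAcls") else "EXPOSED"
            findings.append((name, "acl", grant.get("Permission"), state))
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        # A wildcard narrowed by a Condition needs a human look, not an auto-verdict.
        state = ("blocked" if pab.get("RestrictPublicBuckets")
                 else "REVIEW" if stmt.get("Condition") else "EXPOSED")
        findings.append((name, "policy", stmt.get("Sid", "<no Sid>"), state))
    return findings

# Constructed sample configuration, not taken from any real account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]

if __name__ == "__main__":
    for finding in audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL):
        print(finding)
```

Run it on each configuration snapshot and alert when a bucket gains an `EXPOSED` finding it did not have in the previous run; that difference is the configuration drift.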

Key idea

Public read buckets leak data to anyone who finds them, so default to private, block public access at the account level, and share via signed URLs.

Check yourself

1. What is the core mistake behind a leaky bucket?

2. How should sensitive files be shared instead?