Victor GrenuLast week, I discovered a public Amazon S3 bucket belonging to a French bank that contained approximately 16GB of data (122 339 files), including static assets such as CSS, JavaScript, and images, as well as official documents, schema, unverified IBANs and API documentation.
While the bucket was intentionally left open, the bank's security team promptly responded to my report and corrected the issue.
However, there are several potential risks associated with leaving an Amazon S3 bucket open to the public.
By knowing the name of the bucket, I was able to download its entire contents, potentially gain access to sensitive information (naming convention, API endpoints), and even deduce the bank's AWS Account ID (prod?) and AWS Organization ID.
In today's AWS Security landscape, it is generally considered best practice to use a CloudFront distribution to expose static files rather than leaving S3 buckets open to the public.
As a fun side note, I discovered that Google was also indexing the bucket's contents.
Despite the security lapse, the bank was grateful for my report and even rewarded me with a $10 credit as a customer.
Overall, it was a reminder that security is an ongoing effort, and we should all be vigilant in protecting our assets.
All GNU social JP content and data are available under the