Misconfigured, exposed, forgotten: why S3 is still a problem in 2025

Written by ClearPoint | Aug 20, 2025 1:35:08 AM

Ava Czechowska, Principal Cloud Engineer at ClearPoint, explains why, even in 2025, Amazon Web Services (AWS) S3 Buckets are still a high-risk area. She shares the current risks, why they persist, and how to secure your S3 environment before it becomes an easy target.

Amazon S3, or Amazon Simple Storage Service, is one of the fundamental AWS services, commonly used by AWS customers around the world. An Amazon S3 bucket is a container for objects: you store data in AWS by creating a bucket and uploading your objects to it. When you're just starting with AWS, Amazon S3 is one of the first services to try out.

Despite significant advancements in cloud security, Amazon S3 buckets continue to be a common initial access vector for adversaries. Even in 2025, with all the new features and best practices, misconfigurations, forgotten buckets, and evolving threat landscapes mean S3 remains a critical challenge.

ClearPoint partners with AWS and other cloud solutions to provide end-to-end support in migrating, modernising, implementing and managing your cloud infrastructure. As your trusted partner, we’ll help you harness the benefits of cloud platforms to empower your success in the digital landscape.

The evolving threat landscape: a cloud pivot

Adversaries are no longer just targeting traditional on-premise infrastructure. Cloud environments are increasingly in their crosshairs, with a noted 75% increase in cloud-focused attacks in 2023 alone, according to the CrowdStrike 2024 Global Threat Report. This shift highlights a critical need for robust cloud security strategies.

The second-highest risk in the OWASP Top 10 Infrastructure Security Risks 2024 is "Insufficient Threat Detection." OWASP emphasises that even when a breach occurs, the ability to detect it quickly and effectively is often lacking. Most cyberattacks are detected far too late, often only when malicious actions start to impact internal processes. This is particularly true in complex cloud environments, where traditional security tools may not have the necessary visibility.


The statistics and anecdotes about S3

The Datadog 2024 State of Cloud Security Report states that, at the time of its analysis, 1.48% of AWS S3 buckets were "effectively public," similar to the 1.5% figure from 2023. While the report notes increasing adoption of public access blocks, this persistent percentage indicates that misconfigurations are still a factor. The same report also highlights the risks posed by long-lived cloud credentials: such credentials never expire and frequently get leaked in source code, container images, build logs, and application artifacts. The report cites earlier research showing that long-lived credentials are the most common cause of publicly documented cloud security breaches.


The Fortinet 2025 Global Threat Landscape Report mentions that "cloud environments remain a top target, with adversaries exploiting persistent weaknesses, such as open storage buckets, over-permissioned identities, and misconfigured services," and that "open storage buckets and over-permissioned identities continue to be leading vectors of attack." Fortinet's 2025 State of Cloud Security Report recognises configuration and misconfiguration management as the third most important operational challenge in cloud security, noting that it has already led to numerous high-profile breaches.

This shows that S3 misconfiguration continues to be a common security risk. There have been many S3 data breaches, several of which are described here and here.

Why do S3 misconfigurations still happen?

As CrowdStrike's "Insider’s Playbook: Defending Against Cloud Threats" explains, a cloud misconfiguration is "a poorly chosen, incorrect or absent security setting that exposes the cloud environment to risk." The playbook highlights that because cloud architectures are so complex, the real-time detection of such misconfigurations is difficult.

Other points mentioned in the playbook are:

  • Speed over Security: The rapid pace of modern development often encourages engineers to "quickly push projects to production." This velocity can inadvertently sideline security considerations, leading to overlooked configurations.
  • Shadow Cloud Environments: The ease of spinning up cloud resources can lead to "shadow cloud environments" – resources deployed without proper oversight or security controls, creating blind spots for security teams.
  • Siloed Security Tools: "Today’s cloud security tools are very bespoke, forcing organisations to build their cloud security programs on siloed point products." This fragmented approach makes it difficult to get a holistic view of security posture and can lead to gaps.


What can be done? AWS S3 security enhancements

Thankfully, Amazon is not standing still. They are continually adding robust security features to S3 to help mitigate these risks:

  • Automated Security Defaults: As of April 2023, newly created S3 buckets automatically enable S3 Block Public Access and disable Access Control Lists (ACLs). This means public access is blocked by default, and access is controlled primarily through more robust IAM policies.
  • Default Encryption for New Objects: Since January 2023, Amazon S3 automatically applies server-side encryption with Amazon S3 managed keys (SSE-S3) for every new object uploaded, unless a different encryption option is specified.
  • IAM Access Analyzer for S3: This feature simplifies permissions management by monitoring your existing bucket access policies to verify that they grant only the required access. It identifies buckets with unintended access and helps you remediate them swiftly.
  • AWS PrivateLink for S3: This lets you reach S3 through a private endpoint inside your Amazon Virtual Private Cloud (VPC), improving network security by removing the need for public IPs or an internet gateway.
  • S3 Object Lock: This feature supports a write-once, read-many (WORM) model, preventing objects from being overwritten or deleted for a specified period or indefinitely. This is vital for compliance and ransomware protection.
  • Amazon S3 Metadata (Preview, July 2025): This new feature provides comprehensive visibility into all objects in S3 buckets through live inventory and journal tables. This allows for SQL-based analysis of both existing and new objects with automatic updates, greatly aiding in security audits and compliance.
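The first three items above are the settings a bucket audit should confirm: Block Public Access fully on, ACLs disabled via BucketOwnerEnforced object ownership, and a default encryption rule present. The following is an added example, not code from the original post, that evaluates dicts shaped like the boto3 responses of `get_public_access_block`, `get_bucket_ownership_controls` and `get_bucket_encryption`, plus the bucket policy document, and reports where a bucket falls short of the 2023 defaults; the two sample buckets are constructed.

```python
# Added example, not code from the original post: audit boto3-shaped S3 responses
# against the 2023 secure defaults. The sample buckets at the bottom are constructed.
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_grants_public(policy_json):
    """True if an Allow statement names a wildcard principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for stmt in statements:
        p = stmt.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False


def audit_bucket(pab_resp, ownership_resp, encryption_resp, policy_json=None):
    """Return findings; an empty list means the bucket matches the secure defaults."""
    findings = []
    pab = (pab_resp or {}).get("PublicAccessBlockConfiguration", {})
    off = [k for k in PAB_KEYS if not pab.get(k, False)]
    if off:
        findings.append("Block Public Access incomplete: " + ", ".join(off))
    rules = (ownership_resp or {}).get("OwnershipControls", {}).get("Rules", [])
    if not any(r.get("ObjectOwnership") == "BucketOwnerEnforced" for r in rules):
        findings.append("ACLs still enabled (ObjectOwnership is not BucketOwnerEnforced)")
    if not (encryption_resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules"):
        findings.append("no default server-side encryption rule")
    # A public policy only exposes data when RestrictPublicBuckets does not neutralise it.
    if policy_json and policy_grants_public(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows anonymous access and RestrictPublicBuckets is off")
    return findings


# Constructed samples: a bucket created with the 2023 defaults, and a legacy one.
SECURE = {
    "pab_resp": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
    "ownership_resp": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}},
    "encryption_resp": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
}
LEGACY = {
    "pab_resp": None,  # GetPublicAccessBlock returned no configuration at all
    "ownership_resp": {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}},
    "encryption_resp": None,
    "policy_json": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-legacy-bucket/*"}]}),
}
```

Running `audit_bucket(**SECURE)` returns no findings, while `audit_bucket(**LEGACY)` returns four, the last of which flags the bucket as effectively public because its anonymous-read policy is not neutralised by RestrictPublicBuckets.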


Moving forward: A path to secure S3 buckets

While the challenges of securing S3 buckets in a rapidly evolving cloud landscape are real, there's no need for despair. The ongoing innovations from AWS, coupled with a proactive and holistic security approach, can significantly reduce your risk. This involves:

  • Embracing Automation: Leveraging AWS's new default security settings and automating security checks.
  • Strengthening Identity and Access Management: Implementing least privilege principles and regularly reviewing IAM policies.
  • Gaining Centralised Visibility: Overcoming siloed tools by adopting solutions that provide a unified view of your cloud security posture.
  • Fostering Collaboration: Breaking down barriers between DevOps and security teams to embed security throughout the development lifecycle.
  • Continuous Monitoring and Threat Detection: Investing in robust threat detection capabilities to identify and respond to incidents swiftly, addressing the "Insufficient Threat Detection" challenge head-on.

Securing your S3 environment in 2025 and beyond requires vigilance, the right tools, and a shift in mindset. It's a journey, not a destination, and navigating these complexities effectively is key to protecting your valuable data.

ClearPoint understands these challenges intimately, and our team can help you navigate them, providing the expertise and solutions to secure your cloud environments effectively. Discover how we can help your organisation.