← Back to Labs L2 Intermediate

AWS · Storage · Applied Public Exposure Risk

AWS S3 Public Access Risk

Applied L2 LAB for understanding how S3 public exposure emerges from bucket policies, ACL history, Block Public Access settings, identity permissions, resource policies, and organization guardrails.

Status Intermediate
Cloud AWS
Domain Storage
Track L2 Applied

Overview

S3 public access risk is an applied exposure scenario. It combines resource policy reasoning, identity permissions, public-access safety controls, explicit deny, and organization guardrails.

L2 Intermediate Applied risk Storage exposure No live mutation

Concept Deep Dives

Expand these concepts when studying S3 public exposure or explaining cloud storage risk to students and executives.

What is S3 public access?

S3 public access means an unauthenticated or broadly external principal can reach bucket or object data. Public access may come from bucket policies, object ACLs, or other resource-side exposure patterns.

What is Block Public Access?

Block Public Access is an S3 safety control that can block public bucket policies, public ACLs, or public access paths. It helps prevent accidental exposure even when a policy attempts to allow broad access.

Why do ACLs still matter?

Some environments have legacy ACL history. Even when teams mostly use bucket policies, reviewers should understand whether object-level ACLs ever contributed to public access.

Why is S3 exposure not a single setting?

Public exposure is the result of multiple layers: bucket policy, ACLs, Block Public Access, identity authority, explicit deny, and organization guardrails.

What should executives understand?

S3 public access is a business exposure risk. The important question is not only whether a bucket is public, but whether governance prevents sensitive data from becoming public again.

Visual S3 Exposure Model

S3 public access risk is easiest to understand as an exposure decision path.

Internet Principal Anonymous user, external user, or broad principal
Bucket Policy / ACL Resource-side public allow or deny path
Block Public Access S3 public-access safety control
Exposure Decision Public, blocked, or denied
Public Allow Policy or ACL allows broad access
+
Block Public Access Enabled Safety layer blocks exposure
Blocked Public path is stopped
Public Allow Policy or ACL allows broad access
+
No Public Block No safety layer blocks the path
Exposure Possible Unless SCP or explicit deny blocks it
Learning rule: S3 public access risk is not one setting. It is the final exposure state after public allow, public block, guardrail, and deny layers are evaluated together.

Example Scenario

A bucket policy allows public object reads. Block Public Access is disabled. No explicit deny or SCP prevents the exposure. 

Bucket policy: Principal "*" can s3:GetObject
Block Public Access: disabled
Explicit deny: none
Organization guardrail: none
Final decision: PUBLIC EXPOSURE POSSIBLE

Authorization Layers

This applied lab connects all four L2 authorization concepts.

IAM Policy Evaluation Can a principal read or modify S3 access? Permission Boundary Basics Can a delegated principal exceed approved authority? SCP Guardrail Reasoning Can an account create or preserve public S3 exposure? Resource Policy Evaluation Does the bucket policy or object access model allow public access?

Bridge to Principal LABs

S3 exposure often depends on identity authority. A principal that can modify bucket policy, disable safety controls, or pass a role with S3 authority can change exposure state.

iam:PassRole Privilege Escalation Passed roles can grant storage access or modify exposure paths. Cross-Account Role Escalation Cross-account trust can expand who can reach or modify storage resources. Role Chaining Escalation Chained identities may eventually reach storage administration authority.

Governance Boundary

This lab is read-only and deterministic. 

Runtime = source of truth
OPA = decision authority
Aegis = bounded intelligence
Frontend = rendering only
  • Does not exploit AWS
  • Does not mutate infrastructure
  • Does not deploy live resources
  • Does not enumerate real buckets
  • Does not access public objects
  • Does not issue runtime tokens
  • Does not override OPA

Source Artifacts

  • metadata.json
  • architecture.md
  • index.html