2025-09-16, Main Room
Amazon S3 has been around for 19 years and counting. It's 2025 and S3 is still making news for security breaches. Examples include ransomware via SSE-C encryption (Codefinger), supply chain attacks, and misconfigured public S3 buckets.
Security tooling and configuration have evolved over the years to protect data in AWS. There's Block Public Access, Resource Control Policies, Trusted Advisor's complimentary S3 security check, and more. These all help with "secure by default" and securing our data.
But why are we still having security issues? What if those security tools don't accurately reflect the true public exposure of our data? In this talk, we'll cover how we found broken promises with AWS's security tooling - specifically how S3 buckets are evaluated for public access.
We'll cover our original research on how we found multiple undocumented techniques to evade detection and how we used these techniques to bypass detection and configure buckets with public and anonymous permissions. These include technical details such as bucket policies and ACLs that permit data access open to the world and potential data exfiltration - and how we did this all without triggering a single alert.