Cloud Storage Exposure

Medium

Detects public AWS S3, GCP, and DigitalOcean buckets.

Estimated fix time: 20 minutes

What is Cloud Storage Exposure?

Misconfigured cloud storage buckets can expose sensitive files to the public internet. This commonly affects AWS S3, DigitalOcean Spaces, Google Cloud Storage, and Azure Blob Storage.

Security Impact

Severity: Critical

  • Data breach
  • Credential exposure
  • User data theft
  • Compliance violations
  • Financial loss

How to Fix AWS S3

1. Block Public Access

# Via AWS CLI
aws s3api put-public-access-block \
    --bucket my-bucket \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

2. Review Bucket Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::ACCOUNT-ID:role/MyAppRole"
        }
      }
    }
  ]
}

3. Use Pre-Signed URLs

// Generate a temporary (pre-signed) URL for a private object on the S3 disk;
// the link stops working 30 minutes after it is issued
use Illuminate\Support\Facades\Storage;

$url = Storage::disk('s3')->temporaryUrl(
    'file.pdf',
    now()->addMinutes(30)
);

4. Configure Laravel Filesystem

// config/filesystems.php
'disks' => [
    's3' => [
        'driver' => 's3',
        'key' => env('AWS_ACCESS_KEY_ID'),
        'secret' => env('AWS_SECRET_ACCESS_KEY'),
        'region' => env('AWS_DEFAULT_REGION'),
        'bucket' => env('AWS_BUCKET'),
        'visibility' => 'private', // Important!
    ],
],

Verification Steps

  1. Check bucket public access settings
  2. Try accessing files without authentication
  3. Review bucket policies
  4. Audit IAM permissions
  5. Use AWS Trusted Advisor
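The "Review Bucket Policy" step and verification steps 1 and 3 can be turned into a repeatable check instead of a console read-through. The script below is an added example, not code from the original guide or from StackShield: it audits a Block Public Access configuration and a bucket policy document of the shape returned by `aws s3api get-public-access-block` and `aws s3api get-bucket-policy`. All inputs are constructed samples; the guide's own DenyPublicAccess policy is included (with ACCOUNT-ID kept as a placeholder) to show that a Deny to `*` is correctly not reported as public.

```python
"""Offline audit of an S3 bucket's Block Public Access settings and policy.

Added example, not part of the original guide. Inputs are constructed samples
shaped like the JSON from `aws s3api get-public-access-block` and
`aws s3api get-bucket-policy`.
"""
import json

# The four settings the guide's put-public-access-block command enables.
EXPECTED_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def missing_public_access_blocks(config: dict) -> list:
    """Names of Block Public Access settings that are not enabled."""
    settings = config.get("PublicAccessBlockConfiguration", config)
    return [k for k in EXPECTED_BLOCK if settings.get(k) is not True]


def _is_wildcard_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy) -> list:
    """Sids of statements that grant unconditional access to everyone.

    A statement counts as public when it is an Allow for a wildcard principal
    with no Condition block. A Deny for "*" (like the guide's DenyPublicAccess
    statement) is not public; it only removes access. Conditioned wildcard
    Allows are skipped here and should be reviewed by hand.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "Statement[%d]" % i))
    return findings


def audit_bucket(block_config: dict, policy) -> dict:
    """Combine both checks. A public policy only exposes objects when
    RestrictPublicBuckets is off: that setting limits a bucket with a public
    policy to principals inside the account."""
    missing = missing_public_access_blocks(block_config)
    public = public_statements(policy)
    return {
        "missing_public_access_blocks": missing,
        "public_statements": public,
        "exposed": bool(public) and "RestrictPublicBuckets" in missing,
    }


# Constructed sample: the guide's DenyPublicAccess policy (ACCOUNT-ID is a placeholder).
GUIDE_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPublicAccess", "Effect": "Deny", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringNotEquals": {
            "aws:PrincipalArn": "arn:aws:iam::ACCOUNT-ID:role/MyAppRole"}},
    }],
}

# Constructed sample of the misconfiguration this finding is about.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
    }],
}

# Constructed Block Public Access configurations: one partial, one complete.
PARTIAL_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": dict(EXPECTED_BLOCK)}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(PARTIAL_BLOCK, PUBLIC_READ_POLICY), indent=2))
    print(json.dumps(audit_bucket(FULL_BLOCK, GUIDE_DENY_POLICY), indent=2))
```

Running it reports the partially blocked bucket with the public-read policy as exposed, and the fully blocked bucket with the guide's Deny policy as clean. Feeding `FULL_BLOCK` together with `PUBLIC_READ_POLICY` still lists the public statement but sets `exposed` to false, which matches step 1 of the fix: Block Public Access neutralises a public policy even before the policy itself is cleaned up.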

Best Practices

  • Default to private access
  • Use pre-signed URLs for temporary access
  • Implement least-privilege IAM policies
  • Enable S3 access logging
  • Use CloudFront with signed URLs
  • Regularly audit permissions

Related Guides

  • File Upload Security
  • Sensitive Files
  • Directory Exposure

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
