How to Secure Cloud Storage in Laravel
Detects public AWS S3, GCP, and DigitalOcean buckets.
infrastructure security
Medium fix
20 minutes
Full Documentation
What is Cloud Storage Exposure?
Misconfigured cloud storage buckets can expose sensitive files to the public internet. This commonly affects AWS S3, DigitalOcean Spaces, Google Cloud Storage, and Azure Blob Storage.
Security Impact
Severity: Critical
- Data breach
- Credential exposure
- User data theft
- Compliance violations
- Financial loss
How to Fix AWS S3
1. Block Public Access
# Via AWS CLI
aws s3api put-public-access-block \
  --bucket my-bucket \
  --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
2. Review Bucket Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::ACCOUNT-ID:role/MyAppRole"
        }
      }
    }
  ]
}
3. Use Pre-Signed URLs
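use Illuminate\Support\Facades\Storage;

// Generate a temporary (pre-signed) URL on the s3 disk, valid for 30 minutes.
// Naming the disk explicitly avoids depending on the default disk being s3.
$url = Storage::disk('s3')->temporaryUrl(
    'file.pdf',
    now()->addMinutes(30)
);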
4. Configure Laravel Filesystem
// config/filesystems.php
'disks' => [
    's3' => [
        'driver' => 's3',
        'key' => env('AWS_ACCESS_KEY_ID'),
        'secret' => env('AWS_SECRET_ACCESS_KEY'),
        'region' => env('AWS_DEFAULT_REGION'),
        'bucket' => env('AWS_BUCKET'),
        'visibility' => 'private', // Important!
    ],
],
Verification Steps
- Check bucket public access settings
- Try accessing files without authentication
- Review bucket policies
- Audit IAM permissions
- Use AWS Trusted Advisor
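An offline way to run the first and third verification steps, added here as an example (it is not part of the original page or of the scanner's own code): it inspects the JSON printed by `aws s3api get-public-access-block` and `aws s3api get-bucket-policy`. The function names and sample inputs are constructed for illustration.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def pab_findings(pab_output):
    """Flags missing or false in `aws s3api get-public-access-block` output.
    Pass None when the bucket has no Block Public Access configuration."""
    cfg = (pab_output or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if cfg.get(flag) is not True]

def is_wildcard(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def public_allow_statements(policy):
    """Sids (or positions) of Allow statements open to any principal.
    A statement with a Condition is skipped and still needs manual review."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # lone statement
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

def audit(pab_output, policy_output):
    # get-bucket-policy returns the policy as a JSON string under "Policy".
    policy = json.loads(policy_output["Policy"]) if policy_output else {}
    return {"pab_disabled": pab_findings(pab_output),
            "public_statements": public_allow_statements(policy)}

# Constructed sample inputs: a weak bucket, then the settings this page recommends.
WEAK_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
WEAK_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]})}
GOOD_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}
GOOD_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPublicAccess", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringNotEquals": {
         "aws:PrincipalArn": "arn:aws:iam::ACCOUNT-ID:role/MyAppRole"}}}]})}

if __name__ == "__main__":
    print(audit(WEAK_PAB, WEAK_POLICY), audit(GOOD_PAB, GOOD_POLICY))
```

Empty lists in both fields mean the two checks passed; any flag name or statement Sid in the result is something to fix before moving on to the remaining steps.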
Best Practices
- Default to private access
- Use pre-signed URLs for temporary access
- Implement least-privilege IAM policies
- Enable S3 access logging
- Use CloudFront with signed URLs
- Regularly audit permissions
Related Issues
- File Upload Security
- Sensitive Files
- Directory Exposure