How I Discovered an Exposed S3 Bucket Containing Sensitive Log Data

How a single misconfigured S3 bucket exposed sensitive logs and PII — and what it takes to find them.

Omar Ahmed Abdelslam

~3 min read · February 9, 2026 (Updated: February 9, 2026) · Free: Yes

I'm back with another security finding.

Today, I want to share a discovery involving misconfigured cloud storage that led to a significant data leak. As cloud adoption grows, these "open windows" are becoming one of the most common ways sensitive data hits the public web.

Grab your coffee, and let's dive in ☕️

Understanding the Target

During a recent security engagement, my focus shifted toward cloud-native assets. In modern infrastructure, Amazon S3 (Simple Storage Service) is the backbone for storing everything from static images to critical system backups and internal logs.

While the service is secure by default, a single misclick in the "Block Public Access" settings can transform a private archive into a public library.

What are S3 Buckets?

For those who need a refresher, Amazon S3 organizes data into "buckets." Each bucket has its own access control list (ACL) and policy.

The Goal: Store data securely and limit access to specific IAM roles or internal IPs.
The Reality: Developers sometimes enable public read access for testing or to facilitate third-party integrations, forgetting to close the door afterward.

The Discovery Phase: Hunting for "Open Windows"

My reconnaissance workflow involves identifying naming conventions used by an organization for their cloud resources. While analyzing the target's asset list, I identified a bucket that followed a naming pattern often reserved for internal logging and integration data.

Probing for Public Access

I used a simple curl request to check the bucket's permissions. A secure bucket should return a 403 Forbidden error. Instead, I saw this:

curl -i https://[REDACTED-BUCKET-NAME].s3.amazonaws.com/

The response was an XML directory listing. No authentication required. Just an open list of every file stored inside.

Technical Tip: In many cases, the browser might show an "Access Denied" error if you visit the root, but the objects themselves might still be public. Always check the directory listing or try to access common file paths.

Inside, I found a variety of objects, including:

Compressed Archives: Large .zip files containing historical system logs.
Integration Metadata: Logs from third-party document signing and identity verification services.
Operational Telemetry: Internal error logs that exposed backend file paths and server metadata.

Building the Proof of Concept (PoC)

To demonstrate the impact to the triage team, I needed to show that the data wasn't just "junk" metadata, but actual sensitive information.

Step 1: Downloading the Evidence I downloaded a small sample log file to analyze its contents.

wget https://[REDACTED-BUCKET-NAME].s3.amazonaws.com/logs/integration-02-07-2026.log

Step 2: Analyzing for PII Using simple terminal commands, I searched for patterns indicative of sensitive data:

grep -iE "email|token|client_id|auth" integration-02-07-2026.log

The results confirmed the severity. The logs contained:

Customer Metadata: Names and email addresses associated with specific transactions.
API Integration Details: Metadata used for third-party service calls.
Internal Path Disclosure: Absolute paths revealing the internal directory structure of the application servers.

Impact: Why This Matters

An exposed log bucket is a goldmine for an attacker.

Information Disclosure: The exposure of PII (Personally Identifiable Information) triggers immediate regulatory concerns, such as GDPR or CCPA compliance violations.
Reconnaissance for Further Attacks: Knowing internal server paths and how an application communicates with third-party services allows an attacker to craft more sophisticated exploits, such as SSRF or credential stuffing.
Credential Exposure: Often, developers accidentally log authorization headers or temporary tokens, which can lead to full account takeover.

The Remediation

I immediately documented the findings, including the direct URLs to the sensitive files and a summary of the PII discovered.

The security team's response was textbook:

Immediate Isolation: They enabled "Block Public Access" at the bucket level.
Audit: They rotated the internal tokens that were found in the logs.
Cleanup: They implemented a lifecycle policy to ensure that logs are automatically deleted or moved to encrypted, non-public storage after a certain period.

Final Thoughts

S3 leaks are rarely the result of a complex hack; they are usually the result of a simple oversight. If you are managing cloud infrastructure, always audit your buckets for public read permissions and ensure that your logging services aren't writing sensitive "secrets" into plain text files.

Thanks for reading!

— Omar Abdelsalam

#cybersecurity #bugbounty-writeup #cloud-security #infosec #web-app-pentesting