Case Study

Two curl Commands to Full S3 Access

How a routine API assessment uncovered a critical AWS misconfiguration exposing 2.4 GB of confidential data.

Client: Confidential (SaaS platform)
Industry: Technology / B2B
Duration: Discovery in 20 minutes
Severity: Critical

The Problem

During a routine API penetration test, we inspected the client's frontend JavaScript and found a hardcoded AWS Cognito Identity Pool ID. The Identity Pool had unauthenticated access enabled, meaning anyone on the internet could obtain temporary AWS credentials — no account, login, or API key required.

Two curl commands were all it took: one to get an anonymous identity, one to exchange it for full AWS credentials with read, write, and delete access to the client's S3 storage.

What We Found

2.4 GB of confidential data exposed
6 vulnerable S3 buckets
440+ files enumerated
Vulnerability undetected for 1+ year

The exposed data included uploads, documents, attachments, forms, and media across six buckets — three production, three staging. An attacker could download every file, upload malware, or delete the entire bucket contents.

Further investigation revealed additional S3 buckets with acl = "public-read", allowing direct HTTP directory listing without any credentials at all.

How We Fixed It

Phase 0

Immediate lockdown (30 minutes)

Removed GetObject and DeleteObject from the Cognito guest IAM role. Retained only PutObject for legitimate uploads. Stopped data exfiltration and deletion immediately.

Phase 1

Prefix scoping (30 minutes)

Restricted PutObject to six specific path prefixes. Added content-type conditions to deny executable uploads. Enabled S3 versioning and blocked public bucket listings.

Phase 2

Per-identity isolation (1 week)

Implemented Cognito identity-based path scoping using ${cognito-identity.amazonaws.com:sub} policy variables. Each user can now only access their own folder.
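The three lockdown phases above come down to one question a defender can check mechanically: does the guest (unauthenticated) role of the identity pool allow anything beyond a write into the caller's own folder? The following is an added example, not the client's or the assessor's code. It audits a Cognito identity pool plus its guest-role policy for the conditions described in this case study, and builds the Phase 1 and Phase 2 policy that scopes PutObject to a per-identity folder with the ${cognito-identity.amazonaws.com:sub} variable. The pool id, bucket names and the "before" policy are constructed placeholders; the pool dict follows the field name returned by the Cognito DescribeIdentityPool API.

```python
"""Audit and harden the IAM policy attached to a Cognito unauthenticated
(guest) role, following the phases in the case study.

Added example; not the client's or the assessor's code.  Pool id, bucket
names and the "before" policy are constructed samples.
"""
import json

# Identity-pool policy variable that IAM replaces with the caller's identity id.
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# Anything other than an upload has no business on a guest role (Phase 0).
GUEST_ALLOWED_ACTIONS = {"s3:PutObject"}

# Constructed sample: roughly what the guest role looked like before remediation.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-prod-uploads",
                     "arn:aws:s3:::example-prod-uploads/*"],
    }],
}

# Constructed sample using the field name from DescribeIdentityPool.
IDENTITY_POOL = {
    "IdentityPoolId": "REGION:00000000-0000-0000-0000-000000000000",  # placeholder
    "AllowUnauthenticatedIdentities": True,
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def audit_guest_role(pool, policy):
    """Return a list of human-readable findings for a pool + guest-role policy."""
    findings = []
    if pool.get("AllowUnauthenticatedIdentities"):
        findings.append("identity pool hands credentials to unauthenticated callers")
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        bad = sorted(a for a in actions if a not in GUEST_ALLOWED_ACTIONS)
        if bad:
            findings.append(f"statement {i}: guest role allows {', '.join(bad)}")
        for res in _as_list(st.get("Resource", [])):
            # Without the identity variable, every guest reaches every object.
            if SUB_VAR not in res:
                findings.append(f"statement {i}: resource {res} is not scoped per identity")
    return findings


def build_guest_policy(buckets, prefixes):
    """Phase 1 + 2: PutObject only, restricted to the given prefixes under a
    per-identity folder.  One policy isolates every guest because IAM
    substitutes the caller's identity id for SUB_VAR at evaluation time."""
    resources = [f"arn:aws:s3:::{b}/{p}/{SUB_VAR}/*" for b in buckets for p in prefixes]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GuestUploadOwnFolderOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": resources,
        }],
    }


if __name__ == "__main__":
    print("before:", *audit_guest_role(IDENTITY_POOL, BEFORE_POLICY), sep="\n  ")
    hardened = build_guest_policy(["example-prod-uploads"], ["uploads", "forms"])
    print(json.dumps(hardened, indent=2))
    print("after:", audit_guest_role({"AllowUnauthenticatedIdentities": False}, hardened))
```

Note that the hardened policy still produces one finding while the pool keeps unauthenticated identities enabled: scoping the role reduces blast radius, but as the case study's Phase 3 says, the finished design removes browser-side credentials altogether.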

Phase 3

Presigned URL architecture (planned)

Moving to backend-generated presigned URLs to eliminate browser-side AWS credentials entirely. 15-minute scoped URLs with server-side validation of file sizes and types.
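The Phase 3 design replaces browser-side credentials with a backend that validates each upload request and returns a 15-minute presigned URL. The following is an added example of that pattern, not an implementation published by the client or the assessor. It produces a SigV4 query-string presigned PUT URL by hand (the same scheme boto3's generate_presigned_url emits) so that it runs offline, and binds the object key to the caller's identity and the Content-Type to the signature, so a browser cannot redirect the upload elsewhere or change the declared type. The access key, secret, bucket, region, size limit and allowed types are constructed placeholders and assumed values.

```python
"""Backend endpoint for Phase 3: validate an upload, then hand the browser a
short-lived presigned PUT URL instead of AWS credentials.

Added example, not the project's code.  Keys, bucket, region and the
type/size limits are constructed placeholders, not the client's values.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

BUCKET = "example-prod-uploads"            # placeholder
REGION = "us-east-1"                        # placeholder
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"         # constructed, not a real key
SECRET_KEY = "constructed-secret-not-real"  # constructed, not a real key
EXPIRES = 900                               # 15 minutes, as in the case study
MAX_BYTES = 10 * 1024 * 1024                # assumed limit
ALLOWED_TYPES = {                           # assumed allow-list; type -> extensions
    "image/png": (".png",),
    "image/jpeg": (".jpg", ".jpeg"),
    "application/pdf": (".pdf",),
}


class UploadRejected(ValueError):
    """Raised when server-side validation refuses to issue a URL."""


def _sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_put(key, content_type, now=None):
    """SigV4 presigned PUT URL for s3://BUCKET/key, valid for EXPIRES seconds.
    content-type is a signed header, so S3 rejects a PUT with any other type."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(EXPIRES),
        "X-Amz-SignedHeaders": "content-type;host",
    }
    # Canonical query string: keys sorted, everything but unreserved chars encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "PUT", canonical_uri, canonical_query,
        f"content-type:{content_type}\nhost:{host}\n",  # canonical headers
        "content-type;host",                             # signed headers
        "UNSIGNED-PAYLOAD",                              # body is not hashed for presigned URLs
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k = _sign(("AWS4" + SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _sign(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def request_upload_url(identity_sub, filename, content_type, size_bytes, now=None):
    """Server-side validation of type and size, then a URL scoped to the
    caller's own folder under uploads/.  The client never sees credentials."""
    if content_type not in ALLOWED_TYPES:
        raise UploadRejected(f"content type not allowed: {content_type}")
    if not filename.lower().endswith(ALLOWED_TYPES[content_type]):
        raise UploadRejected("extension does not match declared content type")
    if not 0 < size_bytes <= MAX_BYTES:
        raise UploadRejected(f"size {size_bytes} outside 1..{MAX_BYTES} bytes")
    if "/" in filename or "\\" in filename or filename.startswith("."):
        raise UploadRejected("filename must be a bare name")
    key = f"uploads/{identity_sub}/{filename}"  # folder fixed by the server, not the client
    return presign_put(key, content_type, now)


if __name__ == "__main__":
    print(request_upload_url("sub-123", "photo.png", "image/png", 4096))
```

The size check here covers only the declared size; in production the object is re-checked after upload (or the upload is done with a presigned POST whose policy carries a content-length-range condition), since a presigned PUT does not itself bound the body length.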

The Result

A vulnerability that had been silently exposing confidential client data for over a year was discovered in 20 minutes and the immediate risk was eliminated in 30 minutes. Full remediation — including per-user isolation and path-scoped permissions — was completed within a week.

The client's infrastructure went from "anyone on the internet has full access" to defense-in-depth with least-privilege IAM policies, per-identity isolation, and a roadmap to eliminate browser credentials entirely.

Tools Used

curl, AWS CLI, Browser DevTools, grep, S3 REST API, Terraform

Full technical write-up with code samples available on the blog.

Read the Full Post

Worried about your AWS configuration?

We'll find the vulnerabilities before someone else does.

Book a Security Audit