AWS S3 Buckets: Visible endpoint

Although not a literal secret, the Amazon S3 Bucket URL should be kept confidential, stored safely and not hardcoded.

Since every bucket or object is potentially accessible from anywhere, with the right settings allowing public access a bucket or object can be open to the world. This is where the security risk lies.

Even if an endpoint is opaque, it still is a network surface of attack. For example, what can be seen as a secure host today, is a vulnerable host tomorrow, given that an exploit has been found (many times 0-day).

Social engineering can be performed more effectively, if the hacker knows an internal detail about your organization, such as an S3 Bucket.


AWS S3 Bucket endpoint is hardcoded or exposed in configuration files, infrastructure code, or business services.



  1. Use key-value store, for distributing configurations to you environments, such as:
    1. Consul
    2. etcd


  1. Prefer a 12-factor architecture