
Amazon S3 Storage Vulnerability Exposes Fortune 500 Companies and Government Agencies to Cyber Attacks


CyberSecureFox Editorial Team


Security researchers at WatchTowr have uncovered a severe vulnerability in Amazon S3 cloud storage that could potentially expose major corporations and government agencies to sophisticated cyber attacks. The discovery reveals how abandoned S3 storage buckets can be weaponized to compromise critical infrastructure and distribute malicious software across global networks.

150 Reclaimed S3 Buckets Received 8 Million Requests in Two Months

The investigation identified approximately 150 inactive S3 buckets previously associated with various commercial and open-source applications. In a controlled experiment spanning two months, researchers monitored these reclaimed buckets and documented an astounding 8 million HTTP requests from various organizations worldwide, demonstrating the massive scale of potential exposure.

High-Risk Attack Vector Analysis

The documented requests included attempts to retrieve software updates, virtual machine images, SSLVPN configurations, and pre-compiled binaries for multiple operating systems. This pattern indicates that threat actors could potentially exploit these abandoned buckets to distribute malware and gain unauthorized access to critical systems through trusted update channels.

Impact on Critical Infrastructure and Major Organizations

Connection attempts originated from networks belonging to:

  • U.S., UK, and Australian government agencies
  • Military installations and NASA
  • Fortune 100 and 500 companies
  • Major financial institutions and payment processors

Root Cause: S3 Allows Re-Registration of Abandoned Bucket Names

The core issue is that Amazon S3 does not retire bucket names after deletion — a bucket name that was previously used by a legitimate application can be registered by anyone after the original bucket is deleted. While AWS secured the 150 specific buckets WatchTowr identified, the underlying name-reuse mechanism remains unaddressed. WatchTowr recommended AWS implement permanent bucket name retirement after deletion; AWS has not publicly committed to this change.

Preventing Exposure from Abandoned S3 Bucket References

  • Audit all hardcoded S3 bucket URLs in application code, infrastructure configs, and CI/CD pipelines for references to deleted buckets.
  • Before deleting an S3 bucket: remove all references to it in active software first, then delete and keep a record of the name as permanently retired internally.
  • Enable S3 access logging and set alerts for unexpected access spikes on buckets used by software distribution.
  • Use S3 Object Lock on buckets distributing software to prevent bucket re-creation from serving tampered content.
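The audit step above can be scripted. The following is an added example written for this article, not code from CyberSecureFox or WatchTowr: it extracts bucket names from the three common S3 URL styles in source and config lines and flags any bucket that is not in the organisation's own bucket inventory. It deliberately compares against an owned-bucket list rather than probing whether the bucket name resolves, because a name that has been re-registered by a third party still answers. The sample lines and the owned-bucket set are constructed.

```python
import re
from typing import Iterable

# S3 bucket names are 3-63 chars of lowercase letters, digits, dots and hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"

# The three URL styles an application is likely to embed:
#   s3://bucket/key
#   https://bucket.s3[.region|-region].amazonaws.com/key   (virtual-hosted)
#   https://s3[.region|-region].amazonaws.com/bucket/key   (path-style)
_PATTERNS = [
    re.compile(r"s3://" + _NAME, re.IGNORECASE),
    re.compile(r"https?://" + _NAME + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com", re.IGNORECASE),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _NAME, re.IGNORECASE),
]


def extract_bucket_refs(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, bucket_name) for every S3 reference found in lines."""
    refs = []
    for lineno, line in enumerate(lines, start=1):
        for pat in _PATTERNS:
            refs.extend((lineno, name.lower()) for name in pat.findall(line))
    return refs


def audit(lines: Iterable[str], owned_buckets: set[str]) -> list[tuple[int, str]]:
    """Flag references to buckets the organisation does not own.

    owned_buckets would normally be filled from an inventory of the accounts
    you control (for example the output of `aws s3api list-buckets`); any
    reference outside that set is either a deleted bucket that someone else
    can now register, or a third-party dependency that needs review."""
    return [(n, b) for n, b in extract_bucket_refs(lines) if b not in owned_buckets]


# Constructed sample: lines from a CI config and an installer script.
SAMPLE_LINES = [
    'UPDATE_URL="https://updates-legacyapp.s3.amazonaws.com/latest/agent.tar.gz"',
    "aws s3 cp s3://build-artifacts-prod/release.zip ./release.zip",
    "curl -fsSL https://s3.us-east-1.amazonaws.com/old-vpn-configs/client.ovpn -o client.ovpn",
    "# plain comment with no bucket reference",
    "IMAGE=https://vm-images-2019.s3-eu-west-1.amazonaws.com/base.qcow2",
]
OWNED_BUCKETS = {"build-artifacts-prod"}  # constructed: only bucket still owned

if __name__ == "__main__":
    for lineno, bucket in audit(SAMPLE_LINES, OWNED_BUCKETS):
        print(f"line {lineno}: bucket '{bucket}' is not in the owned inventory")
```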


The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
