Do you scan for misconfigured public cloud storage (S3, Azure Blob, GCS) tied to your organisation?
Description
What this control does
This control requires the organization to proactively and continuously scan the cloud storage buckets and containers in its accounts (AWS S3, Azure Blob Storage, Google Cloud Storage) for misconfigurations that make them Internet-accessible or expose data to unauthorized principals. Scanning is typically performed with automated tools that enumerate storage resources across every cloud account, evaluate access control lists (ACLs), bucket policies, IAM permissions, and account- and bucket-level public access settings against a secure baseline, and flag each deviation for remediation. This control addresses a common root cause of cloud data breaches: permissive defaults or inadvertent permission changes that expose sensitive data to the public Internet without the organization's knowledge.
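As an added illustration of the ACL, bucket policy and public access block evaluation described above (example code, not from any scanning tool named on this page), the following hypothetical checker scores offline snapshots of an S3 bucket's configuration against a secure baseline; the bucket names and the boto3-shaped input dicts are constructed samples.

```python
import json

# Hypothetical checker (not a real CSPM tool): evaluates S3 bucket snapshots, in the shapes
# boto3 returns for get_public_access_block / get_bucket_acl / get_bucket_policy, offline.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def wildcard_principal(principal) -> bool:
    """True when a policy statement's Principal matches every AWS identity."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def evaluate_bucket(name, public_access_block, acl, policy_json=None):
    """Return one finding per baseline violation; an empty list means compliant."""
    findings = []
    # Baseline 1: all four public access block settings are enabled.
    for key in PAB_KEYS:
        if not public_access_block.get(key, False):
            findings.append(f"{name}: public access block '{key}' is disabled")
    # Baseline 2: no ACL grant to the AllUsers / AuthenticatedUsers groups.
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"{name}: ACL grants {grant['Permission']} to {group}")
    # Baseline 3: no unconditional Allow statement with a wildcard principal.
    for stmt in (json.loads(policy_json).get("Statement", []) if policy_json else []):
        if (stmt.get("Effect") == "Allow" and wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"{name}: policy allows {stmt.get('Action')} to any principal")
    return findings


# Constructed snapshots (not real buckets): one exposed, one meeting the baseline.
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exposed/*"}]})
EXPOSED = evaluate_bucket("example-exposed", dict.fromkeys(PAB_KEYS, False),
                          PUBLIC_READ_ACL, OPEN_POLICY)
LOCKED = evaluate_bucket("example-private", dict.fromkeys(PAB_KEYS, True),
    {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]})
```

A statement whose wildcard principal is narrowed by a Condition (for example a source VPC or organization ID) is deliberately not flagged, which is where manual sampling per the testing procedure earns its keep.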
Control objective
What auditing this proves
Demonstrate that the organization systematically discovers and remediates publicly accessible or misconfigured cloud storage resources associated with its cloud environments before unauthorized parties can exploit them.
Associated risks
Risks this control addresses
- Unauthorized public disclosure of sensitive customer data, intellectual property, or regulated information stored in misconfigured buckets
- Credential harvesting from publicly exposed configuration files, API keys, or database backups stored in cloud storage
- Ransomware or cryptomining attacks exploiting write-enabled public buckets to inject malicious payloads or consume resources
- Regulatory penalties and breach notification obligations triggered by inadvertent exposure of personally identifiable information (PII) or protected health information (PHI)
- Supply chain attacks where adversaries inject malicious code into publicly writable storage buckets used for software distribution or CI/CD pipelines
- Competitive intelligence loss from publicly accessible project documentation, financial records, or strategic planning materials
- Shadow IT creating unmanaged storage resources outside security team visibility that remain misconfigured indefinitely
Testing procedure
How an auditor verifies this control
- Obtain inventory of all active cloud subscriptions, accounts, and projects across AWS, Azure, and GCP environments owned or managed by the organization
- Review configuration of automated scanning tools (e.g., Prowler, ScoutSuite, cloud-native services like AWS Access Analyzer, Azure Defender for Storage, or third-party CSPM solutions) used to detect misconfigured storage
- Verify scanning frequency and scope by examining scan schedules, coverage reports, and logs showing all cloud accounts are included in regular assessments
- Select a representative sample of storage resources across each cloud platform and manually verify their access control configurations match scan tool findings
- Review findings repository or ticketing system to identify all publicly accessible or misconfigured storage instances detected in the last 90 days
- Trace a sample of critical or high-severity misconfigurations from detection through remediation, examining ticket resolution evidence, timestamps, and configuration change records
- Interview cloud security and DevOps personnel to confirm roles, responsibilities, and escalation procedures when public storage exposures are discovered
- Test alert mechanisms by requesting evidence of real-time or near-real-time notifications sent when new public buckets are created or permissions are modified to allow public access