Cloudy With a Chance of Breaches – Part 1
Cloud security mistake #1: free CDN for hackers. (More in the extended version.)
Devs love the cloud. They spin up a bucket, push code, and brag about “shipping fast.” Then an auditor shows up and discovers your S3 bucket named test-prod-final-v2 is wide open to the internet. Congrats—you just built a free CDN for hackers.
Best Practice #1: Stop Leaving Storage Buckets Public
Quick Check:
AWS (S3): look for buckets with AllUsers or AuthenticatedUsers
Azure (Blob): check containers with public access ≠ None
GCP (GCS): buckets with IAM bindings for allUsers
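The same three checks as a small offline script. This is an added example, not code from the original post. It assumes you have already exported each provider's JSON (a bucket ACL, a container listing, a bucket IAM policy); the sample documents are constructed, and it also flags GCP's allAuthenticatedUsers, which the list above does not mention.

```python
# Constructed sample data shaped like each provider's CLI JSON output (assumed shapes).
S3_PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def s3_public_grants(acl):
    """(group, permission) pairs for public grants in a bucket ACL document."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in S3_PUBLIC_GROUPS:
            hits.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return hits

def azure_container_is_public(container):
    """True when publicAccess is anything other than None (JSON null or "None")."""
    level = container.get("properties", {}).get("publicAccess")
    return level is not None and str(level).lower() != "none"

def gcs_public_bindings(policy):
    """(role, public members) pairs from a bucket IAM policy document."""
    hits = []
    for binding in policy.get("bindings", []):
        public = sorted(GCS_PUBLIC_MEMBERS & set(binding.get("members", [])))
        if public:
            hits.append((binding.get("role"), public))
    return hits

SAMPLE_S3_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_AZURE = [
    {"name": "private-logs", "properties": {"publicAccess": None}},
    {"name": "web-assets", "properties": {"publicAccess": "blob"}},
]
SAMPLE_GCS_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers", "user:dev@example.com"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print("S3:", s3_public_grants(SAMPLE_S3_ACL))
    print("Azure:", [c["name"] for c in SAMPLE_AZURE if azure_container_is_public(c)])
    print("GCS:", gcs_public_bindings(SAMPLE_GCS_POLICY))
```

An empty result from all three functions means none of the exported documents grants access to the public principals listed above.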
Quick Fix:
AWS: Turn on account-level S3 Block Public Access.
Azure: Disable container public access, enforce via Policy.
GCP: Enforce storage.publicAccessPrevention=Enforced.
That’s it. Ten minutes and you’re no longer on Have I Been Pwned’s guest list.
Want More?
This is just 1 of 3 cloud sins. Paid readers get the full breakdown including:
Best Practice #2: Firewalls that love everyone (a.k.a. 0.0.0.0/0 is not your friend)
Best Practice #3: IAM gone wild (users without MFA, service accounts with god mode, old keys floating around like your AOL password)
JJ – Chief Packet Pusher