Mistrusted Advisor: When AWS Tooling Leaves Public S3 Buckets Undetected

Jason Kao

fwd:cloudsec Europe 2025 · Day 2 · Main Room

Jason Kao, founder of Fog Security and veteran cloud security researcher, disclosed a set of vulnerabilities in **AWS Trusted Advisor's S3 security checks** that allowed publicly accessible S3 buckets to be reported as secure. By crafting bucket policies that denied Trusted Advisor's service role access to specific S3 API actions, Kao demonstrated that buckets with world-readable (and even world-writable) ACLs and policies would be silently categorized as "ignored" by Trusted Advisor — displaying a green checkmark and zero warnings. The finding was responsibly disclosed through AWS's HackerOne VDP program in May 2025, required two rounds of fixes, and was fully remediated by July 2025.
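As an added example (not code from the talk or from AWS), the following check evaluates a bucket's ACL grants and policy document directly instead of trusting a managed scanner's verdict, and additionally flags Deny statements that withhold the bucket-metadata reads an external checker needs, which is the blind-spot pattern the talk describes. The sample policy, account id and role ARN are constructed, and the set of metadata-read actions is an assumption.

```python
import json

# Constructed sample inputs (not from the talk): a policy that grants anonymous
# object reads and also denies a hypothetical scanner role the metadata reads it
# would need to notice that exposure.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/hypothetical-scanner-role"},
         "Action": ["s3:GetBucketAcl", "s3:GetBucketPolicy"],
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})
SAMPLE_ACL_GRANTS = [  # shape of the Grants list returned by GetBucketAcl
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Assumption: the reads an external checker needs, plus wildcards that cover them.
# Matching is exact; NotAction and other patterns are not expanded here.
METADATA_READS = {"s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus",
                  "s3:GetBucketPublicAccessBlock", "s3:Get*", "s3:*"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_wildcard_principal(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))

def assess_bucket(policy_json, acl_grants):
    """Return findings derived from the ACL and policy alone, in a stable order."""
    findings = []
    for g in acl_grants:  # world- or any-AWS-user-readable/writable ACL grants
        if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(f"public-acl:{g['Permission']}")
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = set(_as_list(s.get("Action", [])))
        if s["Effect"] == "Allow" and _is_wildcard_principal(s.get("Principal")) and "Condition" not in s:
            findings.append("public-policy:" + ",".join(sorted(actions)))  # unconditional public grant
        elif s["Effect"] == "Deny" and actions & METADATA_READS and not _is_wildcard_principal(s.get("Principal")):
            # A targeted Deny on metadata reads can blind a specific checker; review it.
            findings.append("scanner-blind-spot:" + ",".join(sorted(actions & METADATA_READS)))
    return findings
```

Run it against the output of `get-bucket-acl` and `get-bucket-policy` for each bucket; any "scanner-blind-spot" finding deserves a manual look regardless of what a managed check reports.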

AI review

Clean, well-scoped vulnerability research that exposes a fundamental flaw in AWS's most widely deployed S3 security check. The Venn diagram methodology for finding the attack surface is elegant, the impact is universal (every AWS account), and the responsible disclosure process including pushing back on AWS's insufficient remediation communication demonstrates research maturity.
