The 10 Most Common AWS S3 Misconfigurations (And How to Fix Them)
April 3, 2026 · 8 min read
S3 misconfiguration remains one of the most common causes of accidental data exposure in AWS environments. Despite AWS enabling Block Public Access by default for new buckets since 2023, millions of buckets created before that change remain at risk.
1. Block Public Access not fully enabled
AWS provides four Block Public Access settings. All four should be enabled unless you are intentionally hosting public content — and even then, only on the specific bucket that requires it. This is covered by FixMyCloud rule AWS-S3-003.
2. Server-side encryption disabled
S3 buckets should have server-side encryption enabled. AWS now enables SSE-S3 encryption by default for new buckets, but existing buckets may still be unencrypted. This maps to rule AWS-S3-004.
Automatically detect S3 misconfigurations
FixMyCloud scans your S3 buckets across 12 checks including encryption, access logging, versioning, CORS, and lifecycle policies — mapped to SOC 2, PCI-DSS, and HIPAA.
Start a free scan →