AWS Trusted Advisor flaw allowed public S3 buckets to go unflagged - Help Net Security
Researchers at Fog Security uncovered a flaw in AWS Trusted Advisor that allowed publicly exposed S3 buckets to go unflagged if certain deny policies were applied, effectively “blinding” the tool. This misconfiguration risk could be exploited by insiders or attackers with compromised credentials to exfiltrate data without detection. AWS addressed the issue in June 2025, updating Trusted Advisor to correctly warn users and notifying customers by email, though researchers argue the communication understated the severity. To mitigate risk, Fog Security recommends enabling Block Public Access at both account and bucket levels, retiring ACLs in favour of IAM policies, and proactively scanning S3 configurations to ensure no unintended public exposure.
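The recommendation to scan S3 configurations proactively can be met with a check that does not depend on Trusted Advisor. The following is an added example, not code from Fog Security, AWS, or the article: the function names are hypothetical, the inputs are assumed to be shaped like the `PublicAccessBlockConfiguration`, ACL `Grants`, and bucket policy documents returned by the S3 API, and the sample data is constructed.

```python
import json

# Grantee URIs that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_bpa(account_bpa, bucket_bpa):
    """A Block Public Access setting is in force if enabled at the account or the bucket level."""
    return {k: bool((account_bpa or {}).get(k) or (bucket_bpa or {}).get(k)) for k in BPA_KEYS}

def _wildcard_principal(principal):
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def audit_bucket(account_bpa, bucket_bpa, acl_grants, policy_json):
    """Return sorted findings for one bucket; an empty list means nothing was flagged."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    findings = [f"bpa-disabled:{k}" for k in BPA_KEYS if not bpa[k]]
    # Existing public ACL grants stay effective unless IgnorePublicAcls is on.
    if not bpa["IgnorePublicAcls"]:
        for g in acl_grants or []:
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"public-acl:{g.get('Permission')}")
    # An existing public policy stays effective unless RestrictPublicBuckets is on.
    if policy_json and not bpa["RestrictPublicBuckets"]:
        statements = json.loads(policy_json).get("Statement", [])
        for s in [statements] if isinstance(statements, dict) else statements:
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal")):
                # Simplification: conditions are not evaluated, only routed to manual review.
                kind = "review-conditional-policy" if s.get("Condition") else "public-policy"
                findings.append(f"{kind}:{s.get('Sid', 'no-sid')}")
    return sorted(findings)

# Constructed sample input (not taken from the article): one public-read ACL grant
# and one public-read policy statement on a placeholder bucket name.
FULL_BPA = {k: True for k in BPA_KEYS}
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(audit_bucket(None, None, SAMPLE_ACL, SAMPLE_POLICY))
```

Because the check reads the bucket's ACL, policy, and Block Public Access settings directly, its result does not change with what a separate advisory tool is able to see.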