Will It Vibe logoWill It Vibe?
TF-001High severity-15 points

S3 bucket exposed with a public-read ACL

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A canned ACL of public-read or public-read-write makes bucket objects (or the whole bucket) readable, and writable, by anyone on the internet.

Why it matters

A public-read or public-read-write ACL makes the bucket contents readable, and in the write case modifiable, by anyone on the internet. This is one of the most common causes of data leaks from cloud storage, and objects added later inherit the same exposure. Attackers routinely scan for public buckets and download whatever they find.

How to fix it

Set acl to "private", or drop the acl argument and rely on the bucket owner enforced default. Control any legitimately public access through a narrow bucket policy and an aws_s3_bucket_public_access_block with all four guards set to true. If a static site needs public objects, front it with CloudFront and an origin access identity instead of opening the bucket.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks