Cloud Storage Bucket Misconfiguration Scanner
Derives candidate bucket names from your domain (plus any you supply) and checks AWS S3 and Google Cloud Storage for publicly listable buckets — a leading cause of cloud data leaks. Read-only checks against the providers’ public endpoints.
Cloud Bucket Scanner is a Pro tool
Specialized scans are part of ONEROXE Pro. Sign in and upgrade to run the cloud bucket scanner. Pro from ₹349/mo ($12/mo).
What this assesses
- ✓ Publicly listable AWS S3 buckets (world-readable object listing)
- ✓ Publicly listable Google Cloud Storage buckets
- ✓ Existing-but-private buckets (name taken, access denied)
- ✓ Candidate names derived from your domain + common suffixes
How it works
Read-only · list-only GETs to AWS/GCS
1. We derive candidate bucket names from your domain and company name.
2. We send list-only GET requests to AWS S3 and Google Cloud Storage to see which buckets exist and are publicly listable.
3. We only read listings on the cloud providers’ own endpoints — nothing is uploaded or modified.
What it doesn’t do: this is name-based discovery, so a clean result means the names we guessed were not public; it is not proof that no bucket exists.
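The outcomes listed above (publicly listable, existing but private, not found) can be told apart from the response to a list-only GET alone. The sketch below is an added example, not ONEROXE's code: it classifies constructed responses offline, assumes the S3-style XML bodies (`ListBucketResult`, `AccessDenied`, `NoSuchBucket`), and words a clean result as covering only the checked names. The bucket names and function names are made up for illustration.

```python
import re

# Constructed (HTTP status, body) pairs standing in for responses to a
# list-only GET on a bucket URL; the bucket names are made up.
SAMPLES = {
    "example-backup": (200, '<?xml version="1.0"?><ListBucketResult>'
                            "<Name>example-backup</Name></ListBucketResult>"),
    "example-assets": (403, "<Error><Code>AccessDenied</Code></Error>"),
    "example-dev": (404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "example-logs": (200, "<html>proxy login page</html>"),
}

LISTING = re.compile(r"\s*(<\?xml[^>]*\?>\s*)?<ListBucketResult\b")
ERROR_CODE = re.compile(r"<Code>([^<]+)</Code>")


def classify(status, body):
    """Map one response to the outcome it supports, or 'inconclusive'."""
    if status == 200 and LISTING.match(body):
        return "public-listable"      # anonymous listing succeeded
    m = ERROR_CODE.search(body)
    code = m.group(1) if m else None
    if status == 403 and code == "AccessDenied":
        return "exists-private"       # name taken, access denied
    if status == 404 and code == "NoSuchBucket":
        return "not-found"
    return "inconclusive"             # proxy page, throttling, other errors


def summarize(responses):
    """Group checked names by outcome and word the verdict conservatively."""
    groups = {}
    for name, (status, body) in sorted(responses.items()):
        groups.setdefault(classify(status, body), []).append(name)
    if groups.get("public-listable"):
        verdict = "public listing found"
    elif groups.get("inconclusive"):
        verdict = "incomplete: re-check inconclusive names"
    else:
        # Clean only for the names checked, not for every possible bucket.
        verdict = f"no public listing among {len(responses)} checked names"
    return groups, verdict


if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A 200 response that is not a bucket listing (for example an intercepting proxy page) is reported as inconclusive rather than as a finding or as a clean result.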
Why it matters
Misconfigured, world-readable storage buckets are behind a long list of major data breaches. Because bucket names are often predictable from the brand, attackers guess and enumerate them constantly — finding and closing public buckets first is essential.
Frequently asked questions
Why does this require sign-in?
Bucket checks are authorisation-sensitive — you should only run them against storage you own or are permitted to test. Sign-in ties the scan to an account, and you must confirm you are authorised.
Does a clean result mean I have no public buckets?
No. This guesses names from your domain and any you provide — it cannot enumerate every possible bucket. A clean result means none of the checked names were public.
Is it legal to scan buckets?
Only scan storage you own or are explicitly authorised to test. Accessing third-party buckets without permission may be unlawful — this tool is for assessing your own exposure.