What cloud misconfigurations does VeilScan detect?

VeilScan detects publicly accessible S3 buckets and other cloud storage endpoints associated with your domain, cloud storage URLs referenced in your web assets, subdomain CNAME records pointing to cloud services, and patterns indicating misconfigured cloud-hosted infrastructure. Detection is purely external — no cloud credentials or AWS access are required.

Can VeilScan detect a public S3 bucket without AWS credentials?

Yes. VeilScan identifies S3 bucket names associated with your domain through DNS patterns, web asset references, and bucket naming conventions, then tests whether those buckets allow unauthenticated public access. This is the same approach an attacker would use — no credentials required.

Does VeilScan access data inside public cloud storage?

VeilScan confirms whether a bucket or storage endpoint is publicly accessible and lists the existence of files where the bucket allows directory listing. It does not download or store the contents of any files found. The proof evidence for a public S3 finding shows that the bucket is publicly accessible — not what is inside it.

Feature

Cloud Misconfiguration Detection: Find Exposed Storage First

Quick Answer: VeilScan identifies S3 buckets and cloud storage endpoints associated with your domain and tests whether they allow unauthenticated public access. Detection is purely external — no cloud credentials or IAM access are required. Publicly accessible cloud storage is one of the most common sources of Critical findings in VeilScan scans and a frequent cause of real-world data breaches.

Why is cloud misconfiguration a major attack surface risk?

Cloud storage services like AWS S3, Google Cloud Storage, and Azure Blob Storage default to private access — but it is easy to accidentally make a bucket public through misconfiguration. Development teams sometimes make test buckets public for convenience and forget to revert the setting. Infrastructure-as-code templates may include public-access permissions that propagate to production.

A publicly accessible S3 bucket can expose database backups, configuration files, application logs, customer data exports, API keys embedded in configuration, and private code. These are among the highest-value targets for attackers and among the most commonly misconfigured assets in cloud-hosted infrastructure.

How does VeilScan detect cloud misconfigurations without credentials?

VeilScan uses external reconnaissance techniques to identify cloud assets associated with your domain:

DNS patterns — CNAME records pointing to cloud storage endpoints (e.g. assets.yourcompany.com CNAME yourcompany.s3.amazonaws.com) reveal bucket names and regions
Web asset references — links in HTML, JavaScript, and CSS files that reference cloud storage URLs
Naming convention enumeration — common S3 bucket naming patterns based on your domain name and company name
Public access testing — HTTP requests to identified bucket endpoints to determine whether unauthenticated access is permitted

This is the same approach a motivated attacker would use. VeilScan surfaces the findings before the attacker does.

What happens when a public S3 bucket is found?

When VeilScan confirms a bucket or cloud storage endpoint allows unauthenticated public access, it records the finding at Critical or High severity depending on the evidence available:

If the bucket allows directory listing and sensitive file types are visible, the finding is Critical — with the file listing as proof evidence
If the bucket is publicly accessible but directory listing is disabled or only non-sensitive content is apparent, the finding is High

The proof evidence in the report shows the HTTP response confirming public accessibility — giving your team the exact evidence needed to reproduce and remediate the issue. VeilScan does not download or store file contents.

Does VeilScan scan cloud configuration beyond storage?

VeilScan focuses on externally visible cloud misconfiguration signals that are detectable without credentials. This includes cloud storage exposure, cloud-hosted admin panels and APIs, and infrastructure patterns that indicate specific cloud services are in use. Internal cloud configuration — IAM policies, security groups, VPC settings — requires credentialed cloud-native tools and is outside VeilScan's external-only scope.

See: What is a Public S3 Bucket? · Asset Discovery feature · Proof-Based Findings feature

What are the most common questions?

Is cloud misconfiguration detection included on the free plan?

Yes. Cloud misconfiguration checks are included in the free scan. Findings detected appear at their appropriate severity. Critical cloud findings (confirmed publicly accessible buckets with sensitive content) require a paid plan to view in full. See all plans.

Does VeilScan work for Google Cloud Storage or Azure Blob Storage?

VeilScan's cloud misconfiguration detection is primarily focused on AWS S3. Detection signals for other cloud providers are included where external DNS and URL patterns allow identification. Contact hello@veilscan.net if you use a specific provider and want to understand coverage.

How do I fix a public S3 bucket finding?

In the AWS S3 console, navigate to the bucket, go to Permissions, and enable Block Public Access. If the bucket intentionally serves public content (a static website), review whether the content is appropriate for public access. Remove any sensitive files and restrict access to specific paths using a bucket policy rather than full public access. VeilScan's finding includes specific remediation guidance for each case.

Check whether your cloud assets are publicly exposed. The free scan includes cloud misconfiguration checks for one domain. Start your free scan → · Back to all features