Valtik Studios
MinIO · high · Updated 2026-04-17 (orig. 2026-01-09) · 10 min

MinIO: When Your S3-Compatible Storage Lists Everything

MinIO is S3-compatible object storage widely used in self-hosted cloud deployments. Misconfigured anonymous access policies expose entire buckets to listing and download. We walk through detecting and remediating this during S3 and object storage penetration testing.

Phillip (Tre) Bucchi, Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

S3-compatible is not the same as "S3-secure"

Every team that self-hosts S3 via MinIO thinks they understand S3 security. The API is identical. SDK calls work the same. Bucket policies read the same.

They aren't the same. MinIO inherits the S3 API but not AWS's hardening posture. AWS S3 has blocked public access by default since 2023. MinIO ships with no equivalent default: buckets are accessible according to whatever policy is configured, and often no policy is configured at all.

MinIO assessments open the same way. Hit the deployment. Run one specific request. Get confirmation of anonymous listing on a production bucket. Then find every other bucket with that same config.

The enumeration chain

  1. GET /: returns an XML listing of all buckets if anonymous access is allowed
  2. GET /{bucket}: lists all objects in a bucket
  3. GET /{bucket}/{key}: downloads any object directly

No authentication headers, no signed URLs, no access tokens. Just plain HTTP GETs.

What we find in exposed MinIO instances

MinIO is popular for storing:

  • Database backups: full SQL dumps with credentials in connection strings
  • Log archives: application logs with tokens and PII
  • User uploads: documents, images, and files intended to be private
  • Build artifacts: compiled binaries, Docker images, and deployment packages

How we detect this

Our scanner:

  1. Requests / and checks for the S3 ListBuckets XML response
  2. Enumerates each discovered bucket
  3. Samples object keys to assess data sensitivity
  4. Tests anonymous PUT to check for write access
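The following is an added example, not Valtik's scanner and not MinIO code: a self-audit script that sends the same unauthenticated GETs described in the enumeration chain above and parses the S3 XML that comes back, so an operator can confirm whether their own deployment answers anonymous ListBuckets and ListObjects requests before an assessor does. It only lists and inspects key names, never downloads objects, and leaves out the anonymous PUT probe. The sample XML bodies at the bottom are constructed for the offline demo; the endpoint (http://127.0.0.1:9000) and the sensitive-name patterns are assumptions.

```python
"""Read-only anonymous-listing check for a MinIO / S3-compatible endpoint.

Hypothetical audit helper (not Valtik's scanner, not MinIO code). It issues
plain HTTP GETs with no Authorization header and classifies the S3 XML that
comes back. Only GET / and GET /{bucket} are used; objects are never fetched.
"""
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Key names that usually mean the bucket holds what the post lists:
# database dumps, logs, secrets, build artifacts. Pattern list is an assumption.
SENSITIVE_KEY_RE = re.compile(
    r"\.(sql|dump|bak|tar\.gz|tgz|log|env|pem|key|p12|jks)$|(^|/)\.env",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the S3 XML namespace so parsing works with or without xmlns."""
    return tag.split("}", 1)[-1]


def classify(status, body):
    """Return (kind, payload) for one anonymous GET response.

    kind is "buckets" (ListAllMyBucketsResult, payload = bucket names),
    "objects" (ListBucketResult, payload = object keys), "denied" (S3 <Error>
    document, payload = error Code) or "other" (non-XML, HTML login page, ...).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("other", status)
    name = _local(root.tag)
    if name == "ListAllMyBucketsResult":
        return ("buckets", [n.text for n in root.iter() if _local(n.tag) == "Name" and n.text])
    if name == "ListBucketResult":
        return ("objects", [k.text for k in root.iter() if _local(k.tag) == "Key" and k.text])
    if name == "Error":
        return ("denied", next((c.text for c in root if _local(c.tag) == "Code"), "Unknown"))
    return ("other", status)


def sensitive_keys(keys):
    """Keys whose names suggest backups, logs or secrets."""
    return [k for k in keys if SENSITIVE_KEY_RE.search(k)]


def anonymous_get(url, timeout=10):
    """HTTP GET with no credentials; 403/404 bodies still carry S3 XML."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def audit(endpoint, sample=20):
    """GET / then GET /{bucket}?max-keys=N per bucket; returns findings dict."""
    base = endpoint.rstrip("/")
    findings = {"endpoint": base, "anonymous_list_buckets": False, "buckets": {}}
    kind, buckets = classify(*anonymous_get(base + "/"))
    if kind != "buckets":
        return findings  # MinIO answers 403 AccessDenied when no anonymous policy applies
    findings["anonymous_list_buckets"] = True
    for bucket in buckets:
        kind, payload = classify(*anonymous_get(f"{base}/{bucket}/?max-keys={sample}"))
        if kind == "objects":
            findings["buckets"][bucket] = {"listable": True, "sample": payload,
                                           "sensitive": sensitive_keys(payload)}
        else:
            findings["buckets"][bucket] = {"listable": False, "response": payload}
    return findings


# Constructed sample responses for the offline demo (not captured from any deployment).
SAMPLE_LIST_BUCKETS = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>minio</ID><DisplayName>minio</DisplayName></Owner>
  <Buckets>
    <Bucket><Name>db-backups</Name><CreationDate>2026-01-01T00:00:00.000Z</CreationDate></Bucket>
    <Bucket><Name>uploads</Name><CreationDate>2026-01-01T00:00:00.000Z</CreationDate></Bucket>
  </Buckets>
</ListAllMyBucketsResult>"""

SAMPLE_LIST_OBJECTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>db-backups</Name><Prefix></Prefix><MaxKeys>20</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>prod/2026-01-08.sql</Key><Size>1024</Size></Contents>
  <Contents><Key>prod/README.txt</Key><Size>12</Size></Contents>
  <Contents><Key>prod/.env</Key><Size>200</Size></Contents>
</ListBucketResult>"""

SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource></Error>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))  # e.g. python check.py http://127.0.0.1:9000 (assumed address)
    else:
        print(classify(200, SAMPLE_LIST_BUCKETS), classify(403, SAMPLE_DENIED))
```

A healthy deployment returns ("denied", "AccessDenied") for GET / and for every bucket; any "buckets" or "objects" result is the misconfiguration this post is about, and the sensitive-key sample tells you how urgent the fix is.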

Defense

  • Set bucket policies that deny anonymous access
  • Enable MinIO's built-in identity management
  • Use mc admin policy to configure granular access
  • Never expose MinIO's API port directly to the internet
  • Use presigned URLs for temporary access to specific objects
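To show what the last defense looks like in practice, here is an added example (not MinIO's or Valtik's code) that builds a short-lived presigned GET URL for a single object using only the Python standard library, so the bucket itself can stay closed to anonymous requests. The endpoint http://minio.internal:9000, the bucket and key, and the credentials EXAMPLEACCESSKEY / EXAMPLESECRETKEY are placeholders; the region is assumed to be MinIO's default, us-east-1, and path-style addressing is assumed, which is how MinIO serves requests by default.

```python
"""Presigned GET URLs for MinIO with the standard library only (AWS SigV4
query-string signing). Added example: endpoint, bucket, key and credentials
are placeholders; region assumed to be MinIO's default, us-east-1."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

MAX_EXPIRES = 7 * 24 * 3600  # S3 caps presigned URL lifetime at 7 days


def _uri_encode(s, keep_slash):
    # SigV4 canonical encoding: RFC 3986, unreserved characters left alone.
    return urllib.parse.quote(s, safe="/-_.~" if keep_slash else "-_.~")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(endpoint, bucket, key, access_key, secret_key,
                expires=300, region="us-east-1", now=None):
    """Build a path-style presigned GET URL valid for `expires` seconds."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/s3/aws4_request"
    parsed = urllib.parse.urlsplit(endpoint)
    host = parsed.netloc  # keep the :9000 so the signed Host header matches
    path = "/" + _uri_encode(f"{bucket}/{key}", keep_slash=True)

    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{_uri_encode(k, False)}={_uri_encode(v, False)}"
                     for k, v in sorted(params.items()))
    # Canonical request: method, URI, query, canonical headers (each ending in
    # "\n"), signed header names, payload hash (UNSIGNED-PAYLOAD for presigning).
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    signing_key = ("AWS4" + secret_key).encode()
    for part in (f"{now:%Y%m%d}", region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{parsed.scheme}://{host}{path}?{query}&X-Amz-Signature={signature}"


def presigned_params(url):
    """Decode the X-Amz-* query parameters of a presigned URL for review."""
    query = urllib.parse.urlsplit(url).query
    return {k: v for k, v in urllib.parse.parse_qsl(query, keep_blank_values=True)
            if k.startswith("X-Amz-")}


def expires_at(url):
    """When the URL stops working: X-Amz-Date plus X-Amz-Expires, in UTC."""
    p = presigned_params(url)
    start = dt.datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return start + dt.timedelta(seconds=int(p["X-Amz-Expires"]))


def demo_url(key="reports/q1 2026.pdf", expires=300):
    """Deterministic sample: fixed clock and placeholder credentials."""
    fixed = dt.datetime(2026, 1, 9, 12, 0, 0, tzinfo=dt.timezone.utc)
    return presign_get("http://minio.internal:9000", "uploads", key,
                       "EXAMPLEACCESSKEY", "EXAMPLESECRETKEY", expires=expires, now=fixed)


if __name__ == "__main__":
    url = demo_url()
    print(url)
    print("expires at", expires_at(url).isoformat())
```

A URL like this grants one object for five minutes and nothing else; pair it with removing any anonymous policy from the bucket (mc anonymous set none ALIAS/BUCKET) so the presigned link is the only unauthenticated path to the object, and treat X-Amz-Expires values near the seven-day maximum as a finding in their own right.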
Tags: minio, s3, object storage, data exposure, cloud security, penetration testing, vulnerability assessment, research

Want us to check your MinIO setup?

Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. A free website check is available, no commitment required.
