MinIO: When Your S3-Compatible Storage Lists Everything
MinIO is S3-compatible object storage widely used in self-hosted cloud deployments. Misconfigured anonymous access policies expose entire buckets to listing and download. We walk through detecting and remediating this during S3 and object storage penetration testing.
S3-compatible doesn't mean S3-secure
MinIO implements the S3 API, but it doesn't inherit AWS S3's default security posture. AWS S3 blocks public access by default since 2023. MinIO has no such default. buckets are accessible based on whatever policy is configured, and the default is often no policy at all.
The enumeration chain
GET /. returns an XML listing of all buckets if anonymous access is allowedGET /{bucket}. lists all objects in a bucketGET /{bucket}/{key}. downloads any object directly
No authentication headers, no signed URLs, no access tokens. Just plain HTTP GETs.
What we find in exposed MinIO instances
MinIO is popular for storing:
- Database backups. full SQL dumps with credentials in connection strings
- Log archives. application logs with tokens and PII
- User uploads. documents, images, and files intended to be private
- Build artifacts. compiled binaries, Docker images, and deployment packages
How we detect this
Our scanner:
- Requests
/and checks for the S3 ListBuckets XML response - Enumerates each discovered bucket
- Samples object keys to assess data sensitivity
- Tests anonymous PUT to check for write access
Defense
- Set bucket policies that deny anonymous access
- Enable MinIO's built-in identity management
- Use
mc admin policyto configure granular access - Never expose MinIO's API port directly to the internet
- Use presigned URLs for temporary access to specific objects
Want us to check your MinIO setup?
Our scanner detects this exact misconfiguration. plus dozens more across 38 platforms. Free website check available, no commitment required.