Amazon S3 buckets using predictable service naming (e.g., aws-glue-assets-<account>-<region>, sagemaker-<region>-<account>) are identified and their ownership checked.
Buckets that match these patterns for your account but are owned by another account, in any region, are surfaced as shadow-resource candidates.
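The check's logic, emulated offline as an added example (this is not Prowler's own code): predictable names are expanded for the account across its regions, then each candidate is compared against the buckets the account owns. The `probe` callable is an assumption standing in for an S3 HeadBucket call; the account ID, regions, owned list and probe responses are constructed.

```python
from typing import Callable, Dict, List

# Predictable service naming patterns quoted in the check description.
PATTERNS = [
    "aws-glue-assets-{account}-{region}",
    "sagemaker-{region}-{account}",
]


def candidate_names(account: str, regions: List[str]) -> List[str]:
    """Expand every pattern for this account in every region."""
    return [p.format(account=account, region=r) for p in PATTERNS for r in regions]


def classify(account: str, regions: List[str], owned: List[str],
             probe: Callable[[str], int]) -> Dict[str, List[str]]:
    """Sort candidates into owned / shadow / unclaimed.

    owned: bucket names ListBuckets returns for *our* account.
    probe: returns the HTTP status a HeadBucket on the name would give
           (assumption): 404 = no such bucket, anything else = it exists.
    A bucket that exists but is not in our own list is a shadow-resource
    candidate, whether the probe answers 403 (foreign, private) or 200.
    """
    result: Dict[str, List[str]] = {"owned": [], "shadow": [], "unclaimed": []}
    for name in candidate_names(account, regions):
        if name in owned:
            result["owned"].append(name)
        elif probe(name) == 404:
            result["unclaimed"].append(name)
        else:
            result["shadow"].append(name)
    return result


def run_sample() -> Dict[str, List[str]]:
    """Constructed scenario: one bucket is ours, one was pre-claimed elsewhere."""
    account = "123456789012"                       # constructed account ID
    regions = ["us-east-1", "eu-west-1"]
    owned = ["aws-glue-assets-123456789012-us-east-1"]
    # Constructed HeadBucket answers; names not listed are treated as absent.
    responses = {"sagemaker-eu-west-1-123456789012": 403}
    return classify(account, regions, owned, lambda n: responses.get(n, 404))


if __name__ == "__main__":
    for status, names in run_sample().items():
        print(status, names)
```

In a real run, `owned` would come from ListBuckets and `probe` from HeadBucket; any name that lands in `shadow` is the condition this check flags, and `unclaimed` names are the ones to pre-provision.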
Risk
Preclaimed buckets matching your account's patterns let outsiders intercept service artifacts, causing:
- Loss of confidentiality (templates, data exfiltration)
- Compromised integrity (script/config injection RCE, privilege escalation)
- Reduced availability (creation failures or redirected writes)
Run this check with Prowler CLI
prowler aws --checks s3_bucket_shadow_resource_vulnerability
Recommendation
Apply defense in depth:
- Preprovision and own required service buckets in all current and planned regions
- Enforce least privilege so services write only to approved bucket names/ARNs
- Use non-guessable names where you control naming
- Monitor for look-alike buckets and separate duties for bucket creation vs. use
Remediation
Other
- In the Prowler finding, copy the exact bucket name flagged (e.g., aws-glue-assets-<ACCOUNT_ID>-<REGION>).
- Open the AWS S3 console and click Create bucket.
- Paste the exact bucket name and select the region that matches the name.
- Click Create bucket.
- Repeat for each flagged name/region so all predictable service buckets are owned by your account.
Resource Type
AwsS3Bucket