Code Room
Track: On-call · Difficulty: Medium · ID: oc-g371
Subject: Data exfiltration · Level: Mid–Senior · ~35 min · Common in Storage & CDN interviews · Industries: Software development, Technology

Question

A researcher reports that an S3 bucket holding nightly **analytics exports** (CSV dumps containing internal metrics and PII that is hashed, but reversible where the hashing is weak) is **publicly listable and readable**: the bucket policy grants `s3:ListBucket` and `s3:GetObject` to the `*` principal. Server access logs show steady anonymous GET traffic from varied IPs over the past ~9 days, and most objects have been downloaded. A recent IaC change intended to 'make the bucket accessible to the BI tool' added a broad bucket policy instead of one scoped to the tool's role. No alarm fired because nothing was 'breached' in the usual sense; the bucket was simply open. How do you triage what's exposed, contain it, and prevent this class of mistake?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Containment here is concrete: enable S3 Block Public Access on the bucket (and at the account level if nothing legitimately depends on public access), then replace the `*` principal with the BI tool's IAM role so the tool keeps working. Triage from the access logs: filter to unauthenticated requests (requester `-`) that returned 200, and summarise source IPs, the exposure window, and which keys were fetched. State the caveat explicitly: because the bucket was listable, every object in it must be treated as exposed, not only those with a logged GET, and server access logs are delivered on a best-effort basis, so the log is a lower bound. Separate root cause (an unscoped principal introduced by an IaC change that nothing reviewed for public access) from symptom (anonymous downloads), communicate status as you go, and close with what prevents a repeat: account-level Block Public Access, a policy check in the IaC pipeline that rejects unconditional `*` principals on read and list actions, and alerting on public buckets via IAM Access Analyzer or AWS Config.
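The triage and prevention steps above, as an added example (not code from the original page): one function that summarises unauthenticated reads from S3 server access log lines, and one that flags bucket-policy statements granting read or list to everyone without a condition, run against the broad policy the IaC change would have produced and a scoped version. The log lines, bucket name, object keys, account ID and the `bi-tool` role ARN are all constructed for illustration.

```python
"""Triage an open S3 bucket from access logs and lint its bucket policy.

Added example; not code from the original page. Log lines, bucket name,
object keys, account ID and the bi-tool role ARN are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Leading fields of the S3 server access log format; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\S+)'
)

# Constructed sample. Requester "-" is an unauthenticated request; the 404 is
# a scanner guessing a key that does not exist; the last line is the BI role.
SAMPLE_LOGS = """\
OWNER analytics-exports [01/Mar/2024:02:14:07 +0000] 198.51.100.7 - R1 REST.GET.BUCKET - "GET /analytics-exports?list-type=2 HTTP/1.1" 200 - 4096 - 12 - "-" "curl/8.4.0" - H1 - - - analytics-exports.s3.amazonaws.com TLSV1.2
OWNER analytics-exports [01/Mar/2024:02:14:09 +0000] 198.51.100.7 - R2 REST.GET.OBJECT exports/2024-02-28.csv "GET /analytics-exports/exports/2024-02-28.csv HTTP/1.1" 200 - 1048576 1048576 310 - "-" "curl/8.4.0" - H2 - - - analytics-exports.s3.amazonaws.com TLSV1.2
OWNER analytics-exports [03/Mar/2024:11:40:51 +0000] 203.0.113.22 - R3 REST.GET.OBJECT exports/2024-03-01.csv "GET /analytics-exports/exports/2024-03-01.csv HTTP/1.1" 200 - 1048576 1048576 290 - "-" "python-requests/2.31" - H3 - - - analytics-exports.s3.amazonaws.com TLSV1.2
OWNER analytics-exports [03/Mar/2024:11:41:00 +0000] 203.0.113.22 - R4 REST.GET.OBJECT exports/2024-03-02.csv "GET /analytics-exports/exports/2024-03-02.csv HTTP/1.1" 404 NoSuchKey - - 5 - "-" "python-requests/2.31" - H4 - - - analytics-exports.s3.amazonaws.com TLSV1.2
OWNER analytics-exports [09/Mar/2024:18:02:33 +0000] 10.20.30.40 arn:aws:sts::123456789012:assumed-role/bi-tool/session R5 REST.GET.OBJECT exports/2024-03-08.csv "GET /analytics-exports/exports/2024-03-08.csv HTTP/1.1" 200 - 1048576 1048576 300 - "-" "aws-sdk-java/2.20" - H5 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader analytics-exports.s3.amazonaws.com TLSV1.2
"""

# Constructed bucket inventory (e.g. from `aws s3api list-objects-v2`).
INVENTORY = {
    "exports/2024-02-28.csv", "exports/2024-03-01.csv",
    "exports/2024-03-07.csv", "exports/2024-03-08.csv",
}


def triage(log_text: str, inventory: set) -> dict:
    """Summarise successful unauthenticated reads: who, what, and over what window."""
    anon = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed/truncated line; count these separately in real use
        if m["requester"] != "-" or m["status"] != "200":
            continue  # authenticated traffic and failed probes are not exposure
        if m["operation"] in ("REST.GET.OBJECT", "REST.GET.BUCKET"):
            anon.append(m)
    times = [datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z") for m in anon]
    downloaded = {m["key"] for m in anon if m["operation"] == "REST.GET.OBJECT"}
    return {
        "anonymous_requests": len(anon),
        "listings": sum(m["operation"] == "REST.GET.BUCKET" for m in anon),
        "source_ips": Counter(m["ip"] for m in anon),
        "downloaded_keys": sorted(downloaded),
        # Lower bound only: a listable bucket means every key is exposed.
        "confirmed_fraction": len(downloaded & inventory) / len(inventory) if inventory else 0.0,
        "window": (min(times), max(times)) if times else None,
    }


# Bucket-policy lint: statements that give everyone read/list with no Condition.
PUBLIC_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_read_statements(policy: dict) -> list:
    """Return the Sids (or indexes) of statements that grant public read/list."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" not in principals:
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & PUBLIC_READ_ACTIONS and not st.get("Condition"):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


RESOURCES = ["arn:aws:s3:::analytics-exports", "arn:aws:s3:::analytics-exports/*"]

# What the IaC change produced: everyone can list and read.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BiToolAccess", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": RESOURCES}]}

# What it should have been: only the BI tool's role (hypothetical ARN).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BiToolAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/bi-tool"},
    "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": RESOURCES}]}

if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS, INVENTORY)
    print("anonymous reads:", summary["anonymous_requests"], "from", dict(summary["source_ips"]))
    print("downloaded:", summary["downloaded_keys"], "window:", summary["window"])
    print("broad policy findings:", public_read_statements(BROAD_POLICY))
    print("scoped policy findings:", public_read_statements(SCOPED_POLICY))
```

The lint deliberately ignores statements with any `Condition`, since a `*` principal restricted by `aws:SourceVpce` or `aws:SourceIp` is a different (and reviewable) case; run it in the IaC pipeline before apply, and pair it with account-level Block Public Access so a policy that slips through is still denied at request time.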
