Saved February 14, 2026
Do you care about this?
Fog Security found three ways to leave an S3 bucket publicly accessible without AWS Trusted Advisor's S3 bucket permissions check flagging it. They reported the gaps to AWS, but the first fix was incomplete, so Trusted Advisor kept reporting inaccurate bucket status for weeks. AWS's customer communication about the problem was also criticized as understating its severity.
If you do, here's more
In May 2025, Fog Security discovered that AWS Trusted Advisor's S3 bucket permissions check could be bypassed: in three specific configurations a bucket could be publicly accessible while Trusted Advisor reported it as not public. Data in such a bucket was exposed to unauthorized read and exfiltration while the AWS-provided check that many teams rely on reported it as secure. The check is one of the core Trusted Advisor checks available to every AWS customer at no extra cost; it misclassified these buckets, misreported their ACL status and did not evaluate bucket policies correctly.
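The practical lesson of the finding is not to treat a single reporter's verdict as the control. The evaluator below is an added example, not Fog Security's or AWS's code and not a reconstruction of the three bypass scenarios (the page does not describe them). It combines the three inputs that decide whether a bucket is public: the bucket ACL, the bucket policy, and the Public Access Block (PAB) settings. The sample ACLs, policies and bucket names are constructed for illustration; in production the same dictionaries come from boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`.

```python
"""Independent public-exposure evaluator for S3 bucket settings (added example)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL_GRANTEES = {ALL_USERS, AUTH_USERS}


def acl_public_grants(acl):
    """Return the permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            found.append(grant.get("Permission"))
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (unconditioned, conditioned) Sids of Allow statements with a wildcard principal.

    Assumption of this example: any Condition block is treated as restricting and the
    statement is reported for review rather than counted as public. AWS's own "public"
    definition is narrower and exempts only specific conditions (e.g. aws:SourceVpc).
    """
    if policy is None:
        return [], []
    if isinstance(policy, str):
        policy = json.loads(policy)
    public, conditioned = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        (conditioned if stmt.get("Condition") else public).append(stmt.get("Sid", "<no sid>"))
    return public, conditioned


def assess_bucket(name, acl, policy, public_access_block):
    """Combine ACL, policy and PAB into one verdict.

    public_access_block is the dict of the four boolean PAB settings; a missing key or a
    None dict is treated as False, which is the state of a bucket that never had PAB set.
    """
    pab = public_access_block or {}
    acl_perms = acl_public_grants(acl)
    policy_public, policy_conditioned = policy_public_statements(policy)
    reasons = []
    # IgnorePublicAcls neutralises existing public ACL grants. BlockPublicAcls only
    # rejects new public ACLs, so on its own it does not clear a grant already present.
    if acl_perms and not pab.get("IgnorePublicAcls", False):
        reasons.append("acl grants %s to everyone" % ",".join(sorted(acl_perms)))
    # RestrictPublicBuckets limits a public policy to the owning account and AWS services.
    if policy_public and not pab.get("RestrictPublicBuckets", False):
        reasons.append("policy statements %s allow Principal '*'" % ",".join(policy_public))
    return {"bucket": name, "public": bool(reasons), "reasons": reasons,
            "needs_review": policy_conditioned}


# Constructed sample inputs (not real buckets, owners or endpoints).
_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE_ACL_PRIVATE = {"Owner": {"ID": "example-owner-id"}, "Grants": [_OWNER]}
SAMPLE_ACL_PUBLIC_READ = {"Owner": {"ID": "example-owner-id"},
                          "Grants": [_OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                              "Permission": "READ"}]}
SAMPLE_POLICY_PUBLIC_GET = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_POLICY_VPC_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
PAB_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for verdict in (
        assess_bucket("acl-public-no-pab", SAMPLE_ACL_PUBLIC_READ, None, None),
        assess_bucket("policy-public-no-pab", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_PUBLIC_GET, None),
        assess_bucket("acl-public-pab-on", SAMPLE_ACL_PUBLIC_READ, None, PAB_ALL_ON),
        assess_bucket("policy-conditioned", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_VPC_ONLY, None),
    ):
        print(json.dumps(verdict))
```

Two caveats when running this against real accounts: the account-level Public Access Block (read via the s3control API) overrides bucket-level settings, so pass the effective union of both; and the `needs_review` list exists precisely because "has a Condition" is not the same as "is not public", which is the kind of shortcut that produces a misleading green check.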
Fog Security reported the findings to AWS on May 2, 2025; AWS confirmed them and committed to a fix. The first fix was incomplete: it only changed the affected findings' status to a warning and left the Access Control List (ACL) reporting inaccurate. Fog Security retested, reported the remaining gaps, and AWS deployed a second fix by the end of June 2025. AWS did not tell customers about the second fix, so anyone who had acted on the first notification had no way to know the check had still been wrong in the meantime.
Fog Security also criticized the transparency of AWS's customer communications about the severity of the findings. The emails did not say that Trusted Advisor had been reporting public buckets as non-public and did not explain what the ACL status meant. They stated that buckets excluded from the check would not affect the check summary, yet excluded buckets were still counted in it, adding to the confusion. An organization that relies on Trusted Advisor's assessment as its only control for public buckets could therefore have been exposed without knowing it.