On-Prem

This article is more than 1 year old

Good news: Unsecured Amazon Web Services S3 bucket discovery just got easier

Oh, that's not good news is it?

Tue 5 Dec 2017 // 05:01 UTC

If you thought the business of discovering unsecured Amazon Web Services S3 buckets was for the pros, think again: like all things, the process can be automated, and the code to automate it posted to GitHub.

It's not a new discipline: quickly Googling GitHub for S3 bucket enumeration turns up more than 1,000 results. However, these latest projects use data made public in certificate transparency logs, instead of lists of interesting words common in previous approaches.

Over the weekend, one project in particular came to this author's attention: Bucket Stream, which scans certificate transparency logs with a simple bit of Python.

“This tool simply listens to various certificate transparency logs (via Certstream) and attempts to find public S3 buckets from permutations of the certificates domain name,” author Paul Price (@darkp0rt on Twitter) wrote.

Price added a few useful tips for anybody using S3: randomise bucket names so they don't identify your company; set permissions and keep an eye on them; use two buckets to separate private and public data; audit who can access the data (for example, suppliers), and use Amazon Macie to classify and secure sensitive data.

Fast and furious

A second project, Slurp, builds on the Certstream idea, but re-implements it in Go, which author “bbb31” says is faster and avoids Python dependencies.

It also adds a bit of UI goodness, like colour-coding to identify S3 buckets that are secured versus those that are public.

Those are just the newest of the enumeration projects, of course, but using certificate information to get bucket names is the new wrinkle.

For the older Bucketeers, for example, you need AWS credentials to run the script, not required by Bucket Stream or Slurp.

The much older AWSBucketDump from Jordan Potti needed a lot more work from the user, since as Potti described it, it's a “brute forcer” based on word-lists.

Of course, pros like UpGuard's Chris Vickery and Kromtech's researchers probably have their own toolkits, but the big thing to remember is: if you secure your AWS bucket, bad actors will have to find another way to steal your secrets. ®

Topics

Special Features

Vendor Voice

Resources

On-Prem

Good news: Unsecured Amazon Web Services S3 bucket discovery just got easier

Oh, that's not good news is it?

Fast and furious

More about

More about

Narrower topics

Broader topics

More about

More about

More about

Narrower topics

Broader topics

TIP US OFF

Other stories you might like

AWS must pay $525M to cloud storage patent holder, says jury

US-EAST-1 region is not the cloudy crock it's made out to be, claims AWS EC2 boss

Irish power crunch could be prompting AWS to ration compute resources

Reducing the cloud security overhead

Snowmobile, Amazon's truck-powered migration service, reaches the end of the road

UK govt office admits ability to negotiate billions in cloud spending curbed by vendor lock-in

AWS severs connection with several hundred staff

Amazon to lure upstarts with $500K in AWS AI credits each

US House approves FISA renewal – warrantless surveillance and all

GenAI will be bigger than the cloud or the internet, Amazon CEO hopes

Global taxi software vendor exposes details of nearly 300K across UK and Ireland

SharePoint logs are easily circumvented and Microsoft is dragging its heels

About Us

Our Websites

Your Privacy