- Restricting Access to Amazon S3 Content by Using an Origin Access Identity
- Penetration testing of Amazon S3
- Use AWS Security Checks Burp extension
- AWScli S3 commands
- What’s in Amazon’s buckets?
- A deep dive into AWS S3 access controls – taking full control over your assets (Detectify)
- Test Cloud Storage (OWASP, WSTG-CONF-11)
- AWS Pentesting (HackTricks)
Vulnerability description for reporting available in VulnDB (GitHub)
➡ BChecks available on GitHub.
S3 Bucket Names
How to find unsecured S3 buckets
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
Access the bucket URL in a browser.
- Private bucket will respond with code “AccessDenied”.
- Public bucket will list the first 1,000 objects that have been stored.
- Nonexistent bucket will respond with code “NoSuchBucket”.
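The three responses above can be told apart by parsing the XML body S3 returns. The following is an added example (not part of the original notes) for auditing bucket names you are responsible for: it classifies an unauthenticated GET on a bucket URL as public, private, nonexistent or wrong-region, and includes constructed sample bodies so it runs offline; the bucket name example-bucket and the file names are made up.

```python
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def _local(tag):
    # Strip any XML namespace: "{ns}Key" -> "Key" (S3 <Error> bodies carry none)
    return tag.rsplit("}", 1)[-1]

def _text(root, name):
    return next((el.text for el in root.iter() if _local(el.tag) == name), "")

def classify_s3_response(status, body):
    """Map the body of an unauthenticated GET on a bucket URL to a verdict.
    Returns (verdict, detail): ("public", [keys]), ("private", "AccessDenied"),
    ("nonexistent", "NoSuchBucket"), ("wrong-region", endpoint) or ("unknown", info)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unknown", "HTTP %s, non-XML body" % status)
    kind = _local(root.tag)
    if kind == "ListBucketResult":  # listing came back: bucket is publicly listable
        return ("public", [el.text for el in root.iter() if _local(el.tag) == "Key"])
    if kind == "Error":
        code = _text(root, "Code")
        if code == "AccessDenied":
            return ("private", code)
        if code == "NoSuchBucket":
            return ("nonexistent", code)
        if code == "PermanentRedirect":  # path-style URL hit the wrong region
            return ("wrong-region", _text(root, "Endpoint"))
        return ("unknown", code)
    return ("unknown", "HTTP %s, unexpected <%s>" % (status, kind))

def check_bucket(name, timeout=10):
    # Live check of your own bucket name: no credentials are sent.
    req = Request("https://%s.s3.amazonaws.com/" % name)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_s3_response(resp.status, resp.read())
    except HTTPError as err:  # S3 returns 403/404 with an XML <Error> body
        return classify_s3_response(err.code, err.read())

# Constructed sample bodies (not captured from a real bucket), one per case.
SAMPLE_PUBLIC = (b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                 b'<Name>example-bucket</Name><Contents><Key>backup.sql</Key></Contents>'
                 b'<Contents><Key>notes.txt</Key></Contents></ListBucketResult>')
SAMPLE_PRIVATE = b'<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'
SAMPLE_MISSING = b'<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>'
```

Run `classify_s3_response(200, SAMPLE_PUBLIC)` on the samples to see each verdict, or `check_bucket("your-bucket")` for a live check of a bucket you own.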
Find public buckets
- DigiNinja’s Bucket Finder. Download from GitHub.
- CloudBrute
- Gobuster
The best option is to use Gobuster in s3 mode.
Manually
http://s3.amazonaws.com/<bucketname>
Bucket Finder
You could use CeWL to generate a wordlist first.
git clone https://github.com/digininja/CloudStorageFinder.git
cd CloudStorageFinder
./bucket_finder.rb wl.txt
Burp extension: AWS Security Checks
Prerequisites
Download boto3
cd boto3
pip --proxy http://user:password@proxy.com:8080 install --trusted-host pypi.org --trusted-host files.pythonhosted.org boto3 --target C:\<path to jython>\jython\Lib
Testing
Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to a bucket.
Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This unfortunately means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.
Improper ACL Permissions – The ACL of the bucket has its own permissions, which are often found to be world readable. This does not necessarily imply a misconfiguration of the bucket itself; however, it may reveal which users have what type of access.
Installation & Setup of AWS Client (awscli)
apt install awscli
apt upgrade awscli
# Configure the client
aws configure
AWS Access Key ID: PRESS ENTER
AWS Secret Access Key: PRESS ENTER
Default region name: PRESS ENTER
Default output format: PRESS ENTER
List bucket content
All S3 buckets have a DNS entry: [bucketname].s3.amazonaws.com (or [bucketname].s3-[region].amazonaws.com, to be confirmed). --no-sign-request will not ask for credentials, but you MUST PROVIDE A REGION.
# export http_proxy="http://127.0.0.1:3128"
# The s3:// URI takes the bucket name only, not its DNS hostname; pass the region as an option
aws --no-sign-request --region us-east-2 s3 ls s3://mybucket
aws --no-sign-request --region=us-east-2 s3 ls s3://mybucket/
Try to write in bucket
touch test.txt
aws --no-sign-request s3 cp test.txt s3://<bucketname>/test.txt
Using Curl
curl -X PUT -d 'test' 'http://s3.amazonaws.com/<bucketname>/test.txt'
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>...</RequestId><HostId>...</HostId></Error>