Penetration Testing of AWS S3 Bucket
In this article we explain how to penetration test an AWS S3 bucket: how to find buckets, how to check what access they grant, and what the common misconfigurations look like.
Understanding AWS S3 Bucket
A bucket is a logical unit of storage in Amazon Web Services' (AWS) object storage service, Simple Storage Service (S3). Buckets are used to store objects, which consist of data and the metadata that describes the data.
Amazon S3 Bucket Penetration Testing Basics
Many buckets are private today, but that does not mean they always were. The s3.amazonaws.com site is regularly indexed by Google (unless the bucket itself serves a robots.txt), so Google dorks still apply. For example, the following Google query finds Excel spreadsheets containing the word "password":
site:s3.amazonaws.com filetype:xls password
The Wayback Machine is also a great resource for identifying previously open buckets. Using a modified version of @mubix's Metasploit module, we quickly identified a few hundred buckets that are private now but were not previously.
All S3 buckets share one global namespace: a bucket name is unique across every AWS account, and the service answers differently for names that exist (403 AccessDenied when you lack permission) and names that do not (404 NoSuchBucket), so bucket enumeration cannot be prevented.
Every S3 bucket has a DNS entry: [bucketname].s3.amazonaws.com
It is easiest to access a bucket over its HTTP interface, either the virtual-hosted-style URL https://[bucketname].s3.amazonaws.com or the path-style URL https://s3-[region].amazonaws.com/[bucketname] (an organization's name is a common bucket-name guess), or to use the more powerful AWS CLI:
pip3 install awscli, or alternatively apt-get install awscli
In our lab awscli is already installed, so that requirement is satisfied.
Now configure awscli with the following command:
aws configure
The command prompts for the following details:
- AWS Access Key ID:
- AWS Secret Access Key:
- Default region name:
- Default output format:
Now the setup of awscli is done.
To check whether a bucket is open, run:
aws s3 ls s3://[bucket_name]
With the credentials configured above this tests access granted to "authenticated users" (any AWS account). Add the --no-sign-request flag to send the request anonymously and test for unauthenticated access instead. A 403 AccessDenied means the bucket exists but refuses you; a NoSuchBucket error means the name is unclaimed.
Here we created an S3 bucket named provensec, so the command looks like:
aws s3 ls s3://provensec
S3 Common Vulnerabilities
If you’re new to AWS or S3, there are a few common vulnerabilities you should be aware of:
Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to the bucket.
Semi-public Bucket Access – An S3 bucket is configured to allow access to "authenticated users". This, unfortunately, means anyone authenticated to AWS with any account, not just users of the bucket owner's account. A valid AWS access key and secret key (from any account) is required to test for this condition.
Improper ACL Permissions – The bucket's own ACL is world readable (READ_ACP granted to everyone). This does not necessarily mean the bucket's contents are exposed, but it reveals which users and groups have which type of access, which is valuable reconnaissance.
Access Control Lists (ACLs)
S3 access control lists can be applied at the bucket level as well as at the object level. They support the following set of permissions:
- READ: At the bucket level, this allows the grantee to list the objects in the bucket. At the object level, this allows the grantee to read the contents as well as the metadata of the object.
- READ_ACP: At the bucket level, this allows the grantee to read the bucket's access control list. At the object level, this allows the grantee to read the object's access control list.
- WRITE: At the bucket level, this allows the grantee to create, overwrite, and delete any object in the bucket. There is no object-level WRITE permission.
- WRITE_ACP: At the bucket level, this allows the grantee to set the ACL of the bucket. At the object level, this allows the grantee to set the ACL of the object. Note that a grantee with WRITE_ACP can grant themselves every other permission.
- FULL_CONTROL: At the bucket level, this is equivalent to granting the "READ", "WRITE", "READ_ACP", and "WRITE_ACP" permissions to the grantee. At the object level, this is equivalent to granting the "READ", "READ_ACP", and "WRITE_ACP" permissions to the grantee.
Attack Scenario
The following scenario shows how these permissions are abused in practice.
First, find a public (open) bucket and check what it contains. With READ granted to everyone on the bucket, an unsigned listing request (the ls command above with --no-sign-request, or a plain GET of https://[bucketname].s3.amazonaws.com/) returns every object key.
Next, upload a file. If the All Users group has WRITE on the bucket, an unauthenticated upload (an unsigned HTTP PUT of the object) succeeds, so an attacker can plant malicious content that is served under the organization's name. Here we uploaded a file this way.
Finally, delete a file. The same WRITE permission covers overwriting and deleting every object in the bucket, not just the ones the attacker created, so we deleted the file without any authentication, and an attacker could just as easily wipe or replace the bucket's real contents.
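The checks in the scenario above (anonymous list, then write, then delete) can be driven with unsigned HTTP requests rather than the CLI. The script below is an added example written for this article; it is not the article's own tooling. It probes a bucket by name, parses the ListBucketResult XML when the listing is public, and only ever deletes the marker object it uploaded itself so no existing data is touched. The bucket name "provensec", the marker key and the sample listing are constructed; the fake responders exist so the probe can be run offline, and against a live target you simply omit the opener argument.

```python
"""Unsigned S3 probe: does a bucket grant anonymous list, write and delete?

Added example for this article, not the article's own tooling. The bucket
name "provensec", the marker key and the sample listing are constructed.
"""
import io
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
MARKER_KEY = "pentest-marker.txt"   # assumed name for the object we upload/delete


def bucket_url(bucket, key=""):
    """Virtual-hosted-style URL: https://[bucketname].s3.amazonaws.com/[key]."""
    return f"https://{bucket}.s3.amazonaws.com/{key}"


def anon_request(url, method="GET", data=None, opener=urllib.request.urlopen):
    """Send one request without any AWS signature; return (status, body)."""
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:       # 403/404 come back as exceptions
        return err.code, err.read()


def parse_listing(body):
    """Object keys from a ListBucketResult document (anonymous READ succeeded)."""
    root = ET.fromstring(body)
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


def probe_bucket(bucket, opener=urllib.request.urlopen):
    """Check the three anonymous permissions the scenario above abuses.

    DELETE is only attempted on the marker object this probe uploaded itself,
    so existing data in the target is never touched.
    """
    result = {"exists": None, "anon_list": False, "keys": [],
              "anon_write": False, "anon_delete": False}
    status, body = anon_request(bucket_url(bucket), opener=opener)
    if status == 404:                # NoSuchBucket: the name is unclaimed
        result["exists"] = False
        return result
    result["exists"] = True          # 200 or 403 (AccessDenied) both mean it exists
    if status == 200:
        result["anon_list"] = True
        result["keys"] = parse_listing(body)
    status, _ = anon_request(bucket_url(bucket, MARKER_KEY), "PUT",
                             b"pentest marker, safe to remove", opener=opener)
    result["anon_write"] = status == 200
    if result["anon_write"]:
        status, _ = anon_request(bucket_url(bucket, MARKER_KEY), "DELETE", opener=opener)
        result["anon_delete"] = status == 204
    return result


# --- constructed stand-ins so the probe can be exercised offline -------------
SAMPLE_LISTING = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                  b'<Name>provensec</Name><Contents><Key>backup.sql</Key></Contents>'
                  b'<Contents><Key>notes.txt</Key></Contents></ListBucketResult>')


class _Resp:
    """Just enough of the http.client response object that anon_request uses."""
    def __init__(self, status, body):
        self.status, self._body = status, body
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_open_bucket(req):
    """Imitates a bucket whose ACL grants the All Users group READ and WRITE."""
    method, url = req.get_method(), req.full_url
    if method == "GET" and url.endswith("/"):
        return _Resp(200, SAMPLE_LISTING)
    if method == "PUT" and url.endswith(MARKER_KEY):
        return _Resp(200, b"")
    if method == "DELETE" and url.endswith(MARKER_KEY):
        return _Resp(204, b"")
    raise urllib.error.HTTPError(url, 403, "Forbidden", {},
                                 io.BytesIO(b"<Error><Code>AccessDenied</Code></Error>"))


def fake_open_denied(code):
    """Imitates a private bucket (403) or a bucket that does not exist (404)."""
    def _open(req):
        raise urllib.error.HTTPError(req.full_url, code, "denied", {}, io.BytesIO(b""))
    return _open


if __name__ == "__main__":
    print(probe_bucket("provensec", opener=fake_open_bucket))
    # Against a live target, drop the opener argument: probe_bucket("provensec")
```

Run it against a name you are authorised to test and read the dictionary: exists=False means the name is free to be claimed, anon_list/anon_write/anon_delete map directly to READ and WRITE granted to the All Users group. A 403 on the listing with a successful PUT is the most dangerous combination in practice, since the bucket looks private to a casual check but can still be defaced.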
A grantee can be an individual AWS user, referenced by its canonical user ID or e-mail address, or one of the following predefined groups:
- The Authenticated Users group represents every user of every AWS account (not only the bucket owner's account) and is referenced by the URI "http://acs.amazonaws.com/groups/global/AuthenticatedUsers". A grant to this group is the "semi-public" condition described above.
- The All Users group represents all users, including anonymous ones, and is referenced by the URI "http://acs.amazonaws.com/groups/global/AllUsers". A grant to this group is the "unauthenticated" condition described above.
- The Log Delivery group is relevant only for server access logging and is referenced by the URI "http://acs.amazonaws.com/groups/s3/LogDelivery".
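When READ_ACP is granted to everyone, the ACL itself can be fetched unsigned (GET /?acl on the bucket or object URL) and it comes back as an AccessControlPolicy XML document. The script below is an added example written for this article, not AWS code: it parses such a document, expands FULL_CONTROL into its individual permissions, and reports every grant to the All Users or Authenticated Users groups, which is exactly the unauthenticated and semi-public access described above. The ACL document it contains is a constructed sample, not one retrieved from a real bucket.

```python
"""Audit an S3 ACL for grants to the predefined groups listed above.

Added example for this article, not AWS code. The ACL below is a constructed
sample in the AccessControlPolicy format that GET /?acl on the bucket's REST
endpoint (or the object's) returns.
"""
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Grantee group URI -> how the article classifies access granted to it
GROUP_RISK = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "public",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "semi-public",
    "http://acs.amazonaws.com/groups/s3/LogDelivery": "log-delivery",
}


def expand(permission, level="bucket"):
    """FULL_CONTROL is shorthand for the individual grants; WRITE has no object-level form."""
    if permission != "FULL_CONTROL":
        return [permission]
    if level == "bucket":
        return ["READ", "WRITE", "READ_ACP", "WRITE_ACP"]
    return ["READ", "READ_ACP", "WRITE_ACP"]


def audit_acl(xml_bytes, level="bucket"):
    """One finding per effective (grantee, permission) pair in the ACL."""
    findings = []
    for grant in ET.fromstring(xml_bytes).iter(S3_NS + "Grant"):
        grantee = grant.find(S3_NS + "Grantee")
        permission = grant.findtext(S3_NS + "Permission")
        if grantee.get(XSI_TYPE) == "Group":
            uri = grantee.findtext(S3_NS + "URI")
            who, risk = uri.rsplit("/", 1)[-1], GROUP_RISK.get(uri, "unknown-group")
        else:   # CanonicalUser (ID) or AmazonCustomerByEmail (EmailAddress)
            who = grantee.findtext(S3_NS + "ID") or grantee.findtext(S3_NS + "EmailAddress")
            risk = "named-user"
        for perm in expand(permission, level):
            findings.append({"grantee": who, "risk": risk, "permission": perm})
    return findings


def exposed_grants(findings):
    """Grants to All Users (unauthenticated access) or Authenticated Users (semi-public)."""
    return [f for f in findings if f["risk"] in ("public", "semi-public")]


SAMPLE_BUCKET_ACL = b"""<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>0123456789abcdef</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>0123456789abcdef</ID><DisplayName>owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""


if __name__ == "__main__":
    for f in exposed_grants(audit_acl(SAMPLE_BUCKET_ACL)):
        print(f"{f['risk']:12} {f['grantee']:20} {f['permission']}")
```

Pass level="object" when auditing an object ACL so FULL_CONTROL expands without WRITE. Pay particular attention to WRITE_ACP findings for either group: a grantee who can rewrite the ACL can grant themselves everything else, so it is as severe as FULL_CONTROL even though it looks narrower.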
For more details: