Penetration Testing of AWS S3 Bucket

By: admin | In: Articles, Blog | April 9, 2018
AWS Penetration Testing

In this article we explain penetration testing of an AWS S3 bucket.


Understanding AWS S3 Bucket

A bucket is a logical unit of storage in Amazon Web Services (AWS) object storage service, Simple Storage Solution S3. Buckets are used to store objects, which consist of data and metadata that describes the data.


Amazon S3 Bucket Penetration Testing Basics

Many buckets are now private, but that doesn't mean they were always private. The s3.amazonaws.com site is regularly indexed by Google (unless the bucket itself includes a robots.txt), so Google dorks still apply. For example, the following Google query can identify Excel spreadsheets containing the word "password":


site:s3.amazonaws.com filetype:xls password

Also, the WayBackMachine is a great resource for identifying previously open buckets. Using a modified version of @mubix's Metasploit module, we also quickly identified a few hundred buckets that are currently private but previously weren't.


All S3 buckets share a global naming scheme. Bucket enumeration is not avoidable.
All S3 buckets have a DNS entry: [bucketname].s3.amazonaws.com

It's easiest to access a bucket over its HTTP interface (https://[bucketname].s3.amazonaws.com), or through the regional path-style URL https://s3-[region].amazonaws.com/[organization_name], or to use the more powerful AWS CLI, installed with pip3 install awscli or apt-get install awscli.
Here awscli is already installed, so the requirement is satisfied.

(Screenshot: to pen test install python pip library on aws)

Now configure awscli with the following command:
aws configure
That command asks you to fill in the following details:

  • AWS Access Key ID:
  • AWS Secret Access Key:
  • Default region name:
  • Default output format:
(Screenshot: AWS pen test 2)

Now the setup of awscli is done.
To check whether a bucket is open, run this command:
aws s3 ls s3://[bucket_name]
Example:
Here we created an S3 bucket named provensec, so the command looks like this: aws s3 ls s3://provensec

(Screenshot: AWS pen test 2)

S3 Common Vulnerabilities


If you're new to AWS or S3, there are a few common vulnerabilities you should be aware of:
Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to the bucket.

(Screenshot: AWS pen test 4)

Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This, unfortunately, means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.


(Screenshot: AWS pen test 5)

Improper ACL Permissions – The bucket's ACL itself is often found to be world-readable. This does not necessarily imply a misconfiguration of the bucket itself; however, it may reveal which users have what type of access.

Access Control Lists (ACLs)


S3 access control lists can be applied at the bucket level as well as at the object level. They support the following set of permissions:

READ
At the bucket level, this allows the grantee to list the objects in a bucket. At the object level, this allows the grantee to read the contents as well as the metadata of an object.

READ_ACP
At the bucket level, this allows the grantee to read the bucket's access control list. At the object level, this allows the grantee to read the object's access control list.

WRITE
At the bucket level, this allows the grantee to create, overwrite, and delete objects in a bucket.

WRITE_ACP
At the bucket level, this allows the grantee to set an ACL for a bucket. At the object level, this allows the grantee to set an ACL for an object.

FULL_CONTROL
At the bucket level, this is equivalent to granting the “READ”, “WRITE”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee. At the object level, this is equivalent to granting the “READ”, “READ_ACP”, and “WRITE_ACP” permissions to a grantee.

Here is one attack scenario that shows the vulnerability.
First, find a public (open) S3 bucket and check what it contains.

(Screenshot: AWS pen test 6)
You may find a bucket like this one:

(Screenshot: AWS pen test 7)

Now we can upload a malicious file to the S3 bucket.
Here we uploaded a file.

(Screenshot: AWS pen test 8)
(Screenshot: AWS pen test 9)

Here we can delete a file from the S3 bucket without any authentication.

(Screenshot: AWS pen test 10)

Here the file is deleted.

(Screenshot: AWS pen test 11)

A grantee can be an individual AWS user, referenced by canonical user ID or email address, or one of the following predefined groups:

  • The Authenticated Users Group – Represents all AWS users and is referenced by the URI "http://acs.amazonaws.com/groups/global/AuthenticatedUsers".
  • The All Users Group – Represents all users (including anonymous ones) and is referenced by the URI "http://acs.amazonaws.com/groups/global/AllUsers".
  • The Log Delivery Group – Relevant only for access logging and is referenced by the URI "http://acs.amazonaws.com/groups/s3/LogDelivery".
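The ACL permissions and grantee groups described above can be audited mechanically. The following is an added example, not code from the original post: a Python function that takes the dict shape boto3's s3.get_bucket_acl(Bucket=...) returns (fetching it is assumed and not shown; the ACL below is a constructed sample) and reports which of the three exposure classes from the vulnerabilities section apply to a bucket.

```python
# Added example (not from the original post): classify the grants in an S3
# bucket ACL into the exposure classes the article describes. Input is the
# dict that boto3's s3.get_bucket_acl(Bucket=...) returns; SAMPLE_ACL below
# is a constructed sample, not any real bucket's ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# At bucket level FULL_CONTROL is shorthand for these four permissions.
FULL_CONTROL = ("READ", "WRITE", "READ_ACP", "WRITE_ACP")


def expand(permission):
    """Effective bucket-level permissions conveyed by one grant."""
    return set(FULL_CONTROL) if permission == "FULL_CONTROL" else {permission}


def classify_acl(acl):
    """Return {finding: sorted values} for the group grants in an ACL.

    unauthenticated: permissions held by AllUsers (anonymous access)
    semi_public:     permissions held by AuthenticatedUsers (any AWS account)
    acl_readable:    which of those two groups can read the ACL (READ_ACP)
    """
    findings = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # named users are deliberate grants, not world access
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            key = "unauthenticated"
        elif uri == AUTHENTICATED_USERS:
            key = "semi_public"
        else:
            continue  # e.g. the LogDelivery group: not an exposure by itself
        perms = expand(grant.get("Permission", ""))
        findings.setdefault(key, set()).update(perms)
        if "READ_ACP" in perms:
            findings.setdefault("acl_readable", set()).add(key)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample: anyone can list and write; any AWS account can read the ACL.
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
     "Permission": "READ_ACP"},
]}
```

Running classify_acl(SAMPLE_ACL) reports the anonymous READ and WRITE grants as unauthenticated access and the AuthenticatedUsers READ_ACP grant as both semi-public access and a readable ACL.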


For more details:
https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-policies.html