Hello,This is me!

Vaibhav Koli

Information Security Researcher Penetration Tester HTB Player Security Enthusiast CTF Player

Wednesday, April 1, 2020

Exploiting poorly configured amazon S3 bucket

Many of our customers run at least part of their infrastructure in public cloud environments, like Amazon Web Services (AWS), Google Cloud, or Microsoft Azure. And keeping in mind that there are a lot of advantages of utilizing the cloud, there are also unique security concerns that organizations must be aware of.
One of the biggest challenges we see with cloud security is that people are unpredictable and prone to, well, being human. So we often see security incidents happen that are simply errors made by well-intending employees. While they mean well, these errors can (and do) inadvertently put their organization at risk.
One of the most common errors that’s been popping up in the news and which we’ve started to see here at Expel is when users accidentally make Amazon S3 buckets public.
What’s Amazon S3, why do these breaches happen and how can you protect your own org from making this mistake? We’re laying out all the details for you below.

What is Amazon S3?

Amazon S3 (“S3” stands for “Simple Storage Service”) buckets are basically A Dropbox for IT and Tech teams. They can be used to store any amount of data like images, videos, websites, backups, new application builds, or really anything you want. You can even host a website using Amazon S3, and store all the elements on said website in a bucket.
Buckets are containers for objects. You can have one or more buckets. For each bucket, you can adjust the access permissions policies to it (who can create, delete, and list objects in the bucket), view access logs for it and its objects, and choose the geographical region where Amazon S3 will store the bucket and its contents.

Why do Amazon S3 buckets regularly end up open?

S3 buckets become public when any permissions are granted to the predefined groups “AuthenticatedUsers” or “AllUsers.” The “AuthenticatedUsers” group represents all AWS accounts, meaning anyone with an AWS account can access that S3 bucket. The “AllUsers” group consists of anyone in the world.
It’s easy to see how this can cause confusion especially if you’re new to the cloud. Developers and IT admins have grown up in an (on-premise) world where groups with “users” in the name are limited to only the employees in their organization. So when the guy in IT accidentally gives “AllUsers” access to the company directory and accidentally opens it to anyone with internet, it doesn’t mean he’s a dummy. In another way but then forgets to change the settings back. So, There are lots of ways that S3 buckets can become public.

How to find S3 buckets of a target application?

The S3 bucket name is not a secret, and there are many ways to figure it out. I will try to share all possible ways to find the bucket of the target application.

Method # 1:

There are many online tools are available on the internet to find S3 buckets of a website. Some of them are listed below.

  • Lazy S3
  • Bucket_finder
  • AWS Cred Scanner
  • Mass3
  • S3Scanner
  • S3BucketFinder

Mostly all tools are command-line tools. You can download them from GitHub.

Method # 2:

Look at the server details from the analyzer (Browser Extension) or via the response of any request for the target application. You can find whether the application is using Amazon S3 to store data or not.

Method # 3:

Right-click on the application and open “View page source”. Find the URL like

  • xyz.s3.amazonaws.com/
  • s3.amazonaws.com/xyz
  • xyz.s3.eu-west-1.amazonaws.com
  • s3.eu-west-1.amazonaws.com/xyz

Note: XYZ represents the bucket name and EU-west-1 is the region. The region can be varied.

Method # 4:

Use the BURP Suite and spider the target web application. BURP Spider plugin is one of my favorite plugins it 100% extracts the Amazon bucket of the target application.
These are some basic techniques to find the application using Amazon S3 or not.

How to exploit misconfigured Amazon buckets with AWS CLI?

To check the permissions of the bucket we need to download and install the “AwsCli” tool from the Amazon web service’s website. https://s3.amazonaws.com/aws-cli/AWSCLI64PY3.msi 
After a successful installation, we need to configure it with our AWS keys.

How to list the objects of a misconfigured Amazon S3 Bucket?

To Listing all objects and folders in a bucket enter the following command.
aws s3 ls s3://bucket-name

How to upload an object to a misconfigured Amazon bucket? 

aws s3 cp file.txt s3://bucket-name
aws s3 mv file.txt s3://bucket-name

How to download an object from a misconfigured Amazon bucket?

aws s3 cp s3://bucket-name/file-name ./
aws s3 mv s3://bucket-name/file-name ./

How to delete an object from a misconfigured Amazon bucket?

aws s3 rm s3://bucket-name/file-name

What can happen?

An attacker can control assets on high-profile websites, meaning he could do anything from overwriting files, uploading vulnerable files, downloading Intellectual property, and can delete sensitive data.

Since so many companies store sensitive data in S3 buckets, any leak could be devastating. You might remember the Million Dollar Instagram Bug that allowed security researcher Wes Wineberg to access every single image and account on Instagram. This was only possible because he had gained access to Instagram’s S3 bucket, where the company stored everything from source code to images.

How to fix it?

There are quite a few recommended actions in order to protect your sensitive information in your S3 buckets, in order to minimize your risk of exposed data either from account breaches or losses.

Restricting Access
Keep track of who has been granted access to S3 buckets and objects, and the level of privileges that have been granted. Although access to S3 buckets is private by default, write access to everyone automatically grants delete access to S3 objects. Therefore, access to S3 buckets should be restricted to a small number of trusted individuals. Similarly, granting read access to everyone allows all users to read the data saved in S3 buckets. It is important to know that you can use access control lists for granular permissions and enable multi-factor authentication before an object is deleted.

Audits and Monitoring
Internal transfers and new hires are common in any team. Regular audits should be performed to ensure that rights have been modified according to the role of the individual. Additionally, logging should be enabled for S3 buckets so that actions performed can be referenced in case of an issue.

Data Backup
Initiate a backup of your critical S3 buckets so that data can be restored from the backup copy in case of unexpected modifications or breaches. N2WS offers a free version of CPM that helps with backup, recovery, and disaster recovery of Amazon EC2 instances.

Infosec specialist whose Certifications includes CISEH (Certified Information Security and Ethical Hacking), CPTE (Certified Penetration Testing Expert), ICSI:CNSS (Certified Network Security Specialist) and ISO 27001:2013 LA designations; and detailed knowledge of security tools, technologies and best practices. Three years of experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations.

Vaibhav Koli
Hack The Box



Email *

Message *