September 9th, 2024

Hacking misconfigured AWS S3 buckets: A complete guide

Misconfigured AWS S3 buckets pose security risks. The guide details methods for testing permissions, emphasizes enabling versioning to prevent data loss, and recommends automated tools for efficient enumeration and testing.

AWS S3 buckets are widely used for storing both public and sensitive data, but misconfigurations can lead to significant security risks. This guide outlines methods for identifying and testing these misconfigurations, including checking list, read, download, and write permissions, as well as examining Access Control Lists (ACLs) and file type restrictions. Techniques for finding S3 buckets include analyzing HTTP responses, using search engine dorking, and brute-forcing common bucket names. The guide emphasizes the importance of testing permissions with AWS CLI commands to confirm that sensitive data is not exposed. It also highlights the necessity of enabling S3 versioning to prevent permanent data loss from accidental deletions or overwrites. Automated tools like S3enum, cloud_enum, and LazyS3 are recommended for efficient enumeration and testing of multiple S3 buckets. The article concludes by encouraging readers to practice their skills on vulnerable labs or participate in bug bounty programs to deepen their understanding of AWS S3 security.
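The permission, ACL and versioning checks the summary lists can be run as an offline audit of a bucket's own configuration. The Python below is an added example, not code from the article or from any of the tools it names: it takes dicts shaped like the JSON printed by `aws s3api get-bucket-acl`, `get-bucket-policy`, `get-bucket-versioning` and `get-public-access-block` (the sample inputs, bucket names and account/owner IDs are constructed placeholders) and reports public ACL grants, wildcard policy statements, versioning that is off or suspended, and a missing or partial public-access block.

```python
"""Offline audit of one bucket's configuration for the misconfigurations the
guide tests: public ACL grants, wildcard bucket policies, versioning left off
and a missing public-access block. Inputs mirror the JSON that the
`aws s3api get-bucket-*` commands print (added example, not the article's code)."""
import json

# Group URIs whose grants open a bucket to everyone or to any AWS account.
PUBLIC_GRANTEE_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# All four settings must be true for the public-access block to be effective.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy grammar allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def acl_findings(acl):
    """READ on the bucket ACL lets the grantee list it, WRITE lets them upload or
    delete objects, FULL_CONTROL adds changing the ACL itself."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GRANTEE_GROUPS[uri]}")
    return findings


def policy_findings(policy_json):
    """Flag Allow statements open to any principal with no Condition narrowing them."""
    if policy_json is None:  # get-bucket-policy fails with NoSuchBucketPolicy
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if wildcard and not stmt.get("Condition"):
            actions = ", ".join(_as_list(stmt.get("Action")))
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')!r} allows "
                            f"{actions} to any principal with no Condition")
    return findings


def versioning_findings(versioning):
    """get-bucket-versioning returns {} when versioning was never enabled and
    Status "Suspended" once switched off; only "Enabled" protects objects."""
    status = versioning.get("Status")
    if status == "Enabled":
        return []
    return [f"versioning is {status or 'not enabled'}: deleted or overwritten objects cannot be recovered"]


def public_access_block_findings(pab):
    """Pass None when get-public-access-block reported no configuration at all."""
    if pab is None:
        return ["no public access block configured"]
    config = pab.get("PublicAccessBlockConfiguration", {})
    off = [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]
    return [f"public access block leaves {', '.join(off)} disabled"] if off else []


def audit_bucket(acl, policy_json, versioning, public_access_block):
    """Run every check; an empty list means no finding."""
    return (acl_findings(acl) + policy_findings(policy_json)
            + versioning_findings(versioning)
            + public_access_block_findings(public_access_block))


# Constructed sample inputs with placeholder names and IDs: one weak, one hardened.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "WRITE"}]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-weak-bucket", "arn:aws:s3:::example-weak-bucket/*"]}]})
WEAK = (WEAK_ACL, WEAK_POLICY, {}, None)

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "AppReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-hardened-bucket/*"}})
HARDENED = ({"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}, HARDENED_POLICY,
            {"Status": "Enabled"},
            {"PublicAccessBlockConfiguration": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}})

if __name__ == "__main__":
    for label, inputs in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_bucket(*inputs)
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

The weak sample produces five findings (two public ACL grants, one wildcard policy statement, versioning never enabled, no public-access block); the hardened one produces none. Any `Allow` statement with a wildcard principal is reported even when its actions are read-only, because whether public reads are intended is a decision for the bucket owner, not the script.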

- Misconfigured AWS S3 buckets can lead to data leaks and security vulnerabilities.

- Various methods exist for identifying and testing S3 bucket permissions.

- Enabling S3 versioning is crucial to prevent permanent data loss.

- Automated tools can streamline the process of enumerating and testing S3 buckets.

- Practicing on vulnerable labs or bug bounty programs can enhance security skills.

Related

Simple ways to find exposed sensitive information

Various methods to find exposed sensitive information are discussed, including search engine dorking, Github searches, and PublicWWW for hardcoded API keys. Risks of misconfigured AWS S3 buckets are highlighted, stressing data confidentiality.

Well, it's just an AWS Account ID

AWS Account IDs are crucial for cloud security, aiding in resource sharing and reconnaissance. They facilitate IAM entity enumeration, service discovery, and security testing, highlighting AWS footprint insights for potential attacks. An upcoming course on securing AWS environments is recommended.

Using S3 as a Container Registry

Adolfo Ochagavía discusses using Amazon S3 as a container registry, noting its speed advantages over ECR. S3's parallel layer uploads enhance performance, despite lacking standard registry features. The unconventional approach offers optimization potential.

Revealing the Inner Structure of AWS Session Tokens

A study by Tal Be'ery reverse-engineered AWS Session Tokens, revealing their structure and developing tools for analysis. This research aids security professionals in understanding AWS's authentication protocols to prevent attacks.

Critical vulnerabilities in 6 AWS services disclosed at Black Hat USA

Critical vulnerabilities in six AWS services were disclosed, allowing account takeovers and data manipulation. Researchers highlighted a "Shadow Resources" attack exploiting predictable S3 bucket names. AWS resolved the issues after notification.

AI: What people are saying
The comments reflect a range of opinions on the complexity and security of AWS S3 bucket configurations.
  • Many users find the S3 interface and configuration options overly complex and confusing, especially for infrequent users.
  • There is a consensus that misconfigurations are common, raising concerns about security and data management.
  • Some commenters suggest that AWS could improve user experience by providing clearer visibility into bucket permissions and access.
  • Several users express skepticism about the perceived security of public cloud storage compared to on-premises solutions.
  • There are creative suggestions for handling misconfigured buckets, including intentionally creating decoy buckets to mislead potential attackers.
11 comments
By @iambateman - 8 months
S3 configuration is awful, full stop. It’s not just that the interface is a disaster and configuration options are full of jargon and access rules are written in JSON.

The problem is that for someone who only periodically uses S3, I’m lost. I’m not lost in other services…Cloudflare, Firebase, Mailgun, and dozens of others somehow manage to allow people to use their service without so much agony.

I’m almost positive my S3 bucket is misconfigured because of how absurdly complex it is.

If you disagree and have spent more than 200 hours working within S3 I submit that it’s because you’re just an expert. I shouldn’t need a certification to upload files and retrieve them securely.

By @travismcpeak - 8 months
This does a great job of highlighting why properly configuring infrastructure is hard: S3 buckets (one of the most simple cloud infra services) have 70 configuration options.

Imagine you're a junior dev and your manager says "just spin up an S3 bucket and drop the data there, and make sure your app can access it".

S3 does have some sensible defaults, but a lot of Terraform modules do not...imagine somebody who now has to decipher S3's basic properties, ACLs, IAM, etc.

By @OJFord - 8 months
This is just a list of 'how to do x with awscli [and if the bucket allows unauthenticated users to do x then you will get a result]'.

Unless I'm missing something there's nothing particularly.. interesting or thought out here? May as well read the docs for available s3/s3api operations - there's more!

By @amy-petrik-214 - 8 months
The article is a lengthy discussion of something simple. 1) use a proxy or VPN 2) write a bucket guesser in python (use your imagination) 3) run this https://github.com/sa7mon/S3Scanner Now you have list/read/write status info +/- existence per S3 scanner.

There, see? Didn't need a whole article.

By @arter4 - 8 months
The interesting thing is, most people wouldn't do the same things (say, chmod 777 all the things) on a public NAS.

If this assumption is true, it begs the question. Why do people act like public cloud storage is more secure than "private", on prem storage?

Do users expect safe defaults (as in, "default deny")?

Is it just a matter of attitude, where people think public cloud is more secure because it's not managed by (potentially short-staffed) corporate IT teams, even if it's not completely managed by the cloud provider?

Or is there something else?

By @encoderer - 8 months
In 2018 I added S3 bucket monitoring to my SaaS, Cronitor.io but we eventually retired it because AWS seems mostly to have solved this.

It’s hard in the console to make buckets public, it’s obvious when they are, and Amazon sends emails about public buckets just in case you’re not using the console.

By @hemloc_io - 8 months
Hah I've had some fun with this, and even submitted bug reports that were never looked at.

I have like the world's largest collection of license plate photos now. :)

By @the_arun - 8 months
I wish AWS showed who has access to every S3 bucket created right at the S3 console. It shows permissions but doesn't show external view.
By @paulpauper - 8 months
Thinking about creating intentionally misconfigured buckets with encrypted files that look like they have valuable stuff so the hackers waste tons of resources decrypting them only to see they are worthless.
By @happyraul - 8 months
I realize probably many (most?) people open this site on a mobile device, and the design is optimized for that. Still, does it bother anyone that on a desktop monitor, less than a third of the horizontal width is used for content?
By @msarrel - 8 months
Nice work!