S3 Bucket Enumeration

The document discusses S3 bucket enumeration, a process for discovering publicly accessible S3 buckets in AWS, highlighting the importance of identifying misconfigured buckets for security. It outlines key features of Amazon S3, types of AWS policies, and methods to find S3 buckets, as well as mitigation strategies to prevent unauthorized access. Additionally, it provides examples of bucket policies and various AWS storage services available for different use cases.

Uploaded by examaadi
Cloud computing is a term used to describe the delivery of computing services over the
Internet. It offers a range of services, including storage, applications, and processing
power.

In cloud computing, a bucket refers to a logical container for storing objects. It is a term
used in Amazon Web Services (AWS) Simple Storage Service (S3) to refer to a storage
resource used to store and organize data objects.

S3 bucket is a cloud-based storage service provided by AWS, where users can store
and access any type of data. It is an object storage service that allows users to upload,
store, and retrieve any type of data, including files, images, videos, and documents. The
S3 bucket is highly scalable, secure, and durable, making it an ideal choice for
businesses of all sizes.

However, with the increasing use of cloud storage, there has been a rise in the number
of misconfigured S3 buckets that are publicly accessible.

This is where S3 bucket enumeration comes into play.


S3 bucket enumeration is the process of discovering the names of S3 buckets that are
publicly available. This process is usually carried out using various tools and
techniques, such as web crawlers and search engines.

The main objective of S3 bucket enumeration is to identify misconfigured S3 buckets
that are publicly accessible and to report them to the respective owners for
remediation.

Key features of Amazon S3 include:

1. Scalability: S3 can scale seamlessly to accommodate any amount of data. It can
store virtually unlimited objects, with each object ranging in size from a few bytes
to terabytes.

2. Durability and Availability: Amazon S3 is built to provide high durability and
availability for stored data. It automatically stores multiple copies of each object
across different facilities within an AWS Region to ensure data durability.
Additionally, it provides a Service Level Agreement (SLA) guaranteeing
99.999999999% (11 nines) durability.

3. Security and Access Control: S3 offers robust security features to protect your
data. You can configure access control policies using AWS Identity and Access
Management (IAM) to grant fine-grained permissions to users or applications.
Encryption options are available to secure data at rest and in transit, including
server-side encryption with AWS Key Management Service (KMS) or client-side
encryption.

4. Lifecycle Management: S3 enables you to define lifecycle policies to
automatically transition objects between storage classes based on their age or
other criteria. For example, you can automatically move infrequently accessed
data to a lower-cost storage class or archive data to Glacier for long-term
retention.

5. Versioning and Version Control: S3 allows you to enable versioning for your
buckets, which keeps multiple versions of an object over time. This helps you
track changes and recover from both unintended deletions and application
failures.

6. Data Transfer and Transfer Acceleration: S3 provides various options for
transferring data into and out of the service. Transfer Acceleration is a feature
that uses the AWS global network to optimize data transfers, making it faster and
more efficient.

7. Integration with AWS Services: S3 seamlessly integrates with other AWS
services, such as AWS Lambda, Amazon CloudFront, AWS Glue, Amazon Athena,
and more, enabling you to build scalable and efficient data processing pipelines
and applications.

Types of AWS Policies

In AWS (Amazon Web Services), there are several types of policies used to manage
access and permissions for various services.

Here are the most common types of policies and their differences:

1. IAM (Identity and Access Management) Policies: IAM policies are used to
manage permissions for AWS Identity and Access Management (IAM) users,
groups, and roles. These policies define what actions are allowed or denied on
AWS resources. IAM policies can be attached to IAM entities and are written in
JSON (JavaScript Object Notation) or AWS policy language.

2. Bucket Policies: Bucket policies are used in Amazon S3 (Simple Storage Service)
to manage access to S3 buckets and objects. These policies control permissions
for resources within a bucket. Bucket policies are written in JSON and define who
can access the bucket and what actions they can perform.

3. AWS Service Policies: AWS service policies are used to manage permissions for
specific AWS services. These policies are created and managed by the AWS
service itself and allow or deny actions for resources within that service. Service
policies are typically managed through the AWS Management Console or AWS
Command Line Interface (CLI).

4. AWS Organizations Policies: AWS Organizations policies are used to manage
and control multiple AWS accounts within an organization. These policies help
enforce security, compliance, and governance across the organization's
accounts. AWS Organizations policies are written in JSON and define rules and
permissions for member accounts.

5. Resource-Based Policies: Resource-based policies are attached directly to AWS
resources and define who can access the resource and what actions they can
perform. These policies are specific to individual AWS services and resources,
such as EC2 instances, SNS topics, or Lambda functions. Resource-based
policies are written in JSON and can be managed through the service-specific
interfaces.

6. Permission Boundaries: Permission boundaries are IAM policies that define the
maximum permissions an IAM entity (user or role) can have. These policies are
used to set limits on the permissions granted to a user or role, allowing fine-
grained control over their access and preventing excessive privileges.

7. Identity-based policies: Identity-based policies are JSON permissions policy
documents that control what actions an identity (users, groups of users, and
roles) can perform, on which resources, and under what conditions.
Identity-based policies can be further categorized:

• Managed policies – Standalone identity-based policies that you can attach to
multiple users, groups, and roles in your AWS account. There are two types of
managed policies:
  o AWS managed policies – Managed policies that are created and managed
  by AWS.
  o Customer-managed policies – Managed policies that you create and
  manage in your AWS account. Customer-managed policies provide more
  precise control over your policies than AWS-managed policies.
• Inline policies – Policies that you add directly to a single user, group, or role. Inline
policies maintain a strict one-to-one relationship between a policy and an identity.
They are deleted when you delete the identity.

8. Access control lists (ACLs): Access control lists (ACLs) are service policies that
allow you to control which principals in another account can access a resource.
ACLs cannot be used to control access for a principal within the same account.
ACLs are similar to resource-based policies, although they are the only policy type
that does not use the JSON policy document format. Amazon S3, AWS WAF, and
Amazon VPC are examples of services that support ACLs.

Each of these policy types serves a specific purpose and operates at different levels
within the AWS environment. IAM policies manage user and role permissions, bucket
policies control access to S3 buckets, service policies manage permissions for specific
AWS services, organizations policies enforce policies across multiple accounts,
resource-based policies control access to individual resources, and permission
boundaries set limits on entity permissions.

How do S3 Bucket Policies work?

S3 bucket policies in AWS (Amazon Web Services) are used to control access to S3
buckets at a fine-grained level.

A bucket policy is a JSON-based document that specifies the permissions for the
bucket and its contents. It allows you to define who can perform certain actions on the
bucket and its objects, and from which sources these actions are allowed.

To understand how S3 bucket policies work, let's go through an example scenario:

Let's say you have an S3 bucket named "example-bucket" and you want to allow public
read access to all objects within the bucket.

1. Create an S3 bucket: Firstly, you would create the S3 bucket named "example-
bucket" using the AWS Management Console, AWS CLI, or an SDK.
2. Define the bucket policy: Next, you would define the bucket policy for "example-
bucket" by creating a JSON document. In this case, the bucket policy would look
like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

Let's break down the elements of this bucket policy:

1. Version: Specifies the version of the policy language. In this case, it is set to
"2012-10-17", which is the current version.
2. Statement: Contains an array of statements that define the permissions. You can
have multiple statements within a bucket policy.
3. Sid: The statement ID is an optional identifier for the statement. It helps you identify
and manage individual statements.
4. Effect: Specifies whether the statement allows or denies access. In this example, the
effect is set to "Allow".
5. Principal: Defines the AWS identity or user to which the policy applies. In this case,
it is set to "*", which means it applies to all users.
6. Action: Specifies the action that is allowed or denied. Here, "s3:GetObject" allows
the "GetObject" action, which enables reading objects from the bucket.
7. Resource: Specifies the Amazon Resource Name (ARN) of the bucket or objects to
which the policy applies. In this example, the ARN is set to "arn:aws:s3:::example-
bucket/*", which means it applies to all objects within the bucket.

3. Attach the bucket policy: After creating the bucket policy, you would attach it to the
"example-bucket". You can do this through the AWS Management Console, AWS CLI, or
an SDK. Once attached, the bucket policy takes effect immediately.

4. Verify the access: At this point, anyone with the appropriate URL can access the objects
in the bucket. For example, if there is an object named "example-object.txt" in the bucket,
it can be accessed using the URL:
https://example-bucket.s3.amazonaws.com/example-object.txt

This example demonstrates how an S3 bucket policy can allow public read access to
objects within a bucket. However, it's important to note that granting public access
should be carefully evaluated to ensure that sensitive or confidential data is not exposed
unintentionally.
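The evaluation described above is exactly what an auditor automates when reviewing a bucket for unintended public access. The Python below is an added example, not code from the original document: it parses a bucket policy, reports every Allow statement whose Principal is anonymous, and says whether an unconditioned statement covers s3:GetObject. The sample policies are constructed (the first statement mirrors the document's policy; the account id in the private policy is a placeholder).

```python
import json
from fnmatch import fnmatch

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for the Principal forms that match anyone, unauthenticated callers included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_public_statements(policy_json):
    """Return every Allow statement whose Principal is anonymous. 'conditioned'
    marks statements with a Condition block, which may narrow the grant (for
    example to a source IP or VPC) and so needs a manual look."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action")),
                "resources": _as_list(stmt.get("Resource")),
                "conditioned": "Condition" in stmt,
            })
    return findings

def is_publicly_readable(policy_json):
    """True if an unconditioned anonymous Allow covers s3:GetObject, directly or
    through a wildcard such as s3:Get* or s3:*."""
    for f in find_public_statements(policy_json):
        if not f["conditioned"] and any(
                fnmatch("s3:getobject", a.lower()) for a in f["actions"]):
            return True
    return False

# Constructed samples. The first statement is the document's public-read policy;
# the second adds public listing, which also exposes every key name. The account
# id in the private policy is a placeholder.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

Statements flagged as conditioned are not automatically public; the Condition block must be read to decide who actually matches.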

Types of storage services offered by AWS

AWS (Amazon Web Services) provides various storage options to cater to different
needs and use cases. Here are some of the main types of storage services offered by
AWS:
1. Amazon S3 (Simple Storage Service): Amazon S3 is an object storage service
that provides industry-leading scalability, durability, and security for storing and
retrieving any amount of data. It is commonly used for backup and restore, data
archiving, content distribution, and static website hosting.

2. Amazon EBS (Elastic Block Store): Amazon EBS provides block-level storage
volumes for EC2 instances. It offers persistent, high-performance storage that
can be attached to an EC2 instance and used as a primary storage device for
running applications or as a database storage solution.

3. Amazon EFS (Elastic File System): Amazon EFS is a scalable and fully managed
file storage service that provides shared file storage for EC2 instances. It allows
multiple instances to access the same file system simultaneously, making it
suitable for content management systems, web serving, and big data analytics
workloads.

4. Amazon Glacier: Amazon Glacier is a low-cost storage service designed for long-
term data archiving and backup. It offers durable and secure storage for
infrequently accessed data, with retrieval times ranging from minutes to hours.

5. Amazon FSx: Amazon FSx provides fully managed file systems that are optimized
for specific workloads. Currently, there are two types of file systems available:
Amazon FSx for Windows File Server (for Windows-based workloads) and
Amazon FSx for Lustre (for high-performance computing, machine learning, and
video processing).
6. Amazon S3 Glacier: Amazon S3 Glacier is a storage class within Amazon S3
designed for archiving and long-term backup of data. It offers a low-cost, durable,
and secure storage solution with configurable retrieval options.

7. Amazon S3 Intelligent-Tiering: Amazon S3 Intelligent-Tiering is an S3 storage
class that automatically moves data between two access tiers based on its
access patterns. It optimizes costs by moving infrequently accessed data to a
lower-cost storage tier while keeping frequently accessed data in a more
accessible tier.

8. Amazon S3 One Zone-Infrequent Access: Amazon S3 One Zone-Infrequent
Access (S3 One Zone-IA) is a cost-effective storage class within Amazon S3 that
stores data in a single availability zone. It offers a lower-cost option for
infrequently accessed data but without the redundancy of multiple availability
zones.

9. Amazon S3 Glacier Deep Archive: Amazon S3 Glacier Deep Archive is the lowest-
cost storage class within Amazon S3. It is designed for long-term data archiving
where retrieval times of 12 hours or more are acceptable.

Methods to Find S3 Buckets in a target application:

There are multiple ways to find publicly accessible S3 buckets in a target application.
They are:

Method 1: By using Google Dorks

site: .s3.amazonaws.com "Company"

site: http://amazonaws.com inurl: " .s3.amazonaws.com/"


Method 2: Using Automated Tools (GitHub)

Slurp
Bucket Finder
S3 Scanner
Lazy S3
S3 Bucket Finder
Cloud-Enum

Method 3:

Right-click on any image of the target application and open the image in a new
tab. If the URL of the image looks like this:

http://xyz.s3.amazonaws.com/images/bI .gif,

it means that the target application is storing its data on Amazon S3 and
the bucket name is “xyz”.

Method 4: Using Burp Suite

Use Burp Suite's proxy to intercept and analyze application traffic.

Look for requests/responses containing references to S3 buckets.

Search for known S3 endpoints, such as ".s3.amazonaws.com", in the
intercepted traffic.

Method 5: Perform DNS Reconnaissance

Perform DNS reconnaissance to identify subdomains associated with the target
domain. Look for subdomains like "s3.targetdomain.com" or
"targetdomain.s3.amazonaws.com".

How to mitigate S3 Bucket Enumeration:

1. Limit Public Access: Ensure that S3 buckets are not publicly accessible by
default. Restrict access to only authenticated and authorized users or
applications.

2. Implement Proper Access Controls: Configure access control policies for S3
buckets to grant appropriate permissions to users, roles, or groups. Follow the
principle of least privilege, granting only the necessary permissions.

3. Regularly Audit Bucket Permissions: Periodically review and audit the access
permissions of your S3 buckets. Identify and revoke any excessive or
unnecessary access permissions.

4. Enable Logging and Monitoring: Enable access logging for S3 buckets and
integrate them with AWS CloudTrail. This helps you monitor and detect any
unauthorized access attempts or suspicious activities.

5. Monitor Publicly Accessible Buckets: Regularly scan your AWS environment for
any publicly accessible S3 buckets using automated tools or services. Identify
and rectify any unintended public access configurations.

6. Regularly Update and Patch: Keep your AWS infrastructure, including S3, up to
date with the latest patches and security updates. This helps protect against
known vulnerabilities and exploits.
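Mitigation 4 above calls for access logging, and enumeration of a public bucket shows up in those logs as requests with no authenticated requester. The Python below is an added example, not part of the original document: it parses the leading fields of S3 server access log lines (the format S3 writes to the logging target bucket, where an unauthenticated requester appears as "-") and flags anonymous bucket listings, anonymous object reads, and anonymous requests the bucket policy denied. The log lines are constructed samples using placeholder ids and documentation IP ranges.

```python
import re

# Leading fields of an S3 server access log line; the trailing fields are not needed.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+)'
)

def parse_line(line):
    """Return the leading fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Label one parsed entry, or None when benign. S3 writes '-' as the
    requester for unauthenticated (anonymous) calls."""
    if entry["requester"] != "-":
        return None
    op, status = entry["operation"], entry["status"]
    if status == "200" and op == "REST.GET.BUCKET":
        return "anonymous-listing"       # keys enumerated without credentials
    if status == "200" and op.startswith("REST.GET.OBJECT"):
        return "anonymous-object-read"   # object served to an anonymous caller
    if status == "403":
        return "anonymous-denied"        # probing that the bucket policy blocked
    return None

def scan(lines):
    """Run classify over raw log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        label = classify(entry) if entry else None
        if label:
            findings.append((label, entry["ip"], entry["operation"], entry["key"]))
    return findings

# Constructed sample lines: placeholder owner/request ids, documentation IP ranges.
SAMPLE_LOG = [
    'OWNERIDEXAMPLE example-bucket [14/Mar/2024:10:15:02 +0000] 198.51.100.7 OWNERIDEXAMPLE '
    '1A2B3C4DEXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /example-bucket/reports/q1.pdf HTTP/1.1" 200 - 48213 48213 21 19 "-" "aws-cli/2.15.0" -',
    'OWNERIDEXAMPLE example-bucket [14/Mar/2024:10:16:40 +0000] 203.0.113.9 - '
    '5E6F7A8BEXAMPLE REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 1534 - 12 11 "-" "curl/8.4.0" -',
    'OWNERIDEXAMPLE example-bucket [14/Mar/2024:10:16:58 +0000] 203.0.113.9 - '
    '9C0D1E2FEXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /example-bucket/reports/q1.pdf HTTP/1.1" 200 - 48213 48213 25 22 "-" "curl/8.4.0" -',
    'OWNERIDEXAMPLE example-bucket [14/Mar/2024:10:17:13 +0000] 203.0.113.9 - '
    '3A4B5C6DEXAMPLE REST.GET.OBJECT internal/config.json "GET /example-bucket/internal/config.json HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.4.0" -',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same source address producing a listing followed by object reads and a denied request is the pattern an enumeration tool leaves behind, and a single anonymous listing with status 200 is already proof the bucket is public.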
