S3

When you’re reviewing S3 security, here are things you should always check:

• Buckets with excessive access (public read, public write, or accessible by low-privileged identities)

• Bucket policies that allow broad or unintended access (for example "Principal": "*", cross-account access, or weak/misconfigured conditions)

• Permissions that use wildcards such as "Action": "s3:*" or unrestricted bucket/object ARNs (arn:aws:s3:::bucket/*)

• Buckets with write access that allow object upload, overwrite, or deletion (PutObject, DeleteObject)

• AWS services or Lambda functions that read from or write to S3 buckets you can control (S3 as input/output for execution)

• S3 buckets used as deployment sources (Lambda code, CloudFormation templates, CI/CD artifacts)

• Buckets containing sensitive data (logs, backups, Terraform state files, database dumps, .env files)

• Exposed secrets stored in S3 (API keys, credentials, tokens, certificates)

• Bucket versioning enabled (old object versions may still contain secrets)

• Bucket error pages or static website hosting indicating S3 presence (inspect source code and references)

• References to S3 buckets in application source code (hardcoded bucket names often lead to data discovery or abuse)

• Buckets without proper Public Access Block configuration

• Cross-account S3 access that may allow lateral movement between AWS accounts

# 1. List Buckets in the Authenticated Account
aws s3 ls

# 2. Check if a Bucket Exists (Unauthenticated / Public Test)
aws s3 ls s3://[bucket-name] --no-sign-request

# 3. List Contents of a Public or Accessible Bucket
aws s3 ls s3://[bucket-name]/[optional-path] --no-sign-request

# 4. Download an Object from a Public Bucket
aws s3 cp s3://[bucket-name]/[object-key] [local-file] --no-sign-request

# 5. Upload a File (Test Write Access - Authenticated)
echo "test" > test.txt
aws s3 cp test.txt s3://[bucket-name]/test.txt

# 6. Enumerate Bucket Permissions (Authenticated)

# 6a. Get Bucket Policy (Who can access the bucket)
aws s3api get-bucket-policy --bucket [bucket-name]

# 6b. Get Bucket ACL (Legacy permissions, still relevant)
aws s3api get-bucket-acl --bucket [bucket-name]

# 6c. Get Public Access Block Configuration
aws s3api get-bucket-public-access-block --bucket [bucket-name]

# 6d. Get CORS Configuration (May hint at web abuse / XSS)
aws s3api get-bucket-cors --bucket [bucket-name]

# 7. List Objects in a Bucket (Authenticated)
aws s3api list-objects --bucket [bucket-name]

# 8. Recursively List All Objects (High value for recon)
aws s3 ls s3://[bucket-name] --recursive

# 9. Download Entire Bucket (If Read Access is Allowed)
aws s3 sync s3://[bucket-name] ./[local-folder]

# 10. Check Bucket Location (Region matters for exploits)
aws s3api get-bucket-location --bucket [bucket-name]

# 11. Check Bucket Versioning (Old secrets may exist)
aws s3api get-bucket-versioning --bucket [bucket-name]

# 12. List Object Versions (If versioning enabled)
aws s3api list-object-versions --bucket [bucket-name]

# 13. Look for Common Sensitive Files
# (terraform.tfstate, backups, logs, .env, credentials)
aws s3 ls s3://[bucket-name] --recursive | grep -Ei \
"tfstate|backup|dump|log|env|cred|secret|key|config"

# 14. Test Delete Permission (Dangerous - use carefully)
aws s3 rm s3://[bucket-name]/test.txt

# 15. Enumerate All Buckets via API (Same as aws s3 ls but raw)
aws s3api list-buckets