Penetration Testing AWS Storage
Reference:
AWS Configuration
Theory
There are 2 ways to access a bucket:
Bucket: http://bucketname.s3.amazonaws.com
Static Website: Any S3 bucket configured for web hosting is given an AWS domain you can use to browse to it without setting up your own DNS (e.g. s3-website-us-west-2.amazonaws.com).
When hosting a site as an S3 bucket, the bucket name (flaws.cloud) must match the domain name (flaws.cloud).
Two people cannot have buckets with the same name. The result of this is that you could create a bucket named apple.com and Apple would never be able to host their main site via S3 hosting.
Amazon provides information on managing access controls for buckets here. Furthermore, Amazon helps their users by publishing a best practices document on public access considerations around S3 buckets. The default configuration of an S3 bucket is private.
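The two URL styles above (virtual-hosted bucket URL and static-website endpoint), plus the path-style form used with regional endpoints, can be told apart mechanically. The parser below is an added example, not code from the original page; it maps the legacy "US Standard" endpoint to us-east-1, which is an assumption of this example, and it also accepts the newer dot-separated regional hosts (s3.<region>.amazonaws.com), which the page does not list.

```python
"""Parse the S3 URL forms described above into bucket, region and style.

Added example (not from the original page). Useful for inventorying which
of your own hostnames resolve to S3 and which bucket they point at.
"""
import re
from urllib.parse import urlparse

# Assumption of this example: the legacy "US Standard" endpoint
# (s3.amazonaws.com) is treated as region us-east-1.
LEGACY_REGION = "us-east-1"

# Matches:
#   bucket.s3.amazonaws.com                 virtual-hosted, legacy region
#   bucket.s3-<region>.amazonaws.com        virtual-hosted, dash-separated region
#   bucket.s3.<region>.amazonaws.com        virtual-hosted, dot-separated region
#   bucket.s3-website-<region>.amazonaws.com  static website endpoint
#   s3.amazonaws.com / s3-<region>.amazonaws.com  path-style (bucket in path)
HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.\-]+)\.)?"        # optional virtual-hosted bucket label(s)
    r"s3(?P<website>-website)?"                 # "s3" or "s3-website"
    r"(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?"  # optional region, "-" or "." separated
    r"\.amazonaws\.com$"
)


def parse_s3_url(url):
    """Return {"bucket", "region", "style"} for an S3 URL, or None if the
    host is not an S3 endpoint. "bucket" is None for a path-style URL with
    no bucket segment in the path."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = parsed.hostname or ""
    match = HOST_RE.match(host)
    if not match:
        return None

    bucket = match.group("bucket")
    region = match.group("region") or LEGACY_REGION
    if match.group("website"):
        style = "website"
    elif bucket is not None:
        style = "virtual-hosted"
    else:
        # Path-style: the first path segment names the bucket.
        style = "path"
        segments = [s for s in parsed.path.split("/") if s]
        bucket = segments[0] if segments else None
    return {"bucket": bucket, "region": region, "style": style}


if __name__ == "__main__":
    # Constructed sample inputs using the URL forms from the page above.
    for sample in (
        "http://bucketname.s3.amazonaws.com",
        "http://flaws.cloud.s3-website-us-west-2.amazonaws.com/index.html",
        "http://s3-eu-west-1.amazonaws.com/bucketname/some/key",
        "https://example.com/",
    ):
        print(sample, "->", parse_s3_url(sample))
```

Note that the bucket label may itself contain dots (flaws.cloud above), so the host regex lets the bucket group be greedy and backtracks to the last ".s3" label rather than splitting on the first dot.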
Common S3 Misconfigurations
Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to the bucket.
Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This unfortunately means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.
Improper ACL Permissions – The ACL of the bucket has its own permissions, which are often found to be world readable. This does not necessarily imply a misconfiguration of the bucket itself; however, it may reveal which users have what type of access.
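All three misconfigurations above show up in the bucket's ACL as grants to one of two predefined groups: AllUsers (anonymous) and AuthenticatedUsers (any AWS account). The audit below is an added example, not code from the original page; it takes an ACL document in the shape returned by the GetBucketAcl API (Owner and Grants), the sample ACL is constructed for this example, and the optional PublicAccessBlockConfiguration argument uses the real IgnorePublicAcls setting, which makes S3 ignore public ACL grants even when they are present.

```python
"""Audit an S3 bucket ACL document for the misconfigurations listed above.

Added example (not from the original page). Input is the dict shape that
GetBucketAcl returns: {"Owner": {...}, "Grants": [{"Grantee": ..., "Permission": ...}]}.
"""

# Predefined S3 groups that appear as Grantee URIs in an ACL.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# What each bucket-level ACL permission lets the grantee do.
PERMISSION_EFFECT = {
    "READ": "list objects in the bucket",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change the bucket ACL",
    "FULL_CONTROL": "all of the above",
}


def audit_bucket_acl(acl, public_access_block=None):
    """Return one finding per grant to AllUsers or AuthenticatedUsers.

    exposure is "unauthenticated" (anonymous access) or "semi-public"
    (any AWS account). mitigated is True when the account or bucket has
    IgnorePublicAcls enabled, in which case S3 ignores these grants."""
    ignore_public_acls = bool((public_access_block or {}).get("IgnorePublicAcls"))
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are explicit, not "public"
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            exposure = "unauthenticated"
        elif uri == AUTHENTICATED_USERS:
            exposure = "semi-public"
        else:
            continue  # e.g. the LogDelivery group
        permission = grant.get("Permission")
        findings.append({
            "exposure": exposure,
            "permission": permission,
            "effect": PERMISSION_EFFECT.get(permission, "unknown permission"),
            "mitigated": ignore_public_acls,
        })
    return findings


def acl_is_world_readable(acl, public_access_block=None):
    """True when anyone can read the ACL itself (READ_ACP to AllUsers),
    the 'Improper ACL Permissions' case above."""
    return any(
        f["exposure"] == "unauthenticated"
        and f["permission"] in ("READ_ACP", "FULL_CONTROL")
        and not f["mitigated"]
        for f in audit_bucket_acl(acl, public_access_block)
    )


# Constructed sample ACL exhibiting all three misconfigurations.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for finding in audit_bucket_acl(SAMPLE_ACL):
        print(finding)
    # The same ACL with IgnorePublicAcls enabled: grants still exist but are inert.
    print(audit_bucket_acl(SAMPLE_ACL, {"IgnorePublicAcls": True}))
```

The remediation for every finding is the same: remove the group grant and enable S3 Block Public Access (BlockPublicAcls and IgnorePublicAcls) at the account level, so a later ACL change cannot silently reopen the bucket.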
Passive Recon
Identify Region
US Standard = http://s3.amazonaws.com
Ireland = http://s3-eu-west-1.amazonaws.com
Northern California = http://s3-us-west-1.amazonaws.com
Singapore = http://s3-ap-southeast-1.amazonaws.com
Tokyo = http://s3-ap-northeast-1.amazonaws.com
You could also use the GUI tool Cyberduck to browse a bucket; it will figure out the region automatically.
Active Recon
Identify Bucket
Check with a combination of subdomains, domains, and top level domains to determine if your target has a bucket on S3.
For example, if we were to search for an S3 bucket belonging to www.rhinosecuritylabs.com, we might try bucket names rhinosecuritylabs.com, and www.rhinosecuritylabs.com.
S3 Bucket URL given by Amazon:
Exploiting S3 Permissions
If the command returns a directory listing, you’ve successfully found a bucket with unfettered access permissions.