Penetration Testing AWS Storage


AWS Configuration

#Install AWS CLI
curl "" -o ""
sudo ./aws/install

aws configure --profile <PROFILE_NAME>


  • There are 2 ways to access a bucket:

    • Bucket:

    • Static Website: All S3 buckets, when configured for web hosting, are given an AWS domain you can use to browse to it without setting up your own DNS. (eg:

  • When hosting a site as an S3 bucket, the bucket name ( must match the domain name (

  • Two people cannot have buckets with the same name. The result of this is you could create a bucket named and Apple would never be able to host their main site via S3 hosting.

  • Amazon provides information on managing access controls for buckets here. Furthermore, Amazon helps their users by publishing a best practices document on public access considerations around S3 buckets. The default configuration of an S3 bucket is private.

Common S3 Misconfigurations

  • Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to a bucket.

  • Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This unfortunately means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.

  • Improper ACL Permissions – The ACL of the bucket has its own permissions, which are often found to be world readable. This does not necessarily imply a misconfiguration of the bucket itself; however, it may reveal which users have what type of access.

Passive Recon

Identify Region

  • US Standard =

  • Ireland =

  • Northern California =

  • Singapore =

  • Tokyo =

dig <domain>
nslookup <domain>

nslookup <IP>

  • You could also use the GUI tool cyberduck to browse this bucket and it will figure out the region automatically.

Active Recon

Identify Bucket

  • Check with a combination of subdomains, domains, and top level domains to determine if your target has a bucket on S3.

  • For example, if we were to search for an S3 bucket belonging to, we might try bucket names, and

S3 Bucket URL given by Amazon :[bucket_name]/

Exploiting S3 Permissions

  • If the command returns a directory listing, you’ve successfully found a bucket with unfettered access permissions.

#Check for view access:
sudo aws s3 ls s3://$bucketname/ --no-sign-request --region $region  [ --recursive]
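The listing command above only tests the first of the three misconfigurations listed earlier. The following audit helper is an added example, not part of these notes; it runs the same `aws s3 ls` probe twice (unsigned, then signed with a profile's credentials) and an anonymous `get-bucket-acl`, so one run reports whether a bucket you are responsible for is unauthenticated, semi-public, private, or has a world-readable ACL. It assumes the aws CLI from the setup section is installed and that `PROFILE` (a hypothetical variable, default `default`) names a configured profile holding any valid AWS key.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. Assumes the aws CLI from
# the setup section is installed and that PROFILE names a configured profile
# (default "default") holding any valid AWS key, as the semi-public test needs.

# Map the exit status and output of one `aws s3 ls` attempt to a verdict.
# The error codes matched are the ones the CLI prints for S3 access failures.
classify_listing() {
  status="$1"; output="$2"
  if [ "$status" -eq 0 ]; then
    echo LISTABLE
  elif printf '%s' "$output" | grep -q 'NoSuchBucket'; then
    echo NO_SUCH_BUCKET
  elif printf '%s' "$output" | grep -Eq 'AccessDenied|AllAccessDisabled'; then
    echo DENIED
  else
    echo ERROR
  fi
}

# One listing attempt. $1 bucket, $2 region, $3 "anon" (unsigned request,
# as in the notes) or "auth" (signed with the profile's credentials).
probe_listing() {
  if [ "$3" = anon ]; then extra="--no-sign-request"; else extra="--profile ${PROFILE:-default}"; fi
  out=$(aws s3 ls "s3://$1/" --region "$2" $extra 2>&1) && status=0 || status=$?
  classify_listing "$status" "$out"
}

# Reduce the two probes to the categories from "Common S3 Misconfigurations".
summarize() {
  case "$1:$2" in
    LISTABLE:*)       echo UNAUTHENTICATED ;;   # anyone can list
    DENIED:LISTABLE)  echo SEMI_PUBLIC ;;       # "authenticated users" grant
    NO_SUCH_BUCKET:*) echo NO_SUCH_BUCKET ;;
    *)                echo PRIVATE ;;           # not listable from either vantage (or an error)
  esac
}

# Full check for one bucket: listing as anonymous and as any AWS user, plus
# whether the bucket ACL itself can be read anonymously (READ_ACP for AllUsers).
audit_bucket() {
  anon=$(probe_listing "$1" "$2" anon)
  auth=$(probe_listing "$1" "$2" auth)
  if aws s3api get-bucket-acl --bucket "$1" --region "$2" --no-sign-request >/dev/null 2>&1
  then acl=ACL_WORLD_READABLE; else acl=ACL_NOT_READABLE; fi
  printf '%s\t%s\t%s\n' "$1" "$(summarize "$anon" "$auth")" "$acl"
}
```

Run it as `audit_bucket <bucket_name> <region>`; a SEMI_PUBLIC or ACL_WORLD_READABLE result is the finding to fix with the bucket policy and Block Public Access settings.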
