S3 Bucket Misconfiguration
Introduction
AWS S3 (Simple Storage Service) buckets are a popular storage service used by software companies and organizations to store public as well as sensitive data. However, the service is not always configured correctly: a single missing or overly permissive access policy can introduce security risks, data leaks, or other unintended consequences.
Testing for misconfigured list permissions in AWS S3
The most basic test we can perform on an AWS S3 bucket is checking its list permissions. Previously, AWS S3 buckets had list permissions enabled by default, but that has since changed: newly created buckets have list permissions disabled by default, and developers and admins now need to explicitly declare a policy that allows S3 listing.
We can, however, still test for list permissions on our target AWS S3 bucket by running the following command:
aws s3 ls s3://{BUCKET_NAME} --no-sign-request

Testing for misconfigured download permissions in AWS S3
To quickly check if we can download and read files, we can use the cp subcommand:
aws s3 cp s3://{BUCKET_NAME}/<file name> ./ --no-sign-request
Make sure to replace the filename and bucket name in the command above.
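The two tests above (anonymous listing and anonymous download) correspond to bucket-policy statements that grant s3:ListBucket or s3:GetObject to an anonymous principal. The following is an added example, not part of the original page, that inspects a bucket policy document for exactly those grants so an owner can find the misconfiguration before someone else does; the policy, bucket name and account id are constructed sample values.

```python
import json
import fnmatch

# Constructed sample bucket policy (not from any real bucket): the first two
# statements grant anonymous ListBucket and GetObject, the third is scoped to
# a single account and is therefore not public.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# The two actions behind the "aws s3 ls" and "aws s3 cp" checks on this page.
WATCHED = {"s3:ListBucket": "anonymous listing", "s3:GetObject": "anonymous download"}


def _is_anonymous(principal) -> bool:
    """True if the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_grants(policy_json: str) -> list[dict]:
    """Return each watched action that an Allow statement grants to an anonymous principal."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for action, label in WATCHED.items():
            # Wildcard actions such as "s3:*" or "s3:Get*" also cover the watched action.
            if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
                findings.append({"action": action, "risk": label,
                                 "conditional": "Condition" in stmt})
    return findings


if __name__ == "__main__":
    for finding in public_grants(SAMPLE_POLICY):
        print(finding)
```

A finding flagged as conditional still deserves review, since the Condition may only narrow the grant to a source IP or similar rather than remove public access; the policy text itself can be fetched by the bucket owner with aws s3api get-bucket-policy.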