I previous post: S3 buckets audit: check bucket existence, public access level, etc - without having access to target AWS account I described and released tool to audit s3 buckets even without access to the AWS account these buckets belong to.
But what about if I have access to the bucket's account or I would like to audit all buckets in my AWS account?
These features have been addressed in the new release of the s3 audit tool:
https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws
$python aws_test_bucket.py --profile prod-read --bucket bucket2test
$python aws_test_bucket.py --profile prod-read --file aws
$python aws_test_bucket.py --profile prod-read --file buckets.list
-P AWS_PROFILE, --profile=AWS_PROFILE
Please specify AWS CLI profile
-B BUCKET, --bucket=BUCKET
Please provide bucket name
-F FILE, --file=FILE Optional: file with buckets list to check or aws to check all buckets in your account
But what about if I have access to the bucket's account or I would like to audit all buckets in my AWS account?
These features have been addressed in the new release of the s3 audit tool:
https://github.com/IhorKravchuk/it-security/tree/master/scripts.aws
$python aws_test_bucket.py --profile prod-read --bucket bucket2test
$python aws_test_bucket.py --profile prod-read --file aws
$python aws_test_bucket.py --profile prod-read --file buckets.list
-P AWS_PROFILE, --profile=AWS_PROFILE
Please specify AWS CLI profile
-B BUCKET, --bucket=BUCKET
Please provide bucket name
-F FILE, --file=FILE Optional: file with buckets list to check or aws to check all buckets in your account
Note:
--profile=AWS_PROFILE - yours AWS access profile (from aws cli). This profile might or might not have access to the audited bucket (we need this just to become Authenticated User from AWS point of view ).
If AWS_PROFILE allows authorised access to the bucket being audited - tool will fetch bucket's ACLs, Policies and S3 Static Web setting and perform authorised audit.
If AWS_PROFILE does not allow authorised access - tool will work in pentester mode
You can specify:
- one bucket to check using --bucket option
- file with list of buckets(one bucket name per line) using --file option
- all buckets in your AWS account (accessible using AWS_PROFILE) using --file=aws option
Based on the your AWS profile limitations tool will provide you:
- indirect scan results (AWS_profile have no API access to the bucket being audited)
- validated scan results based on you s3 buckets settings like ACL, bucket policy and s3 website config. (AWS_profile have API access to the bucket being audited )
Enjoy and stay secured.
PS. Currently tool does not support bucket check for Frankfurt region (AWS Signature Version 4). Working on it.
Just admiring your work and wondering how you managed this blog so well. It’s so remarkable that I can't afford to not go through this valuable information whenever I surf the internet! Scum buckets
ReplyDeleteI really impressed after read this because of some quality work and informative thoughts . I just wanna say thanks for the writer and wish you all the best for coming!. Scumbuckets
ReplyDeleteThis is a good post. This post gives truly quality information. I’m definitely going to look into it. Really very useful tips are provided here. Thank you so much. Keep up the good works. Scum bucket
ReplyDelete