AWS Pentesting Cheat Sheet (S3)
Reference
S3 Bucket Enumeration Cheat Sheet
1. List Buckets in the Authenticated Account
aws s3 ls
2. Check if a Bucket Exists (No Auth)
aws s3 ls s3://[bucket-name] --no-sign-request
3. List Contents of a Public or Accessible Bucket
aws s3 ls s3://[bucket-name]/[optional-path] --no-sign-request
4. Download an Object
aws s3 cp s3://[bucket-name]/[key] [local-file] --no-sign-request
5. Upload a File (Test Write Access)
Only succeeds if the bucket grants write access to the caller.
aws s3 cp test.txt s3://[bucket-name]/test.txt
6. Enumerate Bucket Permissions (Authenticated)
a. Get bucket policy
aws s3api get-bucket-policy --bucket [bucket-name]
b. Get bucket ACL (Access Control List)
aws s3api get-bucket-acl --bucket [bucket-name]
c. Get Public Access Block settings
aws s3api get-bucket-public-access-block --bucket [bucket-name]
d. Get CORS configuration (may hint at XSS vectors)
aws s3api get-bucket-cors --bucket [bucket-name]
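As an added defender-side example (not part of the original cheat sheet): a small Python script that parses the JSON the three s3api commands in 6a-6c print and flags what an auditor looks for, namely ACL grants to the AllUsers / AuthenticatedUsers groups, Public Access Block settings left off, and unconditional Allow statements with a wildcard Principal. The sample documents are constructed; the owner ID, bucket name and Sid are placeholders.

```python
import json

# Constructed sample documents in the shape the three `aws s3api get-bucket-*`
# commands above print (not captured from any real account).
ACL_OUT = json.dumps({"Owner": {"ID": "EXAMPLEOWNERID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]})
PAB_OUT = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})
POLICY_OUT = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})})

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_public_grants(acl_json):
    """Grants made to the AllUsers / AuthenticatedUsers groups, as (permission, group URI)."""
    grants = json.loads(acl_json).get("Grants", [])
    return [(g["Permission"], g["Grantee"]["URI"]) for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def pab_gaps(pab_json):
    """Public Access Block settings that are not switched on (all four should be true)."""
    cfg = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_KEYS if not cfg.get(k, False)]


def policy_public_statements(policy_json):
    """Sids of unconditional Allow statements whose Principal is the wildcard."""
    # get-bucket-policy wraps the policy document as a JSON *string* under "Policy".
    policy = json.loads(json.loads(policy_json)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    hits = []
    for st in statements:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if st.get("Effect") == "Allow" and wildcard and "Condition" not in st:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

Feed each function the stdout of the matching command (for example `aws s3api get-bucket-acl --bucket NAME --output json`); a non-empty result from any of the three is a finding to review.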
7. List All Buckets & Objects (If Compromised Creds)
aws s3api list-buckets
aws s3api list-objects --bucket [bucket-name] --output table
This post is licensed under CC BY 4.0 by the author.