S3 Buckets

What is an S3 Bucket?

  • An AWS S3 bucket is a simple yet powerful object storage service that allows you to store and retrieve any amount of data from anywhere on the web. It is designed to offer unlimited scalability, high availability, and durability, making it an ideal solution for businesses of any size. With AWS S3 bucket, you can store and access your data securely, and easily manage permissions to control who has access to your data. It is a cost-effective storage solution that offers a pay-as-you-go pricing model, making it an affordable option for businesses of any size.

URL Format

  • S3 buckets have to be globally unique because they have a URL e.g.,
    • https://[bucketName]
    • https://s3-[region][OrgName]

Lookup Region

  • nslookup and similar tools can identify the region an S3 bucket resides in
# nslookup https://[bucketName]
tyler@box:~$ nslookup
Non-authoritative answer: canonical name = canonical name =

Code Injection

  • If an S3 bucket hosting a static website permits the mv command, someone could maliciously replace the webpage with another

Domain Hijacking

  • S3 buckets can host static websites with a domain name by utilizing a DNS CNAME record that points the domain to the S3 bucket hosting the website
  • The S3 bucket needs to be named the same as the domain name
  • If the S3 bucket gets deleted but the DNS CNAME record continues to exist, anyone in the world can create an S3 bucket with the same domain name and now the traffic will be routed to the new bucket
  • If a bucket was deleted but the CNAME record still exists, a 404 Not Found error occurs and provides the name of the domain (i.e., the bucket name)
A deleted S3 bucket still tied to a domain returns a 404 error and name of the bucket

Finding Exposed Buckets

  • Since all S3 buckets have a unique URL, they can be automatically found
  • can be used for this, repo here.

How it Works

  • Pass the script a keyword i.e., this is part of the bucket name e.g., tyler
  • The keyword is mutated e.g., tyler234
  • A DNS lookup is done, this is possible because all AWS S3 buckets have a URL
  • If the DNS lookup is found, the script tries to list the bucket contents (ListBucket)
  • Of course, anyone can create a bucket named Facebook so it doesn't mean Facebook actually owns it
# python3 ./ -k tylerexposedbucket234 --disable-gcp --disable-azure
[+] Checking for S3 buckets
Protected S3 Bucket:
Protected S3 Bucket:
Protected S3 Bucket:
Protected S3 Bucket: