{"id":13542346,"url":"https://github.com/nccgroup/s3_objects_check","last_synced_at":"2025-04-26T04:31:07.240Z","repository":{"id":43654779,"uuid":"297266573","full_name":"nccgroup/s3_objects_check","owner":"nccgroup","description":"Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.","archived":false,"fork":false,"pushed_at":"2022-03-04T18:02:44.000Z","size":13,"stargazers_count":76,"open_issues_count":2,"forks_count":16,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-04-04T07:51:09.939Z","etag":null,"topics":["aws","s3","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-09-21T07:48:30.000Z","updated_at":"2025-02-02T05:06:16.000Z","dependencies_parsed_at":"2022-08-22T17:50:52.768Z","dependency_job_id":null,"html_url":"https://github.com/nccgroup/s3_objects_check","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fs3_objects_check","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fs3_objects_check/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fs3_objects_check/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fs3_objects_check/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/s3_objects_c
heck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250931004,"owners_count":21509796,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","s3","security"],"created_at":"2024-08-01T10:01:05.216Z","updated_at":"2025-04-26T04:31:07.009Z","avatar_url":"https://github.com/nccgroup.png","language":"Python","readme":"# S3 Objects Check\n\n## Description\n\nWhitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.\n\nAllows identifying publicly accessible objects, as well as objects accessible to `AuthenticatedUsers` (by using a secondary profile). \nA number of tools exist which check permissions on buckets, but due to the complexity of IAM resource policies and ACL combinations, the effective permissions on specific objects are often hard to assess.\nThe tool runs fast as it uses [asyncio](https://docs.python.org/3/library/asyncio.html) and [aiobotocore](https://github.com/aio-libs/aiobotocore).\n\n## Setup\n\n### Permissions\n\nThe tool leverages two [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html):\n- `WHITEBOX_PROFILE` - this profile should have read access to the S3 service. It will be used to list buckets and objects, which the tool will then attempt to access via **unauthenticated** requests. 
It's not used to access the objects, only to list them.\n- `BLACKBOX_PROFILE` - in addition to the unauthenticated requests, the tool will use this profile to identify objects accessible to the \"[Authenticated Users group](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee-predefined-groups)\" (`AuthenticatedUsers`). This profile should **not** have access to the S3 buckets/objects, otherwise it will raise false positives.\n\n### Dependencies\n\nSet up a virtual environment and install dependencies:\n\n```shell script\n$ virtualenv -p python3 venv\n$ source venv/bin/activate\n$ pip install -r requirements.txt\n```\n\n## Usage\n\nOptions:\n\n```shell script\n$ python s3-objects-check.py -h\n\nusage: s3-objects-check.py [-h] -p WHITEBOX_PROFILE -e BLACKBOX_PROFILE [-d]\n\nWhitebox evaluation of effective S3 object permissions, to identify publicly\naccessible files.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -p WHITEBOX_PROFILE, --profile WHITEBOX_PROFILE\n                        The profile with access to the desired AWS account and\n                        buckets\n  -e BLACKBOX_PROFILE, --profile-external BLACKBOX_PROFILE\n                        An \"external\" profile to test for 'AuthenticatedUsers'\n                        permissions. This principal should not have\n                        permissions to read bucket objects.\n  -d, --debug           Verbose output. 
Will also create a log file\n```\n\nRun the tool:\n\n```shell script\n\n$ python s3-objects-check.py -p whitebox-profile -e blackbox-profile                                                                                        \n\n2020-11-24 11:19:56 host object-check[371] INFO Starting\n2020-11-24 11:20:08 host object-check[371] WARNING Found https://\u003cbucket\u003e.s3.us-east-1.amazonaws.com/\u003cobject\u003e allowing \"AllUsers\"\n2020-11-24 11:20:09 host object-check[371] WARNING Found https://\u003cbucket\u003e.s3.eu-west-2.amazonaws.com/\u003cobject\u003e allowing \"AuthenticatedUsers\"\n2020-11-24 11:21:34 host object-check[371] INFO Done\n```","funding_links":[],"categories":["Miscellaneous","Projects","Python (1887)","Python"],"sub_categories":["Buckets","Automated Security Assessment"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fs3_objects_check","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fs3_objects_check","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fs3_objects_check/lists"}