Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nccgroup/s3_objects_check
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
https://github.com/nccgroup/s3_objects_check
aws s3 security
Last synced: about 2 months ago
JSON representation
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
- Host: GitHub
- URL: https://github.com/nccgroup/s3_objects_check
- Owner: nccgroup
- License: mit
- Created: 2020-09-21T07:48:30.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2022-03-04T18:02:44.000Z (over 2 years ago)
- Last Synced: 2024-05-08T12:30:57.676Z (4 months ago)
- Topics: aws, s3, security
- Language: Python
- Homepage:
- Size: 12.7 KB
- Stars: 72
- Watchers: 12
- Forks: 14
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - s3_objects_check - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files. (Miscellaneous / Buckets)
- awesome-cloud-security - s3_objects_check
- awesome-hacking-lists - nccgroup/s3_objects_check - Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files. (Python)
README
# S3 Objects Check
## Description
Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.
Allows identifying publicly accessible objects, as well as objects accessible for `AuthenticatedUsers` (by using a secondary profile).
A number of tools exist which check permissions on buckets, but due to the complexity of IAM resource policies and ACL combinations, the effective permissions on specific objects is often hard to assess.
The tool runs fast as it uses [asyncio](https://docs.python.org/3/library/asyncio.html) and [aiobotocore](https://github.com/aio-libs/aiobotocore).
## Setup
### Permissions
The tool leverages two [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html):
- `WHITEBOX_PROFILE` - this profile should have read access to the S3 service. It will be used to list buckets and objects, which the tool will then attempt to access via **unauthenticated** requests. It's not used to access the objects, only to list them.
- `BLACKBOX_PROFILE` - in addition to the unauthenticated requests, the tool will use this profile to identify objects accessible to the "[Authenticated Users group](https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#specifying-grantee-predefined-groups)" (`AuthenticatedUsers`). This profile should **not** have access to the S3 buckets/objects, otherwise it will raise false positives.
### Dependencies
Setup a virtual environment and install dependencies:
```shell script
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip -r requirements.txt
```
## Usage
Options:
```shell script
$ python s3-objects-check.py -h
usage: s3-objects-check.py [-h] -p WHITEBOX_PROFILE -e BLACKBOX_PROFILE [-d]
Whitebox evaluation of effective S3 object permissions, to identify publicly
accessible files.
optional arguments:
-h, --help show this help message and exit
-p WHITEBOX_PROFILE, --profile WHITEBOX_PROFILE
The profile with access to the desired AWS account and
buckets
-e BLACKBOX_PROFILE, --profile-external BLACKBOX_PROFILE
An "external" profile to test for 'AuthenticatedUsers'
permissions. This principal should not have
permissions to read bucket objects.
-d, --debug Verbose output. Will also create a log file
```
Run the tool:
```shell script
$ python s3-objects-check.py -p whitebox-profile -e blackbox-profile
2020-11-24 11:19:56 host object-check[371] INFO Starting
2020-11-24 11:20:08 host object-check[371] WARNING Found https://.s3.us-east-1.amazonaws.com/ allowing "AllUsers"
2020-11-24 11:20:09 host object-check[371] WARNING Found https://.s3.eu-west-2.amazonaws.com/ allowing "AuthenticatedUsers"
2020-11-24 11:21:34 host object-check[371] INFO Done
```