🛡️ Pentesting AWS S3 Buckets: Techniques, Tools, and Exploits

Amazon S3 (Simple Storage Service) is a widely used storage service on AWS and one of the most exploited attack surfaces due to frequent misconfigurations. In this blog post, we’ll explore how attackers find and exploit S3 vulnerabilities, how to test your own infrastructure, and what tools and techniques are used in real world scenarios.

📦 Understanding S3 Permissions and Policies

S3 buckets use two permission models:

Access Control Policies (ACPs): Simplified, often used via Web UI.
IAM Access Policies: JSON based, granular control over permissions.

🧱 Bucket vs Object Permissions

Bucket permissions act as a "master key" users need access to the bucket before they can interact with its contents.
Object permissions can then further restrict access at the file level.

🧰 CLI Access to S3 Buckets

To interact with buckets via the AWS CLI:

🔧 Setup

1sudo apt install awscli
2aws configure

Enter your Access Key ID and Secret Key (from your AWS Console).

📂 Listing Contents

1aws s3 ls s3://bucket
2aws s3 ls s3://bucket/new

📤 Uploading Files

1aws s3 cp abc.txt s3://bucket/new/abc.txt

🗑️ Deleting Files

1aws s3 rm s3://bucket/new/abc.txt

🔐 Access Control Lists (ACLs)

ACLs provide fine grained permissions

read – View objects and metadata
write – Upload and delete
read-acp – View ACLs
write-acp – Modify ACLs

Each grantee (user or group) can have up to 20 ACL rules per object.

Note: IAM users are not considered grantees.

📜 Bucket & IAM Policies

Policies define who can access what, using JSON:

🧾 Sample Bucket Policy

1{
2"Version": "2008-02-27",
3"Statement": [{
4  "Effect": "Allow",
5  "Principal": {
6    "AWS": "arn:aws:iam::Account-ID:user/username"
7  },
8  "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
9  "Resource": ["arn:aws:s3:::bucket"]
10}]
11}

Use bucket policies for broader control, and IAM policies when assigning access to specific users across multiple buckets.

🕵️ Enumerating and Dumping S3 Buckets with AWSBucketDump

🔍 Installing AWSBucketDump

1git clone https://github.com/jordanpotti/AWSBucketDump
2cd AWSBucketDump
3pip install -r requirements.txt

📝 Configure Wordlist

Add organization specific prefixes

1vim BucketNames.txt
2:%s/^/<prefix>-/g
3:wq

🧪 Run AWSBucketDump

1touch found.txt
2python AWSBucketDump.py -D -l BucketNames.txt -g interesting_Keywords.txt

This tool brute forces S3 bucket names and searches for sensitive files using a keyword list.

☠️ JavaScript Injection in S3 Buckets

If a web app loads JS from a publicly writeable S3 bucket, an attacker can replace legitimate files.

💣 Demo Attack

1// vulnscript.js
2alert("XSS");

Upload malicious script

1aws s3 cp vulnscript.js s3://bucket/vulnscript.js --acl public-read

When a user loads the site, the script runs as if it’s part of the application.

🧬 Backdooring with Unclaimed S3 Buckets

Sometimes, apps request files from non existent S3 buckets, especially when subdomains point to deleted buckets via CNAME.

📌 Exploit Steps:

Detect 404 pages with NoSuchBucket
Register the missing bucket in the same region
Upload malware to the new bucket
Victims visiting the site get served the attacker’s content

📂 Case Study: Persistent Access via Installer Hijack

If an app downloads files from an S3 bucket and executes them:

An attacker hijacking the bucket can upload .tgz or script files
These get executed on the user’s machine
Example: HackerOne Report #399166

🧠 Summary

S3 permission models and policy structures
Uploading/downloading via AWS CLI
Enumeration with AWSBucketDump
Real world exploitation examples like JS injection and backdooring

🔐 Defensive Best Practices

Block public write access unless explicitly required
Use S3 Block Public Access settings
Review all IAM and bucket policies for least privilege
Enable S3 Access Logging and monitor for suspicious uploads
Use AWS Config to enforce compliance rules (e.g., “no public buckets”)

← Previous: Privilege Escalation