Enumerate AWS Public Resources
Public resources like EBS and RDS snapshots or SSM Documents can lead to data and credential leaks.
Dangers of Public Resources
Many AWS resources can become public, whether intentionally or not, and these resources may contain sensitive data and/or credentials that may lead to a compromised environment
There are legitimate use cases for exposing resources publicly (such as providing customers with easy access), but due diligence should be performed to ensure these resources do not contain sensitive data or credentials
S3 Buckets
Since all S3 buckets have a unique URL, they can be discovered automatically
cloud_enum works by brute-forcing bucket names and reporting whether each bucket exists based on HTTP status codes. If a bucket is discovered, it attempts to list its contents (s3:ListBucket)
# python3 ./cloud_enum.py -k tylerexposedbucket234 --disable-gcp --disable-azure
[+] Checking for S3 buckets
OPEN S3 BUCKET: http://tylerexposedbucket234.s3.amazonaws.com/
FILES:
->http://tylerexposedbucket234.s3.amazonaws.com/tylerexposedbucket234
->http://tylerexposedbucket234.s3.amazonaws.com/dogs.txt
->http://tylerexposedbucket234.s3.amazonaws.com/secrets.txt
Protected S3 Bucket: http://tyler.s3.amazonaws.com/
Protected S3 Bucket: http://tyler1.s3.amazonaws.com/
Protected S3 Bucket: http://tyler-1.s3.amazonaws.com/
Protected S3 Bucket: http://tyler2.s3.amazonaws.com/
EBS Snapshots
EBS Snapshots are backups of EC2 instances
dsnap is a useful tool for downloading snapshots for local inspection; otherwise, you can create an EC2 instance in your AWS account from the snapshot
aws ec2 describe-snapshots --restorable-by-user-ids all
#!/bin/bash
# Description: Finds all public ebs snapshots in all regions for a given aws account
# account to check
account='111111111111'
# needed to correctly parse regions
IFS=$'\n'
echo "Checking all regions in AWS account $account"
# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')
# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public EBS snapshots in region: $region"
    # check for snapshots in region
    aws ec2 describe-snapshots --owner-ids "$account" --restorable-by-user-ids all --region "$region" | jq -r '.Snapshots[]'
done
# reset IFS
unset IFS
RDS Snapshots
RDS Snapshots are backups of RDS Databases
aws rds describe-db-snapshots --include-public
#!/bin/bash
# Description: Finds all public rds snapshots in all regions for a given aws account
# account to check
account='111111111111'
# needed to correctly parse regions
IFS=$'\n'
echo "Checking all regions in AWS account $account"
# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')
# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public RDS snapshots in region: $region"
    # check for snapshots in region
    aws rds describe-db-snapshots --include-public --region "$region" | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'
done
# reset IFS
unset IFS
SSM Documents
SSM Documents allow for running commands and automation
These may contain sensitive information
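#!/bin/bash
# Variables: ANSI colour codes used to highlight public documents
RED="\033[31m"
RESET="\033[0m"
# names of the SSM documents owned by the account
my_ssm_docs=$(aws ssm list-documents | jq -r '.DocumentIdentifiers[] | select(.Owner | contains("111111111111")) | (.Name)')
for doc in $my_ssm_docs; do
    # account IDs the document is shared with; "all" means it is public
    status=$(aws ssm describe-document-permission --name "$doc" --permission-type Share | jq -r '.AccountIds[]')
    if [ "$status" != "all" ]; then
        echo "The $doc is not public."
    else
        # -e makes echo interpret the \033 colour escapes
        echo -e "${RED}The $doc is PUBLIC.${RESET}"
    fi
done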
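The three checks above can be combined into one triage pass over saved AWS CLI JSON output. This is an added example, not code from the original page: the sample responses are constructed, the function names are hypothetical, and it goes beyond the page's scripts by matching the owner on the account field of DBSnapshotArn instead of a substring, assuming public RDS snapshots are reported with SnapshotType "public".

```python
ACCOUNT = "111111111111"  # placeholder account ID, as in the page's scripts

def arn(acct, name):  # helper that builds constructed sample ARNs
    return f"arn:aws:rds:us-east-1:{acct}:snapshot:{name}"

# Constructed samples, shaped like the JSON the three CLI calls return.
EBS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "OwnerId": "111111111111"},
    {"SnapshotId": "snap-0bbb", "OwnerId": "222222222222"}]}
RDS = {"DBSnapshots": [
    {"DBSnapshotArn": arn("111111111111", "prod-db"), "SnapshotType": "public"},
    # another account's snapshot whose *name* contains our account ID
    {"DBSnapshotArn": arn("333333333333", "copy-111111111111"), "SnapshotType": "public"},
    {"DBSnapshotArn": arn("111111111111", "nightly"), "SnapshotType": "manual"}]}
SSM = {  # document name -> describe-document-permission response
    "deploy-app": {"AccountIds": ["all"]},
    "patch-hosts": {"AccountIds": ["222222222222", "333333333333"]},
    "private-doc": {"AccountIds": []}}

def arn_account(value):
    """Return the account field (5th, colon-separated) of an ARN, else None."""
    parts = value.split(":")
    return parts[4] if len(parts) > 5 and parts[0] == "arn" else None

def public_findings(account, ebs, rds, ssm):
    findings = []
    # EBS: output of describe-snapshots --restorable-by-user-ids all
    for snap in ebs.get("Snapshots", []):
        if snap.get("OwnerId") == account:
            findings.append(("ebs", snap["SnapshotId"]))
    # RDS: --include-public also returns the caller's own automated and manual
    # snapshots, so require the public type (assumption) and an exact owner match.
    for snap in rds.get("DBSnapshots", []):
        owner_ok = arn_account(snap.get("DBSnapshotArn", "")) == account
        if owner_ok and snap.get("SnapshotType") == "public":
            findings.append(("rds", snap["DBSnapshotArn"]))
    # SSM: public only when the literal "all" is among the shared account IDs
    for name, perm in ssm.items():
        if "all" in perm.get("AccountIds", []):
            findings.append(("ssm", name))
    return findings

if __name__ == "__main__":
    for kind, ident in public_findings(ACCOUNT, EBS, RDS, SSM):
        print(f"PUBLIC {kind}: {ident}")
```

A document shared only with named accounts, such as patch-hosts here, is not reported as public, but the list of accounts it is shared with is still worth reviewing.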