Enumerate AWS Public Resources

Public resources like EBS and RDS snapshots or SSM Documents can lead to data and credential leaks.

Dangers of Public Resources

Many AWS resources can become public whether intentionally or not and these resources may contain sensitive data and/or credentials that may lead to a compromised environment
There are legitimate use cases for exposing resources publicly (such as providing customers with easy access) but due diligence should be performed to ensure sensitive data and credentials are not contained in these resources

S3 Buckets

Since all S3 buckets have a unique URL, they can automatically be discovered
cloudenumworks by brute-forcing bucket names and informing if the bucket is real or not based on HTTP status codes. If a bucket is discovered, it attempts to list its contents s3:ListBucket

# python3 ./cloud_enum.py -k tylerexposedbucket234 --disable-gcp --disable-azure

[+] Checking for S3 buckets
  OPEN S3 BUCKET: http://tylerexposedbucket234.s3.amazonaws.com/
      FILES:
      ->http://tylerexposedbucket234.s3.amazonaws.com/tylerexposedbucket234
      ->http://tylerexposedbucket234.s3.amazonaws.com/dogs.txt
      ->http://tylerexposedbucket234.s3.amazonaws.com/secrets.txt
  Protected S3 Bucket: http://tyler.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler-1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler2.s3.amazonaws.com/

EBS Snapshots

EBS Snapshots are backups of EC2 instances

aws ec2 describe-snapshots --restorable-by-user-ids all

aws ec2 describe-snapshots --owner-ids 222222222222 --restorable-by-user-ids all

#!/bin/bash

# Description: Finds all public ebs snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public EBS snapshots in region: $region"
    
    # check for snapshots in region
    aws ec2 describe-snapshots --owner-ids $account --restorable-by-user-ids all --region "$region" | jq -r '.Snapshots[]'
done

# reset IFS
unset IFS

RDS Snapshots

RDS Snapshots are backups of RDS Databases

aws rds describe-db-snapshots --include-public

export account='111111111111'

aws rds describe-db-snapshots --include-public | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'

aws rds describe-db-snapshots --snapshot-type Public

#!/bin/bash

# Description: Finds all public rds snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public RDS snapshots in region: $region"
    
    # check for snapshots in region
    aws rds describe-db-snapshots --include-public --region $region | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'
done

# reset IFS
unset IFS

SSM Documents

SSM Documents allow for running commands and automation
These may contain sensitive information

#/bin/bash

# Variables
RED="\033[31m"
RESET="\033[0m"

my_ssm_docs=$(aws ssm list-documents | jq -r '.DocumentIdentifiers[] | select(.Owner | contains("111111111111")) | (.Name)')

for doc in $(echo $my_ssm_docs); do
    status=$(aws ssm describe-document-permission --name $doc --permission-type Share | jq -r '.AccountIds[]')

    if [ "$status" != "all" ]; then
        echo "The $doc is not public."
    else
        echo "${RED}The $doc is PUBLIC.${RESET}"
    fi
done

 aws ssm get-document --name <documentName> | jq -r '.Content'

PreviousEnumerate (Unauthenticated) IAM Users and Roles NextEnumerate Secrets in AWS

Last updated 3 months ago

Was this helpful?

Enumerate AWS Public Resources

Public resources like EBS and RDS snapshots or SSM Documents can lead to data and credential leaks.

Dangers of Public Resources

Many AWS resources can become public whether intentionally or not and these resources may contain sensitive data and/or credentials that may lead to a compromised environment
There are legitimate use cases for exposing resources publicly (such as providing customers with easy access) but due diligence should be performed to ensure sensitive data and credentials are not contained in these resources

S3 Buckets

Since all S3 buckets have a unique URL, they can automatically be discovered
cloudenumworks by brute-forcing bucket names and informing if the bucket is real or not based on HTTP status codes. If a bucket is discovered, it attempts to list its contents s3:ListBucket

# python3 ./cloud_enum.py -k tylerexposedbucket234 --disable-gcp --disable-azure

[+] Checking for S3 buckets
  OPEN S3 BUCKET: http://tylerexposedbucket234.s3.amazonaws.com/
      FILES:
      ->http://tylerexposedbucket234.s3.amazonaws.com/tylerexposedbucket234
      ->http://tylerexposedbucket234.s3.amazonaws.com/dogs.txt
      ->http://tylerexposedbucket234.s3.amazonaws.com/secrets.txt
  Protected S3 Bucket: http://tyler.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler-1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler2.s3.amazonaws.com/

EBS Snapshots

EBS Snapshots are backups of EC2 instances
dsnap is a useful tool for downloading snapshots for local inspection otherwise you can

aws ec2 describe-snapshots --restorable-by-user-ids all

aws ec2 describe-snapshots --owner-ids 222222222222 --restorable-by-user-ids all

#!/bin/bash

# Description: Finds all public ebs snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public EBS snapshots in region: $region"
    
    # check for snapshots in region
    aws ec2 describe-snapshots --owner-ids $account --restorable-by-user-ids all --region "$region" | jq -r '.Snapshots[]'
done

# reset IFS
unset IFS

RDS Snapshots

RDS Snapshots are backups of RDS Databases

aws rds describe-db-snapshots --include-public

export account='111111111111'

aws rds describe-db-snapshots --include-public | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'

aws rds describe-db-snapshots --snapshot-type Public

#!/bin/bash

# Description: Finds all public rds snapshots in all regions for a given aws account

# account to check
account='111111111111'

# needed to correctly parse regions
IFS=$'\n'

echo "Checking all regions in AWS account $account"

# get all available aws regions
regions=$(aws ec2 describe-regions --region us-east-1 | jq -r '.Regions[].RegionName')

# iterate through regions
for region in $regions; do
    # check for public snapshots
    echo "Checking for Public RDS snapshots in region: $region"
    
    # check for snapshots in region
    aws rds describe-db-snapshots --include-public --region $region | jq -r --arg aws_account "$account" '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains($aws_account))'
done

# reset IFS
unset IFS

SSM Documents

SSM Documents allow for running commands and automation
These may contain sensitive information

#/bin/bash

# Variables
RED="\033[31m"
RESET="\033[0m"

my_ssm_docs=$(aws ssm list-documents | jq -r '.DocumentIdentifiers[] | select(.Owner | contains("111111111111")) | (.Name)')

for doc in $(echo $my_ssm_docs); do
    status=$(aws ssm describe-document-permission --name $doc --permission-type Share | jq -r '.AccountIds[]')

    if [ "$status" != "all" ]; then
        echo "The $doc is not public."
    else
        echo "${RED}The $doc is PUBLIC.${RESET}"
    fi
done

 aws ssm get-document --name <documentName> | jq -r '.Content'

PreviousEnumerate (Unauthenticated) IAM Users and Roles NextEnumerate Secrets in AWS

Last updated 3 months ago

Was this helpful?