# Hacking S3

## S3

S3 (Simple Storage Service) is the object storage service in AWS: users upload files as objects into buckets. A bucket consists of objects and can accommodate an unlimited number of them.

Broadly, an S3 bucket is one of two types:-

* Public - anyone on the internet can read (or, if misconfigured, list or write) the bucket without credentials.
* Private - only permitted principals can access the bucket. Access to a private bucket is governed by the bucket's "Bucket Policy", by the IAM policies of the caller and, where still enabled, by the legacy ACL.

You can access a public S3 bucket by visiting `https://<bucketname>.s3.amazonaws.com` (buckets in regions other than us-east-1 are also reachable at `https://<bucketname>.s3.<region>.amazonaws.com`).

![](/files/D2C2W66nNpfTc8YIhhYy)

## S3 Permissions

* `GetObject` : the principal can download a given object from the bucket.
* `PutObject` : the principal can upload (or overwrite) an object in the bucket.
* `ListBucket` : the principal can list the object keys in the bucket; without it an attacker has to guess object names even when `GetObject` is public.

## S3 Access Controls

Access control in S3 is done via the bucket policy or the legacy ACL (Access Control List). The two are evaluated together: a request is allowed if either grants it, but an explicit `Deny` in the bucket policy overrides any ACL grant. Buckets created since April 2023 default to the `Bucket owner enforced` Object Ownership setting, which disables ACLs entirely, so on such buckets the bucket policy is the only thing to look at.

#### Bucket Policy

A bucket policy is attached at the bucket level, i.e. a single policy document governs the whole bucket (and, through its `Resource` entries, specific objects within it). It is the AWS-recommended way of controlling access to a bucket.

Example bucket policy:-

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement3",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::584358494719:user/BucketRead"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::securitylabs-article/flag.txt",
                "arn:aws:s3:::securitylabs-article/note.txt"
            ]
        }
    ]
}
```

The above bucket policy has the following properties:-

* Effect : `Allow` means the statement grants the Principal the listed Action on the listed Resource. `Deny` would explicitly refuse it, and an explicit `Deny` wins over any `Allow` from this or any other policy.
* Principal : the identity the statement applies to. Here `arn:aws:iam::584358494719:user/BucketRead` means the IAM user `BucketRead` in account `584358494719` is being given access. A Principal of `"*"` means everyone, including unauthenticated requests from the internet.
* Action : what the Principal is permitted to do on the Resource. Here `s3:GetObject` allows `BucketRead` to download objects, and only that.
* Resource : the bucket or objects the statement applies to. Here `arn:aws:s3:::securitylabs-article/note.txt` and `arn:aws:s3:::securitylabs-article/flag.txt` mean that `BucketRead` gets `GetObject` on `note.txt` and `flag.txt` in the bucket `securitylabs-article`; a Resource of `arn:aws:s3:::securitylabs-article/*` would cover every object in it.
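To make the evaluation rules concrete, here is a small policy evaluator, added as an example and not code from the page or from AWS. It takes the page's statement and adds a constructed public-read statement and an explicit Deny (the `PublicRead` and `NobodyReadsFlag` Sids and the `backup.zip` key are made up for illustration), then shows that an anonymous caller can read `note.txt`, that the Deny blocks even `BucketRead` from `flag.txt`, and that nothing in the policy grants `s3:GetObjectVersion` or `s3:PutObject`. Only Effect, Principal, Action and Resource are modelled; Conditions, IAM identity policies, SCPs and ACLs are out of scope.

```python
"""Toy evaluator for S3 bucket-policy statements (added example, not AWS code).

Models Effect, Principal, Action and Resource with IAM-style wildcards and
explicit-Deny precedence. Conditions, identity policies, SCPs and ACLs are
deliberately left out.
"""
import fnmatch
import json

# Constructed sample policy: the page's statement plus a public-read
# statement and an explicit Deny, so that the three interact.
POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement3",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::584358494719:user/BucketRead"},
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::securitylabs-article/flag.txt",
                "arn:aws:s3:::securitylabs-article/note.txt"
            ]
        },
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::securitylabs-article/*"
        },
        {
            "Sid": "NobodyReadsFlag",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::securitylabs-article/flag.txt"
        }
    ]
}
""")

ANONYMOUS = None  # an unauthenticated request from the internet


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """"*" (or {"AWS": "*"}) matches everyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        arns = _as_list(principal.get("AWS", []))
        return "*" in arns or (caller is not None and caller in arns)
    return False


def _action_matches(patterns, action):
    """Action names match case-insensitively, with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """ARNs match case-sensitively; * spans '/' just as it does in IAM."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, caller, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation: it beats every Allow
        decision = "Allow"
    return decision


def public_objects(policy, bucket, keys):
    """Which of the given keys an anonymous GET would succeed on."""
    return [k for k in keys
            if evaluate(policy, ANONYMOUS, "s3:GetObject", f"arn:aws:s3:::{bucket}/{k}") == "Allow"]


if __name__ == "__main__":
    user = "arn:aws:iam::584358494719:user/BucketRead"
    bucket = "securitylabs-article"
    for who, key in [(user, "note.txt"), (user, "flag.txt"), (ANONYMOUS, "note.txt")]:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        print(who or "anonymous", key, evaluate(POLICY, who, "s3:GetObject", arn))
    print("public:", public_objects(POLICY, bucket, ["note.txt", "flag.txt", "backup.zip"]))
```

The `public_objects` helper is the check a pentester actually wants: given a policy pulled with `GET /?policy`, which keys would an unauthenticated `GET` return. Note that the same `"Principal": "*"` statement that exposes `note.txt` also exposes any key you can guess, such as `backup.zip`, because the Resource uses a wildcard.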

#### ACL (Access Control List)

Access Control Lists are the legacy way of controlling access to a bucket. An ACL is a list of grants (grantee plus permission) attached to the bucket itself and, separately, to each object, so it provides control over both the bucket and its objects.

![](/files/68Xi8L4pmOJJnNmIrq5U)

The above is the ACL on the `securitylabs-article` bucket.

① - Object ACL for the bucket owner. Since both List and Write are selected, the bucket owner can list and write the objects in the bucket (ACL permissions `READ` and `WRITE`).
② - Bucket ACL for the bucket owner: the owner can read and edit the ACL of the bucket (`READ_ACP` and `WRITE_ACP`), as shown in the screenshot above.
③ - List permission on all objects for the `Everyone (public access)` grantee. If this were enabled, anyone on the internet could list all objects in the bucket without authenticating.
④ - Read permission on the bucket ACL for `Everyone`. If enabled, anyone on the internet could view the ACL of the bucket without authenticating.
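The console checkboxes above correspond to grants in the XML that `GET /<bucket>?acl` returns. The following is an added example (not the page's code) that parses such an ACL and flags grants to the two public group grantees, mapping each permission name back to the console label used in the screenshot. The sample ACL is constructed for illustration; its canonical user ID is a placeholder.

```python
"""Audit an S3 ACL document for public grants (added example, not AWS code)."""
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The two well-known group grantees. "Everyone (public access)" in the
# console is AllUsers; AuthenticatedUsers is any AWS account at all, which
# is effectively public too since anyone can create an account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# ACL permission name -> label used in the console screenshot.
CONSOLE_LABEL = {
    "READ": "Objects: List",
    "WRITE": "Objects: Write",
    "READ_ACP": "Bucket ACL: Read",
    "WRITE_ACP": "Bucket ACL: Write",
    "FULL_CONTROL": "all of the above",
}

# Constructed sample: owner has FULL_CONTROL, the internet can list objects,
# any AWS account can read the ACL. The 64-char ID is a placeholder.
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>0000000000000000000000000000000000000000000000000000000000000000</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>0000000000000000000000000000000000000000000000000000000000000000</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
      </Grantee>
      <Permission>READ_ACP</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
"""


def parse_grants(acl_xml):
    """Return [(grantee, permission), ...]; grantee is a canonical ID,
    an e-mail address, or a group URI."""
    root = ET.fromstring(acl_xml)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", NS):
        grantee = grant.find("s3:Grantee", NS)
        if grantee.get(XSI_TYPE) == "Group":
            who = grantee.findtext("s3:URI", namespaces=NS)
        else:
            who = (grantee.findtext("s3:ID", namespaces=NS)
                   or grantee.findtext("s3:EmailAddress", namespaces=NS))
        grants.append((who, grant.findtext("s3:Permission", namespaces=NS)))
    return grants


def public_grants(acl_xml):
    """Grants exercisable without being a named principal, as
    (audience, permission, console label) triples."""
    findings = []
    for who, perm in parse_grants(acl_xml):
        if who == ALL_USERS:
            findings.append(("Everyone", perm, CONSOLE_LABEL.get(perm, perm)))
        elif who == AUTH_USERS:
            findings.append(("Any AWS account", perm, CONSOLE_LABEL.get(perm, perm)))
    return findings


if __name__ == "__main__":
    for audience, perm, label in public_grants(SAMPLE_ACL):
        print(f"{audience}: {perm} ({label})")
```

A `WRITE` or `FULL_CONTROL` grant to either group is the worst case: it lets the internet overwrite or delete objects, and with `WRITE_ACP` rewrite the ACL itself.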

## Object Versioning

Versioning allows a bucket to keep multiple versions of the same object. In plain terms, you can upload several objects with the same key without overwriting the original: AWS stores each upload as a new version of the object. On a versioned bucket a `DeleteObject` without a version ID does not remove anything either; it only adds a delete marker on top of the existing versions.

![](/files/H4bAJ7FvSuD9ydsoZOKq)

The above screenshot shows 2 versions of the same `note.txt` object. VersionID `sShYGYWi.sfoOVA1SfQoiy6HEXSf2RXw` is the most recently uploaded object, which became the current version, while VersionID `f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K` is the originally uploaded object. AWS keeps both so that either one can be downloaded. This is sometimes interesting from an attacker's point of view, since old versions may still contain something (a credential, a config) that was later removed from the current one :)

### Querying Version Objects from Internet

To fetch a particular version of an object from a publicly accessible bucket, pass the `versionId` query parameter with the GET request. Note that this requires the `s3:GetObjectVersion` permission, which is separate from `s3:GetObject`: a bucket that is public for `GetObject` only will answer a `versionId` request with `403 AccessDenied`. Enumerating all version IDs in a bucket is done with `GET /?versions` on the bucket and requires `s3:ListBucketVersions`.

If our bucket `securitylabs-article` were publicly accessible for `GetObjectVersion`, one could download the old version of `note.txt` by knowing its versionId beforehand:-

```
curl 'https://securitylabs-article.s3.amazonaws.com/note.txt?versionId=f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K'
```
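When the bucket also allows `ListBucketVersions`, the `GET /?versions` response lists every version ID, including those behind delete markers. The following is an added example (not the page's code) that parses such a listing, picks out the versions a plain `GET` would never return, identifies objects that look deleted but are still retrievable, and builds the `?versionId=` URLs for them. The XML is a constructed sample that reuses the two `note.txt` version IDs from the screenshot above; the `flag.txt` entries and their version IDs are made-up placeholders.

```python
"""Find hidden and 'deleted' object versions in a ListObjectVersions
response (added example, not AWS code)."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample listing. note.txt uses the page's real version IDs;
# flag.txt has a delete marker on top of one old version (placeholder IDs).
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>securitylabs-article</Name>
  <Prefix></Prefix>
  <KeyMarker></KeyMarker>
  <VersionIdMarker></VersionIdMarker>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Version>
    <Key>note.txt</Key>
    <VersionId>sShYGYWi.sfoOVA1SfQoiy6HEXSf2RXw</VersionId>
    <IsLatest>true</IsLatest>
    <LastModified>2023-01-02T00:00:00.000Z</LastModified>
    <Size>10</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
  <Version>
    <Key>note.txt</Key>
    <VersionId>f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K</VersionId>
    <IsLatest>false</IsLatest>
    <LastModified>2023-01-01T00:00:00.000Z</LastModified>
    <Size>10</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
  <Version>
    <Key>flag.txt</Key>
    <VersionId>old-flag-placeholder-id</VersionId>
    <IsLatest>false</IsLatest>
    <LastModified>2023-01-01T00:00:00.000Z</LastModified>
    <Size>5</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
  <DeleteMarker>
    <Key>flag.txt</Key>
    <VersionId>delete-marker-placeholder-id</VersionId>
    <IsLatest>true</IsLatest>
    <LastModified>2023-01-03T00:00:00.000Z</LastModified>
  </DeleteMarker>
</ListVersionsResult>
"""


def parse_versions(listing_xml):
    """Return {key: [(version_id, is_latest, is_delete_marker), ...]}."""
    root = ET.fromstring(listing_xml)
    versions = {}
    for tag, is_marker in (("Version", False), ("DeleteMarker", True)):
        for el in root.findall(f"s3:{tag}", NS):
            key = el.findtext("s3:Key", namespaces=NS)
            vid = el.findtext("s3:VersionId", namespaces=NS)
            latest = el.findtext("s3:IsLatest", namespaces=NS) == "true"
            versions.setdefault(key, []).append((vid, latest, is_marker))
    return versions


def hidden_versions(listing_xml):
    """(key, version_id) pairs a plain GET without versionId never returns:
    every real (non-marker) version that is not the current one."""
    return [(key, vid)
            for key, entries in parse_versions(listing_xml).items()
            for vid, latest, is_marker in entries
            if not is_marker and not latest]


def deleted_but_recoverable(listing_xml):
    """Keys whose current version is a delete marker but which still have
    real versions underneath: they 404 on a plain GET, yet each old version
    is still downloadable with ?versionId=..."""
    result = []
    for key, entries in parse_versions(listing_xml).items():
        marker_on_top = any(latest and is_marker for _, latest, is_marker in entries)
        has_real_version = any(not is_marker for _, _, is_marker in entries)
        if marker_on_top and has_real_version:
            result.append(key)
    return result


def version_url(bucket, key, version_id):
    """URL for one specific version (needs s3:GetObjectVersion, not just s3:GetObject)."""
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?versionId={quote(version_id, safe='')}"


if __name__ == "__main__":
    print("looks deleted, still fetchable:", deleted_but_recoverable(SAMPLE_LISTING))
    for key, vid in hidden_versions(SAMPLE_LISTING):
        print(version_url("securitylabs-article", key, vid))
```

Real listings are paginated: when `IsTruncated` is `true`, repeat the request with `key-marker` and `version-id-marker` set from `NextKeyMarker` and `NextVersionIdMarker` until it is `false`.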

## Event Notification

Event notifications let users configure an action that runs when a particular event takes place in the S3 bucket.

![](/files/4EcwZF4rSOstNu7scnfP)

For instance, the above screenshot shows that for any PUT event a Lambda function called `securitylabs-lambda` is triggered, i.e. whenever a file is uploaded to the bucket, the Lambda runs. From an attacker's perspective this also means that anyone with `PutObject` on the bucket chooses the input that Lambda processes.

This helps automate processing and parsing of objects, and various other use cases, upon their upload to an S3 bucket.

