
# S3 - Security

Following are some interesting security scenarios:

## Scenario I - My S3 is open

Many times an S3 bucket is open to the world and allows unauthorized read and write access. This was the major reason for the Capital One breach.

To list the objects in an S3 bucket named `test-bucket`, either visit `https://test-bucket.s3.amazonaws.com` in a browser or run the following AWS CLI command:

```
aws s3 ls s3://test-bucket
```

## Scenario II - S3 Ransomware

We share research done by the Rhino Security Labs team on the cloud equivalent of ransomware for S3. An S3 bucket that grants write access can be re-encrypted with a KMS key that belongs to the attacker's account. In this case the bucket owner is unable to decrypt the content, since the encryption key does not belong to their account. Once the bucket has been encrypted, the attacker can leave a `ransom.txt` as a ransom note and hold the bucket to ransom.

More details about this interesting research can be found [here](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/).

## Scenario III - Bucket Policy wide open

Many times users make sure not to set a bucket to public, but a misconfigured bucket policy makes the bucket public indirectly.

For example, consider the bucket policy below:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::securitylabs-articles/*"
        }
    ]
}
```

This is a vulnerable bucket policy: it states that anyone on the internet can download objects from the bucket `securitylabs-articles`.

The vulnerable part is the `Principal` field, which is `*`: the `s3:GetObject` action is granted to anyone on the internet. Assuming there is an object called `note.txt`, downloading it takes just the curl request below:

```
curl https://securitylabs-articles.s3.amazonaws.com/note.txt
```
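As an added example (not code from the original page), here is a small Python checker that applies the rule above to a bucket policy document: it flags `Allow` statements whose `Principal` is `*` or `{"AWS": "*"}` and records whether a `Condition` block narrows the grant, since such a statement needs review rather than an automatic fail. The account id in the scoped variant is a placeholder.

```python
import json

# Constructed sample: the wide-open policy discussed above, plus a hardened variant
# that grants the same read to one (placeholder) account instead of everyone.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement2", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::securitylabs-articles/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement2", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account id
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::securitylabs-articles/*"}]})


def _as_list(value):
    """IAM policy fields may be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_statements(policy_json):
    """Return each Allow statement whose Principal is anonymous; a Condition block is
    flagged for manual review, since keys such as aws:SourceIp can narrow the grant."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{i}"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def is_public(policy_json):
    """Any unconditional anonymous Allow makes the bucket effectively public."""
    return any(not f["conditioned"] for f in find_public_statements(policy_json))
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field) to audit real buckets.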
