A curated collection of tools, techniques, and resources for AWS S3 security research and exposed bucket discovery.
## Enumeration

Tools specifically designed for discovering and analyzing AWS S3 buckets.
| Tool | Description |
|---|---|
| Grayhat Warfare | Free tool that lists open S3 buckets and helps search for interesting files |
| AWSBucketDump | Quickly enumerate AWS S3 buckets to look for loot |
| S3Scanner | Scan for open AWS S3 buckets and dump the contents |
| s3enum | Fast Amazon S3 bucket enumeration tool for pentesters |
| s3-buckets-finder | PHP tool to brute force Amazon S3 buckets (by gwen001) |
| s3-buckets-finder | PHP tool to brute force Amazon S3 buckets (by gold1029) |
| Sandcastle | Python script for AWS S3 bucket enumeration (formerly bucketCrawler) |
| mubrute | Uses response codes to determine bucket existence and list permissions |
| PyLazyS3 | Enumerate AWS S3 buckets using different permutations |
| RoboBucketeer | Robot Framework Library for S3 Buckets & Subdomain Enumeration |
| inSp3ctor | AWS S3 Bucket/Object Finder |
| bucketkicker | Quickly enumerate AWS S3 buckets and look for loot |
| s3recon | Amazon S3 bucket finder and crawler |
| s3finder | Search using wordlist or certificate transparency logs |
| kicks3 | S3 bucket finder from HTML/JS and misconfiguration testing tool |
| bucket_finder | DigiNinja's bucket_finder utility |
| Bucket_Finder | Leaky Buckets finder |
| haka_toni_bucket_finder | S3 Bucket finder utility |
| s3-open-bucket-finder | Open S3 Bucket discovery tool |
| s3scanner | Scan for open public S3 buckets |
| bucket-scraper | CLI for scraping, indexing and downloading S3 buckets |
| bucket-hunter | Amazon AWS Exposed Bucket Hunter |
| bucket-stream | Find S3 Buckets by watching certificate transparency logs |
| goGetBucket | Penetration testing tool to enumerate S3 Buckets by domain |
| bucket_finder | Trawl Amazon S3 buckets for interesting files |
## General Purpose

Multi-purpose tools that include S3 bucket functionality alongside other cloud storage services.
| Tool | Description |
|---|---|
| CloudScraper | Enumerate targets for cloud resources (S3, Azure Blobs, DO Spaces) |
| CloudStorageFinder | Find public data in cloud storage systems |
| exif-scraper | Extract EXIF data from S3 bucket photos |
| mlb-dfs-scrapers | Web scraping for dumping stats to S3 bucket CSV files |
## Techniques

Methods and approaches for S3 bucket reconnaissance.

Use the enum_wayback Metasploit module to pull and parse URLs stored by Archive.org. It is useful for finding unlinked and legacy pages during web assessments.
## Articles

In-depth reading about S3 security and misconfigurations.
- List of AWS S3 Leaks - Comprehensive list of documented S3 data exposures
- How to Search for Open Amazon S3 Buckets - GrayhatWarfare guide
- There's a Hole in 1,951 Amazon S3 Buckets - Rapid7 research
- Amazon S3 Bucket Public Access Considerations - Official AWS guidance
- Analysing Amazon's Buckets - DigiNinja analysis
- Unsecured Public Information in S3 Buckets - Rapid7 misconfiguration guide
- Exposed S3 Bucket CloudTrail Logs - Security implications of exposed logs
- Fantastic! Public S3 Buckets and How to Find Them - Auth0 blog
## Videos

Visual learning resources for S3 security.
| Title | Description |
|---|---|
| How do I find out which S3 buckets allow access from the Internet? | AWS guidance on identifying public buckets |
| Securing and Protecting Against Exposed S3 Buckets | Defensive strategies |
| Effective S3 Bucket Management | Prevention and mitigation techniques |
| The Bucket List: Experiences Operating S3 Honeypots | Honeypot research insights |
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
If you find this resource helpful, please consider giving it a star!