Basic S3 Bucket Enumeration Cheat Sheet
1. List Buckets in the Authenticated Account
aws s3 ls
2. Check if a Bucket Exists (No Auth)
aws s3 ls s3://[bucket-name] --no-sign-request
3. List Contents of a Public or Accessible Bucket
aws s3 ls s3://[bucket-name]/[optional-path] --no-sign-request
4. Download an Object
aws s3 cp s3://[bucket-name]/[key] [local-file] --no-sign-request
5. Upload a File (Test Write Access)
aws s3 cp test.txt s3://[bucket-name]/test.txt
Only works if write access is allowed.
6. Enumerate Bucket Permissions (Authenticated)
a. Get bucket policy
aws s3api get-bucket-policy --bucket [bucket-name]
b. Get bucket ACL (Access Control List)
aws s3api get-bucket-acl --bucket [bucket-name]
c. Get Public Access Block settings
aws s3api get-bucket-public-access-block --bucket [bucket-name]
d. Get CORS configuration (may hint at XSS vectors)
aws s3api get-bucket-cors --bucket [bucket-name]
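Reading the outputs of 6a to 6c together, as an added example (not part of the original cheat sheet): the Python below parses the JSON those three commands return and reports which public grants are actually in effect for a bucket you own. The sample JSON, bucket name and account ID are constructed placeholders, and treating any statement that carries a Condition as non-public is a simplifying assumption.

```python
import json

# Grantee URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(acl_json):
    """(audience, permission) for every ACL grant to a public group."""
    grants = json.loads(acl_json).get("Grants", [])
    return [(PUBLIC_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def policy_findings(policy_json):
    """Actions allowed to a wildcard principal with no Condition (simplified check)."""
    # get-bucket-policy returns the policy document as a JSON string under "Policy".
    doc = json.loads(json.loads(policy_json)["Policy"])
    actions = []
    for stmt in as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in as_list(aws) and "Condition" not in stmt:
            actions += as_list(stmt.get("Action", []))
    return actions

def audit(acl_json, policy_json, pab_json):
    """Combine the three outputs into what is effectively exposed."""
    pab = json.loads(pab_json).get("PublicAccessBlockConfiguration", {})
    return {
        "pab_disabled": [f for f in PAB_FLAGS if not pab.get(f)],
        # IgnorePublicAcls makes S3 disregard public ACL grants.
        "acl": [] if pab.get("IgnorePublicAcls") else acl_findings(acl_json),
        # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
        "policy": [] if pab.get("RestrictPublicBuckets") else policy_findings(policy_json),
    }

# Constructed sample outputs (not from a real bucket; all names are placeholders).
SAMPLE_ACL = json.dumps({"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]})
SAMPLE_POLICY = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})})
SAMPLE_PAB = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}})
```

Calling audit(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB) shows the public READ grant in the ACL neutralised by IgnorePublicAcls while the wildcard s3:GetObject policy statement remains exposed. Account-level Public Access Block settings can also apply and are not covered by the bucket-level output parsed here.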
7. List All Buckets & Objects (If Compromised Creds)
aws s3api list-buckets
aws s3api list-objects --bucket [bucket-name] --output table
