hartl3y94 / s3_objects_check

This project forked from nccgroup/s3_objects_check

License: MIT License

S3 Objects Check

Description

Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.

Identifies objects that are publicly accessible (readable by anyone, the "AllUsers" group), as well as objects readable by any authenticated AWS principal (the "AuthenticatedUsers" group), the latter by probing with a secondary profile. A number of tools exist which check permissions on buckets, but because bucket policies, IAM policies and bucket/object ACLs combine in non-obvious ways, the effective permissions on a specific object are often hard to assess from the configuration alone; this tool instead tests each object directly. It runs fast as it issues the requests concurrently with asyncio and aiobotocore.

Setup

Permissions

The tool leverages two named profiles:

  • WHITEBOX_PROFILE - a profile with read access to the S3 service in the account under test. It is used only to list buckets and objects; the tool then attempts to read each listed object via unauthenticated (unsigned) requests. This profile is never used to access the objects themselves, only to enumerate them.
  • BLACKBOX_PROFILE - in addition to the unauthenticated requests, the tool uses this profile to identify objects readable by the "Authenticated Users group" (AuthenticatedUsers), i.e. by any AWS account. This profile must not have any legitimate access to the buckets/objects under test: the tool cannot tell a grant to AuthenticatedUsers apart from a grant to this specific principal, so any object it can read through its own permissions will be reported as a false positive.
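The following is an added example, not code from s3_objects_check, that models the two-profile check described above so the logic can be followed offline. As in the tool, the object list comes from the whitebox side and each object is probed twice, once unsigned and once as the external principal; the probe is injected, so the fixture below (hypothetical bucket and key names, constructed HTTP statuses) runs with no AWS credentials or network. make_real_probe() shows the boto3 calls a live run would use; the heuristic in blackbox_profile_suspicious() is my own, not something the tool implements.

```python
"""Offline model of the WHITEBOX/BLACKBOX object check (added example, not the tool's code)."""
import asyncio
from dataclasses import dataclass
from typing import Awaitable, Callable, Iterable, List, Tuple

ObjectRef = Tuple[str, str, str]                                # (bucket, region, key)
Probe = Callable[[str, str, str], Awaitable[Tuple[int, int]]]  # -> (unsigned status, external status)

# Constructed fixture with hypothetical names: the HTTP status a HEAD on the object
# returns for an unsigned request and for the BLACKBOX profile (200 readable, 403 denied).
CONSTRUCTED_OBJECTS = {
    ("acme-public-assets", "us-east-1", "logo.png"): (200, 200),
    ("acme-backups", "eu-west-2", "db-2020-11.sql.gz"): (403, 200),
    ("acme-backups", "eu-west-2", "private.key"): (403, 403),
}


@dataclass(frozen=True)
class Row:
    url: str
    unsigned: int   # status seen by an anonymous caller
    external: int   # status seen by the BLACKBOX profile


def object_url(bucket: str, region: str, key: str) -> str:
    return f"https://{bucket}.s3.{region}.amazonaws.com/{key}"


def classify(unsigned: int, external: int):
    """Effective grantee implied by the two probes, or None if neither could read."""
    if unsigned == 200:
        return "AllUsers"              # anyone on the internet can fetch it
    if external == 200:
        return "AuthenticatedUsers"    # any AWS account can fetch it
    return None


async def fake_probe(bucket: str, region: str, key: str) -> Tuple[int, int]:
    await asyncio.sleep(0)             # yield to the loop, mimicking an I/O-bound request
    return CONSTRUCTED_OBJECTS[(bucket, region, key)]


def make_real_probe(external_profile: str) -> Probe:
    """Probe live objects with boto3: unsigned HEAD, then HEAD as external_profile."""
    import boto3                       # imported lazily; not needed for the offline fixture
    from botocore import UNSIGNED
    from botocore.config import Config
    from botocore.exceptions import ClientError

    def head(client, bucket: str, key: str) -> int:
        try:
            client.head_object(Bucket=bucket, Key=key)
            return 200
        except ClientError as e:       # S3 answers 403 when access is denied
            return int(e.response["ResponseMetadata"]["HTTPStatusCode"])

    async def probe(bucket: str, region: str, key: str) -> Tuple[int, int]:
        anon = boto3.client("s3", region_name=region, config=Config(signature_version=UNSIGNED))
        ext = boto3.Session(profile_name=external_profile).client("s3", region_name=region)
        loop = asyncio.get_running_loop()
        statuses = await asyncio.gather(loop.run_in_executor(None, head, anon, bucket, key),
                                        loop.run_in_executor(None, head, ext, bucket, key))
        return statuses[0], statuses[1]

    return probe


async def scan(objects: Iterable[ObjectRef], probe: Probe, concurrency: int = 20) -> List[Row]:
    """Probe every listed object concurrently (bounded by a semaphore), preserving order."""
    sem = asyncio.Semaphore(concurrency)

    async def one(ref: ObjectRef) -> Row:
        async with sem:
            unsigned, external = await probe(*ref)
        return Row(object_url(*ref), unsigned, external)

    return list(await asyncio.gather(*(one(ref) for ref in objects)))


def findings(rows: List[Row]) -> List[str]:
    """One warning per exposed object, worded like the tool's log lines."""
    out = []
    for r in rows:
        grantee = classify(r.unsigned, r.external)
        if grantee:
            out.append(f'Found {r.url} allowing "{grantee}"')
    return out


def blackbox_profile_suspicious(rows: List[Row]) -> bool:
    """Heuristic (my assumption, not from the tool): if the external profile read every
    listed object, it probably has legitimate access and the AuthenticatedUsers
    findings are the false positives the Permissions section warns about."""
    return bool(rows) and all(r.external == 200 for r in rows)


def run_offline() -> List[Row]:
    return asyncio.run(scan(CONSTRUCTED_OBJECTS.keys(), fake_probe))


if __name__ == "__main__":
    rows = run_offline()
    for line in findings(rows):
        print("WARNING", line)
    if blackbox_profile_suspicious(rows):
        print("WARNING BLACKBOX profile appears to have real access; results unreliable")
```

Against the fixture this reports logo.png as "AllUsers" and the backup as "AuthenticatedUsers", and stays silent on private.key. To run it for real, replace fake_probe with make_real_probe("blackbox-profile") and feed it the (bucket, region, key) triples enumerated with the whitebox profile.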

Dependencies

Setup a virtual environment and install dependencies:

$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt

Usage

Options:

$ python s3-objects-check.py -h

usage: s3-objects-check.py [-h] -p WHITEBOX_PROFILE -e BLACKBOX_PROFILE [-d]

Whitebox evaluation of effective S3 object permissions, to identify publicly
accessible files.

optional arguments:
  -h, --help            show this help message and exit
  -p WHITEBOX_PROFILE, --profile WHITEBOX_PROFILE
                        The profile with access to the desired AWS account and
                        buckets
  -e BLACKBOX_PROFILE, --profile-external BLACKBOX_PROFILE
                        An "external" profile to test for 'AuthenticatedUsers'
                        permissions. This principal should not have
                        permissions to read bucket objects.
  -d, --debug           Verbose output. Will also create a log file

Run the tool:

$ python s3-objects-check.py -p whitebox-profile -e blackbox-profile

2020-11-24 11:19:56 host object-check[371] INFO Starting
2020-11-24 11:20:08 host object-check[371] WARNING Found https://<bucket>.s3.us-east-1.amazonaws.com/<object> allowing "AllUsers"
2020-11-24 11:20:09 host object-check[371] WARNING Found https://<bucket>.s3.eu-west-2.amazonaws.com/<object> allowing "AuthenticatedUsers"
2020-11-24 11:21:34 host object-check[371] INFO Done

Contributors

x4v13r64
