Discover AWS Public Resources

Public resources like EBS and RDS snapshots or SSM Documents can lead to data and credential leaks.

Dangers of Public Resources

Many AWS resources can become public whether intentionally or not and these resources may contain sensitive data and/or credentials that may lead to a compromised environment
There are legitimate use cases for exposing resources publicly (such as providing customers with easy access) but due diligence should be performed to ensure sensitive data and credentials are not contained in these resources

S3 Buckets

Since all S3 buckets have a unique URL, they can automatically be discovered
cloudenumworks by brute-forcing bucket names and informing if the bucket is real or not based on HTTP status codes. If a bucket is discovered, it attempts to list its contents s3:ListBucket

# python3 ./cloud_enum.py -k tylerexposedbucket234 --disable-gcp --disable-azure

[+] Checking for S3 buckets
  OPEN S3 BUCKET: http://tylerexposedbucket234.s3.amazonaws.com/
      FILES:
      ->http://tylerexposedbucket234.s3.amazonaws.com/tylerexposedbucket234
      ->http://tylerexposedbucket234.s3.amazonaws.com/dogs.txt
      ->http://tylerexposedbucket234.s3.amazonaws.com/secrets.txt
  Protected S3 Bucket: http://tyler.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler-1.s3.amazonaws.com/
  Protected S3 Bucket: http://tyler2.s3.amazonaws.com/

EBS Snapshots

EBS Snapshots are backups of EC2 instances
dsnapis a useful tool for downloading snapshots for local inspection otherwise you can create an EC2 in your AWS account with the snapshot

aws ec2 describe-snapshots --restorable-by-user-ids all

aws ec2 describe-snapshots --owner-ids 222222222222 --restorable-by-user-ids all

RDS Snapshots

RDS Snapshots are backups of RDS Databases

aws rds describe-db-snapshots --include-public

aws rds describe-db-snapshots --include-public | jq -r '.DBSnapshots[] | select(.DBSnapshotIdentifier | contains("111111111111"))'

aws rds describe-db-snapshots --snapshot-type Public

SSM Documents

SSM Documents allow for running commands and automation
These may contain sensitive information

#/bin/bash

# Variables
RED="\033[31m"
RESET="\033[0m"

my_ssm_docs=$(aws ssm list-documents | jq -r '.DocumentIdentifiers[] | select(.Owner | contains("111111111111")) | (.Name)')

for doc in $(echo $my_ssm_docs); do
    status=$(aws ssm describe-document-permission --name $doc --permission-type Share | jq -r '.AccountIds[]')

    if [ "$status" != "all" ]; then
        echo "The $doc is not public."
    else
        echo "${RED}The $doc is PUBLIC.${RESET}"
    fi
done

 aws ssm get-document --name <documentName> | jq -r '.Content'

PreviousDiscover AWS IAM Users NextGenerate AWS Console Session

Last updated 11 hours ago