- S3cret Scanner tool is designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets.
- S3cret Scanner can perform scheduled or on-demand scans to hunt after various types of secrets over the organization’s publicly accessible buckets.
- The team is also developing playbooks that automatically enrich alerts, route them to the user who performed the suspected action, and initiate remediation.
Eilon Harel published a new open-source tool named S3cret Scanner on GitHub. The tool is designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets. The tool can be executed as a scheduled task or on demand.
Public buckets
Sometimes, organizations’ S3 buckets can publicly expose stored data, due to misconfiguration. It is a serious flaw that can cause data breaches, allowing attackers to gain access to employee or customer details, backups, and other data. In some cases, buckets can also reveal authentication keys, access tokens, and API keys, which are considered secrets. The tool performs the following actions:
- Filter for the objects last modified within the past 24 hours, using JMESPath.
- Iterate over the objects.
- Download the textual files.
- Scan for secrets.
- Create a meaningful alert on the results.
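The five steps above as one pipeline, written here as an added example rather than the S3cret Scanner project's own code. The detector rules, textual file-type list, bucket listing and object bodies are constructed for illustration, and the 24-hour filter is expressed in plain Python instead of JMESPath so the example runs offline without AWS credentials.

```python
import re
from datetime import datetime, timedelta, timezone

# File types the scanner downloads; everything else (binaries, archives) is skipped.
TEXTUAL_SUFFIXES = (".txt", ".json", ".env", ".yaml", ".yml", ".cfg", ".ini", ".log", ".xml")

# Constructed detector rules for this example; a real deployment uses a full ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(r'(?i)\b(?:api[_-]?key|secret)\s*[:=]\s*[\'"]?[A-Za-z0-9_\-]{16,}'),
}

def recent_keys(listing, now, hours=24):
    """Keep only objects modified within the last `hours`. The tool applies this
    filter with JMESPath on the ListObjectsV2 response; here it is plain Python."""
    cutoff = now - timedelta(hours=hours)
    return [o["Key"] for o in listing.get("Contents", []) if o["LastModified"] >= cutoff]

def scan_text(key, text):
    """Report rule name and line number only; the matched value is never copied into the alert."""
    findings = []
    for rule, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append({"key": key, "rule": rule, "line": text.count("\n", 0, m.start()) + 1})
    return findings

def scan_bucket(listing, get_object, now):
    """Filter -> iterate -> download textual objects -> scan -> alert records."""
    alerts = []
    for key in recent_keys(listing, now):
        if key.lower().endswith(TEXTUAL_SUFFIXES):
            alerts.extend(scan_text(key, get_object(key)))
    return alerts

# Constructed sample listing and object bodies standing in for a public bucket.
NOW = datetime(2022, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = {"Contents": [
    {"Key": "reports/2021.txt", "LastModified": NOW - timedelta(days=30)},  # too old, filtered out
    {"Key": "backup.bin", "LastModified": NOW - timedelta(hours=2)},        # recent but not textual
    {"Key": "config/.env", "LastModified": NOW - timedelta(hours=5)},       # recent and textual
]}
SAMPLE_OBJECTS = {
    "config/.env": "DB_HOST=db.internal\n"
                   "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS documentation example key
                   "api_key = 'abcdefghijklmnop1234'\n",
}

def run_example():
    return scan_bucket(SAMPLE_LISTING, lambda k: SAMPLE_OBJECTS.get(k, ""), NOW)
```

`run_example()` returns two alert records for `config/.env` (lines 2 and 3); against a live bucket `get_object` would be replaced by a boto3 `get_object` call and the listing by the paginated `list_objects_v2` response.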
By default, AWS will disable public access for newly created buckets and objects. However, during my investigation, I noticed that many users assume that by not setting the bucket to “Public”, it automatically means that the objects are private, which is a common mistake. There are two permissions that lead to file exposure:
- Public: everyone has one of the following permissions on the bucket: list objects, write objects, or read and write permissions.
- Objects can be public: the bucket itself is not public, but anyone with the appropriate permissions can grant public access to individual objects.
Eilon Harel said,
« Storage as a Service is being commonly used, but can be the entry point for many organizations, as it can easily expose sensitive information with a single configuration mistake.
Developing an automated scanner, as an additional layer of security, can aid organizations in preventing the next breach. Our SecOps team is constantly brainstorming what could be done next to better secure our company, and automating these ideas. »