S3Scanner
A tool to find open S3 buckets in AWS or other S3 cloud providers.
Usage
Usage: s3scanner [options]
| Option | Description |
|---|---|
| -bucket | Name of bucket to check. |
| -bucket-file | File of bucket names to check. |
| -mq | Connect to RabbitMQ to get buckets. Requires config file key "mq". Default: "false" |
| -db | Save results to a Postgres database. Requires config file key "db.uri". Default: "false" |
| -json | Print logs to stdout in JSON format instead of human-readable. Default: "false" |
| -enumerate | Enumerate bucket objects (can be time-consuming). Default: "false" |
| -provider | Object storage provider: aws, custom, digitalocean, dreamhost, gcp, linode, scaleway. custom requires config file. Default: "aws" |
| -threads | Number of threads to scan with. Default: 4 |
Configuration
If using flags that require config options, s3scanner will search for config.yml in:
- (current directory)
- /etc/s3scanner/
- $HOME/.s3scanner/
```yaml
# Required by -db
db:
  uri: "postgresql://user:pass@db.host.name:5432/schema_name"

# Required by -mq
mq:
  queue_name: "aws"
  uri: "amqp://user:pass@localhost:5672"

# providers.custom required by `-provider custom`
#   address_style - Addressing style used by endpoints.
#     type: string
#     values: "path" or "vhost"
#   endpoint_format - Format of endpoint URLs. Should contain '$REGION' as placeholder for region name
#     type: string
#   insecure - Ignore SSL errors
#     type: boolean
#   regions must contain at least one option
providers:
  custom:
    address_style: "path"
    endpoint_format: "https://$REGION.vultrobjects.com"
    insecure: false
    regions:
      - "ewr1"
```

When s3scanner parses the config file, it takes the endpoint_format and replaces $REGION with each region listed to create a list of endpoint URLs.
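The expansion described above, as an added Go example that is not S3Scanner's own code. The type and function names are hypothetical, and the bucket URL layouts follow the usual S3 path-style and virtual-hosted-style conventions, which is an assumption about how the tool applies address_style.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// CustomProvider mirrors the providers.custom keys above (hypothetical type; insecure omitted).
type CustomProvider struct {
	AddressStyle, EndpointFormat string
	Regions                      []string
}

// ExpandEndpoints checks the documented constraints, then returns one endpoint URL per region.
func ExpandEndpoints(p CustomProvider) ([]string, error) {
	if p.AddressStyle != "path" && p.AddressStyle != "vhost" {
		return nil, fmt.Errorf("address_style %q must be \"path\" or \"vhost\"", p.AddressStyle)
	}
	if !strings.Contains(p.EndpointFormat, "$REGION") || len(p.Regions) == 0 {
		return nil, fmt.Errorf("endpoint_format needs $REGION and regions needs at least one entry")
	}
	var out []string
	for _, r := range p.Regions {
		e := strings.ReplaceAll(p.EndpointFormat, "$REGION", r)
		// A format without a scheme parses as a bare path with no host; reject it early.
		if u, err := url.Parse(e); err != nil || u.Host == "" {
			return nil, fmt.Errorf("region %q yields invalid endpoint %q", r, e)
		}
		out = append(out, e)
	}
	return out, nil
}

// BucketURL places the bucket in the host (vhost) or in the path (path).
// The endpoint must come from ExpandEndpoints, which has already validated it.
func BucketURL(endpoint, bucket, style string) string {
	u, _ := url.Parse(endpoint)
	if style == "vhost" {
		u.Host = bucket + "." + u.Host
	} else {
		u.Path = "/" + bucket
	}
	return u.String()
}

func main() {
	// Constructed input: the values from the sample config.yml and a made-up bucket name.
	p := CustomProvider{AddressStyle: "path", EndpointFormat: "https://$REGION.vultrobjects.com", Regions: []string{"ewr1"}}
	eps, err := ExpandEndpoints(p)
	fmt.Println(eps, err, BucketURL(eps[0], "example-bucket", p.AddressStyle))
}
```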