In the jungle of AWS S3 Enumeration

I. The current Situation

According to Datadog’s article on the state of security in AWS:

Organizations with at least 1 publicly readable S3 bucket = 36 %

36% of organizations with at least one Amazon S3 bucket have it configured to be publicly readable. This is a significant cybersecurity risk, as publicly accessible S3 buckets can expose sensitive data to unauthorized individuals, leading to potential data breaches, data theft, and a host of compliance issues.

We could model the attack from a high-level point of view as follows:

[Figure: Classical S3 Attack Path Scenario]

In this article, we will focus on the reconnaissance techniques used by attackers in part 1 of the figure above.

II. Enumeration Techniques

II.1 Google Dorking to Locate Buckets

Google Dorking utilizes advanced search queries to find hidden information on the internet. When it comes to S3 buckets, specific dorks can reveal buckets left exposed by inadvertent configurations.

Example Commands:

[Figure: Google Dorks For S3 Enumeration]

First command result example:

[Figure: First command result example]

Search results will list web pages or direct links to S3 buckets. Verify the legitimacy of each link, as some may be outdated or reference non-existent buckets. For actual buckets, proceed to check the permissions and contents, ideally reporting any misconfigurations to the bucket owner.

II.2 Burp Suite Exploration

Burp Suite is a powerful tool for web application security pentesting. It can be used for S3 bucket reconnaissance by monitoring HTTP requests that contain bucket information.

Configure your browser to use Burp Suite as its proxy, then browse the target application. Burp Suite will automatically capture the traffic. Analyze the sitemap generated by Burp for any S3 bucket links or headers.

Look for patterns such as:

  • URLs containing “”
  • Headers with “x-amz-bucket”

For instance:

[Figure: Burp s3 keyword search through the proxy history]

Also, the Burp plugin from the BApp Store can be really useful.

The traffic analysis capabilities of Burp Suite allow for detailed scrutiny of web applications and potential S3 bucket discovery inside indirect or sub calls.

II.3 GitHub Recon Tools

There’s a treasure trove of S3 reconnaissance tools on GitHub. These tools range in functionality from scanning bucket names to checking for public accessibility and dumping contents.

  • S3Scanner
  • Dumpster Diver
  • S3 Bucket Finder
  • AWSInventorySync

Leveraging automated tools can vastly increase the efficiency and breadth of your reconnaissance. After running these tools, the next steps should involve assessing the identified buckets’ configurations, understanding the potential risks, and, if necessary, alerting the responsible parties.

II.4 Online Websites

Online resources can streamline the S3 bucket discovery process. Nuclei templates, specifically, are predefined patterns used to detect common vulnerabilities, including misconfigured S3 buckets.

For instance you can use:

Tools like and GrayHatWarfare are tailor-made to simplify the search process, pulling from pools of data that might take an individual researcher considerable time to amass.

What’s more, the existence of SaaS services accessible with just three clicks shows just how widespread this attack is these days.
Hackers have even developed automated programs for scanning and collecting objects publicly exposed in S3 buckets.

II.5 Regex Mastery

Mastering simple regex can be one of the most efficient ways to conduct S3 bucket reconnaissance. By chaining simple commands, you can create powerful searches.

Running Commands:
Here’s how to use regex with curl to extract S3 bucket URLs from JavaScript files:

[Figure: Regex for searching S3 bucket URLs in JS Files]

And for using subfinder and httpx:

[Figure: subfinder + httpx tools for finding S3 buckets]

The command-line outputs will typically provide you with raw URLs or status codes. A 200 status code on an S3 bucket URL, for example, indicates that the bucket is accessible. These command-line techniques offer granular control over the reconnaissance process and can be customized for specific scenarios. The output from these commands must be carefully analyzed to distinguish between normal bucket usage and potential security risks.
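
The pattern matching described in II.2 and II.5, written as a pre-release check a team can run over its own JavaScript bundles or exported proxy history: it extracts bucket names from the three common S3 reference forms and reports any bucket that is not on an approved-public list. This is an added example, not code from the original article; the sample bundle, the bucket names and the approved list are constructed for illustration.

```python
import re

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
_B = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# Any S3 endpoint host: s3.amazonaws.com, s3.<region>..., s3-<region>...,
# s3-website-<region>... (all end in .amazonaws.com).
_EP = r"s3[a-z0-9.-]*\.amazonaws\.com"

S3_REF = re.compile(
    rf"s3://(?P<uri>{_B})"                      # s3://bucket/key
    rf"|(?P<vhost>{_B})\.{_EP}"                 # bucket.s3.<region>.amazonaws.com
    rf"|(?<![a-z0-9.-]){_EP}/(?P<path>{_B})",   # s3.<region>.amazonaws.com/bucket
    re.IGNORECASE,
)

def find_s3_references(text):
    """Return unique (bucket, style) pairs in order of first appearance."""
    seen, refs = set(), []
    for m in S3_REF.finditer(text):
        style = m.lastgroup                     # which alternative matched
        ref = (m.group(style).lower(), style)
        if ref not in seen:
            seen.add(ref)
            refs.append(ref)
    return refs

def unapproved_buckets(text, approved_public):
    """Buckets visible to clients that nobody signed off as public."""
    found = {bucket for bucket, _ in find_s3_references(text)}
    return sorted(found - set(approved_public))

# Constructed sample: a front-end bundle that references four buckets.
SAMPLE_BUNDLE = r'''
const CDN = "https://acme-assets.s3.eu-west-1.amazonaws.com/app.js";
fetch("https://s3.us-west-2.amazonaws.com/acme-backups/db.sql.gz");
const lake = "s3://acme-data-lake/exports/";
img.src = "https:\/\/acme-assets.s3.eu-west-1.amazonaws.com\/logo.png";
const site = "http://acme-site.s3-website-us-east-1.amazonaws.com";
'''

# Constructed allowlist: buckets that are meant to serve public content.
APPROVED_PUBLIC = {"acme-assets", "acme-site"}

if __name__ == "__main__":
    for bucket, style in find_s3_references(SAMPLE_BUNDLE):
        print(f"{style:5} {bucket}")
    print("review:", unapproved_buckets(SAMPLE_BUNDLE, APPROVED_PUBLIC))
```

Any bucket the check reports is one whose name is already visible to every visitor of the application, so its bucket policy and public access settings are the ones to review first.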


Navigating the complexities of AWS S3 Enumeration is crucial for identifying and securing misconfigured S3 buckets, which are potential gateways to sensitive data exposure.

Identifying these vulnerabilities is only the first step. Action must be taken to mitigate these risks, ensuring data remains secure against potential breaches. This is where Resonance Security steps in.

Specializing in cloud security audits and penetration testing, we provide the expertise needed to protect and reinforce cloud environments against threats.

For companies looking to enhance their cloud security posture, we offer tailored pentests & audits designed to meet the unique challenges of securing your cloud infrastructure. Learn more about how we can support your cloud security needs at Resonance Security.

In sum, the path to secure AWS S3 storage is multifaceted, demanding a proactive approach to security. With the right techniques and expert support, companies can navigate this landscape confidently, protecting their most valuable digital assets.
