AMA: Identify S3 Buckets Open to Cross-Account Attacks
Tony
mod
"We have been asked to identify any of our S3 buckets that are exploitable by the resource policy trusting the AWS service blindly and not checking for the source account as described in this article.
"I found buckets that trust CloudTrail, but haven’t been able to decipher the next part of the query to find them if they don’t have the conditional on it. I have had no luck in the serverless realm of this page.
"Is there anyone at J1 that can comment on this and provide some direction?" - Adam
Comments
Here is a query that looks for bucket policy permissions to the 3 named services without the conditions restricting it to the same account as the bucket itself.
Find aws_s3_bucket as bucket
that allows Service
with name = ('serverlessrepo' or 'cloudtrail' or 'config')
where
allows.conditions = undefined or (
allows.conditions !~= 'aws:SourceAccount' and
allows.conditions !~= bucket.accountId
)

Thanks to Adam for prompting me to write this query. -- JupiterOne Team
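The J1QL query above works on what JupiterOne has already ingested. The same "confused deputy" check can be applied directly to a bucket policy document, for example against the output of an S3 get-bucket-policy call. The following is an added example written for this page, not JupiterOne's code and not Adam's query: it walks each Allow statement, looks for the three service principals the query names (cloudtrail, config, serverlessrepo), and flags the statement when there is no Condition, no aws:SourceAccount key, or an aws:SourceAccount that is not the bucket's own account. It goes slightly beyond the query in also treating an aws:SourceArn that embeds the bucket's account ID as adequate scoping, since that is the other key AWS documents for this purpose. The function names, the account ID and the three sample policies are all constructed for the demo.

```python
import json

# Service principals that the forum query watches for (cloudtrail, config, serverlessrepo).
WATCHED_SERVICES = {
    "cloudtrail.amazonaws.com",
    "config.amazonaws.com",
    "serverlessrepo.amazonaws.com",
}


def _as_list(value):
    """Policy JSON allows a scalar or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _watched_service_principals(principal):
    """Return the watched service principals named in a statement's Principal element."""
    if not isinstance(principal, dict):
        return []  # "*" or a plain string principal is not a service principal
    return [p for p in _as_list(principal.get("Service")) if p in WATCHED_SERVICES]


def _condition_values(condition, key):
    """Collect every value bound to `key` across all condition operators (key match is case-insensitive)."""
    values = []
    for operator_block in (condition or {}).values():
        if not isinstance(operator_block, dict):
            continue
        for cond_key, cond_val in operator_block.items():
            if cond_key.lower() == key.lower():
                values.extend(str(v) for v in _as_list(cond_val))
    return values


def find_unscoped_service_grants(bucket_name, bucket_account_id, policy_document):
    """Return one finding per Allow statement that grants a watched service principal
    access without pinning the source account to the bucket's own account.

    Mirrors the forum query: missing Condition, missing aws:SourceAccount, or an
    aws:SourceAccount that is not the bucket's account. As an assumption beyond the
    post, an aws:SourceArn carrying the bucket's account ID also counts as scoped.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        services = _watched_service_principals(stmt.get("Principal"))
        if not services:
            continue
        condition = stmt.get("Condition")
        source_accounts = _condition_values(condition, "aws:SourceAccount")
        source_arns = _condition_values(condition, "aws:SourceArn")
        # The account ID is the fifth colon-separated field of an ARN.
        scoped = bucket_account_id in source_accounts or any(
            f":{bucket_account_id}:" in arn for arn in source_arns
        )
        if not scoped:
            findings.append({
                "bucket": bucket_name,
                "sid": stmt.get("Sid"),
                "services": services,
                "actions": _as_list(stmt.get("Action")),
                "reason": "no Condition on statement" if not condition
                          else "source account not pinned to bucket account",
            })
    return findings


# Constructed sample policies for the demo; the account ID and bucket name are made up.
ACCOUNT_ID = "111122223333"

OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSCloudTrailWrite",
        "Effect": "Allow",
        "Principal": {"Service": "cloudtrail.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-logs/AWSLogs/*",
    }],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-logs/AWSLogs/*",
            "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID}},
        },
        {
            # An IAM principal from another account is not a service grant, so it is not in scope here.
            "Sid": "PartnerRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-logs/*",
        },
    ],
}

FOREIGN_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ConfigWrite",
        "Effect": "Allow",
        "Principal": {"Service": ["config.amazonaws.com"]},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-logs/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": "999999999999"}},
    },
}


if __name__ == "__main__":
    for label, policy in [("open", OPEN_POLICY), ("scoped", SCOPED_POLICY), ("foreign", FOREIGN_ACCOUNT_POLICY)]:
        print(label, json.dumps(find_unscoped_service_grants("example-logs", ACCOUNT_ID, policy)))
```

The third sample matters in practice: a policy can carry an aws:SourceAccount condition and still be wrong if the value is some other account, which is why the query compares the condition against bucket.accountId rather than just checking that the key exists.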