AMA: Identify S3 Buckets Open to Cross-Account Attacks

Tony
Tony mod
edited February 8 in Security Operations

"We have been asked to identify any of our S3 buckets that are exploitable by the resource policy trusting the AWS service blindly and not checking for the source account as described in this article.

"I found buckets that trust CloudTrail, but haven’t been able to decipher the next part of the query to find them if they don’t have the conditional on it. I have had no luck in the serverless realm of this page.

"Is there anyone at J1 that can comment on this and provide some direction?" - Adam

Comments

  • Here is a query that looks for bucket policy permissions to the 3 named services without the conditions restricting it to the same account as the bucket itself.

    Find aws_s3_bucket as bucket
    that allows Service
    with name = ('serverlessrepo' or 'cloudtrail' or 'config')
    where
    allows.conditions = undefined or (
    allows.conditions !~= 'aws:SourceAccount' and
    allows.conditions !~= bucket.accountId
    )

    Thanks to Adam for prompting me to write this query. -- JupiterOne Team

    View the original article on the JupiterOne blog.