AMA: Identify S3 Buckets Open to Cross-Account Attacks

Tony mod
edited February 2022 in Security Operations

"We have been asked to identify any of our S3 buckets that are exploitable by the resource policy trusting the AWS service blindly and not checking for the source account as described in this article.

"I found buckets that trust CloudTrail, but haven’t been able to decipher the next part of the query to find them if they don’t have the conditional on it. I have had no luck in the serverless realm of this page.

"Is there anyone at J1 that can comment on this and provide some direction?" - Adam


  • Here is a query that looks for bucket policy permissions to the 3 named services without the conditions restricting it to the same account as the bucket itself.

    Find aws_s3_bucket as bucket
    that allows Service
    with name = ('serverlessrepo' or 'cloudtrail' or 'config')
    allows.conditions = undefined or (
    allows.conditions !~= 'aws:SourceAccount' and
    allows.conditions !~= bucket.accountId

    Thanks to Adam for prompting me to write this query. -- JupiterOne Team

    View the original article on the JupiterOne blog. 

This Month's Leaders