AWS Pentesting: Identify the AWS Account ID from a Public S3 Bucket
This blog is the first in a series on AWS pentesting blogs, where I’ll use the Pwnlabs platform for hands-on labs to support continuous learning.
By simply knowing the public S3 bucket name, it is possible to get the AWS account ID of the target organization. Armed with the AWS account ID, you can then hunt for possibly exposed EBS or RDS snapshots in the AWS Management Console.
Run the common network scans on the IP provided. You may use Masscan, Nmap or Naabu.
The scanners show that port 80 is open. Let's browse the web site.
Viewing the page source shows that the site is using an AWS S3 bucket named “mega-big-tech”.
We can then use the s3-account-search tool to look up the AWS account ID of the organization that owns this bucket.
This tool creates a policy that uses the s3:ResourceAccount policy condition key, which decides whether to grant a user access to an S3 bucket based on the AWS account the bucket belongs to.
python3 -m pip install s3-account-search
s3-account-search
We need a user with a role it can assume in order to use this tool. In a real-world engagement, we would create our own user with a role it can assume. For the purpose of this lab, Pwnlabs provided us with a user, and the role that we can assume is already configured.
arn:aws:iam::427648302155:role/LeakyBucket is the ARN of the role that can be assumed.
s3-account-search --profile rootaddict arn:aws:iam::427648302155:role/LeakyBucket mega-big-tech
This output shows the AWS account ID 107513503799. We can use this information to find public resources that the target organization might have accidentally exposed, such as public EBS and RDS snapshots.
Since public snapshots are accessible to all users only within the region where the snapshot was made, let's check the AWS region where the S3 bucket was created. If the S3 bucket was created in a particular region, it is likely that other resources will also be available there.
To find the S3 bucket region, we can check the HTTP response.
In the response headers, we see that the x-amz-bucket-region header is set to us-east-1. Log into the console in your own personal AWS account and make sure that the same region is selected.
Select the EC2 service, then Snapshots. Filter the public snapshots by the recently uncovered AWS account number.
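As an added example from the defender's side (not code from the lab or from the s3-account-search tool): a boto3 script that audits your own account, in a chosen region, for EBS and RDS snapshots shared with "all", which is exactly the exposure the console filter above is hunting for. The boto3 wiring and the region argument are assumptions; the two classification helpers take the raw API response shapes so they can be checked on constructed data.

```python
"""Audit one region of your own AWS account for publicly shared snapshots.

The boto3 calls are assumed wiring for a real account; the helpers below
only look at the response shapes, so they run offline on constructed input.
"""
from typing import Iterable


def ebs_snapshot_is_public(create_volume_permissions: Iterable[dict]) -> bool:
    """True when an EBS snapshot's createVolumePermission contains Group 'all'."""
    return any(perm.get("Group") == "all" for perm in create_volume_permissions)


def rds_snapshot_is_public(attributes: Iterable[dict]) -> bool:
    """True when an RDS snapshot's 'restore' attribute lists the value 'all'."""
    for attr in attributes:
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def find_public_ebs_snapshots(region: str) -> list[str]:
    """Return IDs of EBS snapshots owned by this account that anyone can copy."""
    import boto3  # imported here so the pure helpers above stay usable offline
    ec2 = boto3.client("ec2", region_name=region)
    public = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            if ebs_snapshot_is_public(attr["CreateVolumePermissions"]):
                public.append(snap["SnapshotId"])
    return public


def find_public_rds_snapshots(region: str) -> list[str]:
    """Return identifiers of manual RDS snapshots in this account restorable by anyone."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    public = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            ident = snap["DBSnapshotIdentifier"]
            result = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=ident)
            if rds_snapshot_is_public(result["DBSnapshotAttributesResult"]["DBSnapshotAttributes"]):
                public.append(ident)
    return public


if __name__ == "__main__":
    # us-east-1 is the region the bucket header above pointed at; change as needed.
    print("public EBS snapshots:", find_public_ebs_snapshots("us-east-1"))
    print("public RDS snapshots:", find_public_rds_snapshots("us-east-1"))
```

Run it under credentials for the account being audited; an empty list for both calls means nothing in that region is currently discoverable by the filter described above.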
References:
https://pwnedlabs.io/
https://hackingthe.cloud/aws/enumeration/account_id_from_s3_bucket/