
bug: only anonymous permissions checked properly

Open sa7mon opened this issue 1 year ago • 2 comments

Bug

The default AWS credentials file ~/.aws/credentials is not being read, thus only checks for anonymous permissions are being made. AuthUsers in the output will likely always be [] - meaning "no permissions". This can be a false negative.

Reproduction

  • Create a bucket in AWS S3 with no READ permissions (except implicit permission to the owner)
  • Configure credentials with aws configure
  • Run s3scanner -bucket your-bucket-here
  • Observe the output INFO exists | your-bucket-here | us-east-1 | AuthUsers: [] | AllUsers: []

Expected output

INFO exists | s3scanner-private | us-east-1 | AuthUsers: [READ, READACP] | AllUsers: []

Thank you to Twitter user @thaivd98 for reporting this.

sa7mon, Jun 14 '24 02:06
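
An added example, not part of the issue or of S3Scanner's code: a Go parser for the result lines quoted above that flags any result with an empty AuthUsers list for re-checking, since under this bug such a result may be a false negative. The five-field " | " layout is an assumption inferred from the two sample lines in the issue; Result, ParseLine and NeedsRecheck are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Result is one parsed line; the layout is assumed from the issue's two samples.
type Result struct {
	Bucket, Region      string
	AuthUsers, AllUsers []string
}

// parsePerms turns "AuthUsers: [READ, READACP]" into {"READ", "READACP"}.
func parsePerms(field, label string) ([]string, bool) {
	field = strings.TrimSpace(field)
	prefix := label + ": ["
	if !strings.HasPrefix(field, prefix) || !strings.HasSuffix(field, "]") {
		return nil, false
	}
	perms := []string{}
	for _, p := range strings.Split(field[len(prefix):len(field)-1], ",") {
		if p = strings.TrimSpace(p); p != "" {
			perms = append(perms, p)
		}
	}
	return perms, true
}

// ParseLine parses one "exists" result line; when ok is false, ignore the Result.
func ParseLine(line string) (Result, bool) {
	f := strings.Split(strings.TrimSpace(line), " | ")
	if len(f) != 5 || !strings.HasSuffix(f[0], "exists") {
		return Result{}, false
	}
	auth, okAuth := parsePerms(f[3], "AuthUsers")
	all, okAll := parsePerms(f[4], "AllUsers")
	return Result{strings.TrimSpace(f[1]), strings.TrimSpace(f[2]), auth, all}, okAuth && okAll
}

// NeedsRecheck flags an empty AuthUsers list, which this bug can produce falsely.
func NeedsRecheck(r Result) bool { return len(r.AuthUsers) == 0 }

func main() {
	line := "INFO exists | your-bucket-here | us-east-1 | AuthUsers: [] | AllUsers: []" // quoted from the issue
	r, ok := ParseLine(line)
	fmt.Println(r.Bucket, ok, NeedsRecheck(r))
}
```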