
S3crets Scanner: An Open-source Tool Scans AWS S3 Buckets for Secrets

S3crets Scanner, a new open-source tool, allows researchers to search for confidential information mistakenly stored in Amazon AWS S3 storage buckets.

Amazon S3 (Simple Storage Service) is used by companies to store data, services, and software in buckets. However, many companies fail to properly secure their S3 buckets, which has caused data breaches and cyberattacks in the past.
 

Data at risk

  • Employee or customer information, backups, and other types of data might be accessible to threat actors.
  • A variety of information can be stored in and read from S3 buckets, such as authentication keys, access tokens, and API keys, in addition to application data and source code.
  • If threat actors obtain such credentials, they can gain access to major services or even the company's corporate network.

Scanning S3 for mining secrets

  • During an exercise, security researcher Eilon Harel realized that no automated tools were available to scan for accidental data leaks in S3. As a result, he wrote a Python tool named S3crets Scanner.
  • It performs operations such as using a CSPM to obtain a list of public buckets, listing bucket contents via API queries, checking for exposed textual files, downloading the relevant textual files, scanning their content for secrets, and forwarding the results to a SIEM.
 

Additional info

  • The scanner only lists S3 buckets whose BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, and RestrictPublicBuckets settings (the S3 Block Public Access configuration) are all set to False.
  • Any buckets that were intended to be public are filtered out of that list before the textual files are downloaded.
  • To check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets, the script uses Trufflehog3, an improved version of the TruffleHog secrets scanner.
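As an added example that is not the S3crets Scanner's own code: the bucket selection described above, implemented with boto3 against the S3 GetPublicAccessBlock API, including the "no configuration at all" case and an allowlist for buckets that are meant to be public (the `intended_public` parameter and the bucket names are assumptions).

```python
# Added example (not the S3crets Scanner code): pick out buckets whose S3
# Block Public Access settings are all False, the filter the article
# describes, and drop buckets that are intentionally public.
# boto3 is imported only in main(), so the helpers run offline.
from typing import Iterable, Optional

# The four S3 Block Public Access settings named in the article.
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def public_access_unblocked(config: Optional[dict]) -> bool:
    """True when none of the four settings blocks public access.

    `config` is the PublicAccessBlockConfiguration dict returned by the S3
    API, or None when the bucket has no configuration at all (the API
    reports that as NoSuchPublicAccessBlockConfiguration), which is the
    same as every setting being False.
    """
    if config is None:
        return True
    return not any(config.get(key, False) for key in PAB_KEYS)


def bucket_configs(s3_client, names: Iterable[str]):
    """Yield (bucket, config-or-None) pairs from a boto3 S3 client.

    get_public_access_block raises NoSuchPublicAccessBlockConfiguration
    when the bucket has never had the setting applied.
    """
    for name in names:
        try:
            resp = s3_client.get_public_access_block(Bucket=name)
            yield name, resp["PublicAccessBlockConfiguration"]
        except s3_client.exceptions.NoSuchPublicAccessBlockConfiguration:
            yield name, None


def candidate_buckets(pairs, intended_public=()) -> list:
    """Buckets worth scanning for secrets: all four settings off, minus an
    allowlist of buckets that are meant to be public (assumed mechanism)."""
    skip = set(intended_public)
    return sorted(name for name, cfg in pairs
                  if name not in skip and public_access_unblocked(cfg))


if __name__ == "__main__":
    import boto3  # only needed for a live run against an AWS account
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    for bucket in candidate_buckets(bucket_configs(s3, names),
                                    intended_public={"my-public-site"}):
        print("review:", bucket)
```

Note that an account-level Block Public Access setting (the S3 Control API) can override the bucket-level values, so a bucket flagged here is a candidate for review rather than proof of exposure.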
 

Conclusion

Companies go to great lengths to keep confidential information safe when under threat. S3crets Scanner can help them minimize data leaks by scanning their assets periodically: in addition to scanning publicly accessible buckets, the tool can notify owners of exposed secrets before threat actors find them.
Cyware Publisher
