Instagram Linkedin Twitter Youtube
Search
  • Home
  • Pentesting Tools
  • Vulnerability Analysis
  • Information Gathering
  • Web Application Security
  • Forensics
  • Malware
  • OSINT
Instagram Linkedin Twitter Youtube
Kali Linux Tutorials Kali Linux Tutorials
Advertisement
Kali Linux Tutorials Kali Linux Tutorials
Home Kali Linux S3-Account-Search : S3 Account Search
  • Kali Linux

S3-Account-Search : S3 Account Search

By
R K
-
July 7, 2021
S3-Account-Search : S3 Account Search

S3-Account-Search tool lets you find the account id an S3 bucket belongs too.

For this to work you need to have at least one of these permissions:

  • Permission to download a known file from the bucket (s3:getObject).
  • Permission to list the contents of the bucket (s3:ListBucket).

Additionally, you will need a role that you can assume with (one of) these permissions on the bucket you’re examining

Some more background can be found on the Cloudar Blog

Installation

This package is available on pypi, you can for example use on of these commands (pipx is recommended)

pipx install s3-account-search
pip install s3-account-search

Usage Examples

# with a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# with an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext
# You can also leave out the s3://
s3-account-search arn:aws:iam::123456789012:role/s3_read my-bucket
# Or start from a specified source profile
s3-account-search –profile source_profile arn:aws:iam::123456789012:role/s3_read s3://my-bucket

How This Works

There is an IAM policy condition s3:ResourceAccount, that is meant to be used to give access to S3 in specified (set of) account(s), but also supports wildcards. By constructing the right patterns, and seeing which ones will lead to a Deny or an Allow, we can determine the account id by discovering it one digit at a time.

  1. We verify that we can access the object or bucket with the provided role
  2. We assume the same role again, but this time add a policy that restricts our access to S3 buckets that exist in an account starting with 0. If our access is allowed we know that the account id has to start with 0. If the request is denied, we try again with 1 as the first digit. We keep incrementing until our request is allowed, and we find the first digit
  3. We repeat this process for every digit. Using the already discovered digits as a prefix. E.g. if the first digit was 8, we test account ids starting with 80, 81, 82, etc.

Development

We use poetry to manage this project

  • Clone this repository
  • Run poetry install
  • Activate the virtual environment with poetry shell (you can also use poetry run $command)

Releasing a new version to pypi

  • Edit pyproject.toml to update the version number
  • Commit the version number bump
  • Run poetry publish --build
  • Push to GitHub
  • Create a new release in GitHub

Possible Improvements

Instead of checking one digit at a time, we could use a binary search-like algorithm. Eg. the following condition is equivalent to s3:ResourceAccount < 500000000000

“Condition”: {
“StringLike”: {“s3:ResourceAccount”: [
“0“, “1“, “2“, “3“, “4*”,
]},
},

  • Similarly, there is a speed improvement possible by checking multiple digits per position in parallel (There is a small risk of being rate limited by STS when using this approach)

In practice this tool should be fast enough in most cases.

Download

Related

  • TAGS
  • S3-Account-Search
Facebook
Twitter
Pinterest
WhatsApp
    Previous articleWAF-A-MoLE : A Guided Mutation-Based Fuzzer For ML-based Web Application Firewalls
    Next articleForblaze : A Python Mac Steganography Payload Generator
    R K
    R K

    RELATED ARTICLESMORE FROM AUTHOR

    file command
    Kali Linux

     The file Command – Quickly Identify File Contents in Linux

    touch command
    Kali Linux

    How to Use the touch Command in Linux

    find command
    Kali Linux

    How to Search Files and Folders in Linux Using the find Command

    MCP

    Understanding the Model Context Protocol (MCP) and How It Works

    0xSnow - October 1, 2025 0
    Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open standard that enables AI applications, such as large language models,...
    file command

     The file Command – Quickly Identify File Contents in Linux

    0xSnow - October 1, 2025 0
    While file extensions in Linux are optional and often misleading, the file command helps decode what a file truly is. This powerful utility analyzes the actual...
    touch command

    How to Use the touch Command in Linux

    0xSnow - October 1, 2025 0
    The touch command is one of the quickest ways to create new empty files or update timestamps for existing files in Linux. It’s widely used by...
    find command

    How to Search Files and Folders in Linux Using the find Command

    0xSnow - October 1, 2025 0
    Handling large numbers of files is routine for Linux users, and that’s where the find command shines. It’s a dynamic tool that helps you search for...
    mv command

    How to Move and Rename Files in Linux with the mv Command

    0xSnow - October 1, 2025 0
    Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy to relocate or rename items without hassle. Whether organizing...
    KALI LINUX TUTORIALS
    Contact us: admin@kalilinuxtutorials.com
    Instagram Linkedin Twitter Youtube

    EVEN MORE NEWS

    MCP

    Understanding the Model Context Protocol (MCP) and How It Works

    October 1, 2025
    file command

     The file Command – Quickly Identify File Contents in Linux

    October 1, 2025
    touch command

    How to Use the touch Command in Linux

    October 1, 2025

    POPULAR CATEGORY

    • Kali Linux2943
    • Cyber security912
    • Hacking Tools300
    • Pentesting Tools197
    • Exploitation Tools144
    • TECH135
    • Vulnerability Analysis116
    • Privacy Policy
    • About
    • Contact US
    © Kalilinuxtutorials.com 2025
    MORE STORIES

    WdToggle : Direct System Calls To Enable WDigest Credential Caching

    March 7, 2021
    cd command

    cd Command in Linux

    September 19, 2025

    Jsleak : A Go Code To Detect Leaks In JS Files...

    August 31, 2021