S3-Account-Search tool lets you find the account id an S3 bucket belongs too.
For this to work you need to have at least one of these permissions:
s3:getObject
).s3:ListBucket
).Additionally, you will need a role that you can assume with (one of) these permissions on the bucket you’re examining
Some more background can be found on the Cloudar Blog
Installation
This package is available on pypi, you can for example use on of these commands (pipx is recommended)
pipx install s3-account-search
pip install s3-account-search
Usage Examples
# with a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# with an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext
# You can also leave out the s3://
s3-account-search arn:aws:iam::123456789012:role/s3_read my-bucket
# Or start from a specified source profile
s3-account-search –profile source_profile arn:aws:iam::123456789012:role/s3_read s3://my-bucket
How This Works
There is an IAM policy condition s3:ResourceAccount
, that is meant to be used to give access to S3 in specified (set of) account(s), but also supports wildcards. By constructing the right patterns, and seeing which ones will lead to a Deny or an Allow, we can determine the account id by discovering it one digit at a time.
0
. If our access is allowed we know that the account id has to start with 0
. If the request is denied, we try again with 1
as the first digit. We keep incrementing until our request is allowed, and we find the first digit8
, we test account ids starting with 80
, 81
, 82
, etc.Development
We use poetry to manage this project
poetry install
poetry shell
(you can also use poetry run $command
)Releasing a new version to pypi
poetry publish --build
Possible Improvements
Instead of checking one digit at a time, we could use a binary search-like algorithm. Eg. the following condition is equivalent to s3:ResourceAccount < 500000000000
“Condition”: {
“StringLike”: {“s3:ResourceAccount”: [
“0“, “1“, “2“, “3“, “4*”,
]},
},
In practice this tool should be fast enough in most cases.
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…
Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…