S3Scanner: The Ultimate Open S3 Bucket Discovery Tool for Cloud Security Researchers + Video


Introduction

Misconfigured cloud storage buckets remain one of the most pervasive and dangerous security vulnerabilities in modern cloud infrastructure. From the infamous Capital One breach to countless data leaks exposing millions of customer records, publicly accessible S3 buckets have become a goldmine for attackers and a nightmare for security teams. S3Scanner—an open-source, multi-threaded tool developed by security researcher Dan Salmon—empowers penetration testers, bug hunters, and security engineers to systematically identify and assess misconfigured S3 buckets across AWS, GCP, DigitalOcean, and other S3-compatible storage providers.

Learning Objectives

  • Objective 1: Understand the architecture and capabilities of S3Scanner for detecting publicly exposed cloud storage buckets.
  • Objective 2: Master the installation, configuration, and operational usage of S3Scanner across Linux, Windows, and containerized environments.
  • Objective 3: Learn to interpret S3Scanner’s permission results and integrate findings into vulnerability assessment and remediation workflows.

1. Understanding S3Scanner: Architecture and Core Capabilities

S3Scanner is a Go-based utility designed to scan for misconfigured S3 buckets across multiple cloud providers and S3-compatible APIs. Unlike simple bucket existence checkers, S3Scanner performs comprehensive permission auditing to identify exactly what level of access anonymous users have.

Supported Providers

The tool natively supports seven storage providers:

  • AWS (default)
  • DigitalOcean Spaces
  • DreamHost DreamObjects
  • GCP (Google Cloud Storage)
  • Linode Object Storage
  • Scaleway Object Storage
  • Custom (for any S3-compatible API, including MinIO, Vultr, and on-premises storage)

Permission Scanning

S3Scanner evaluates buckets against five key permission categories:

  • Read – List and view all files in the bucket
  • Write – Upload and modify files in the bucket
  • Read ACP – Read Access Control Policies attached to the bucket
  • Write ACP – Write Access Control Policies to the bucket
  • Full Control – All of the above permissions

Crucially, the tool distinguishes between Authenticated Users (those with AWS credentials) and Public Users (those without credentials). A bucket that allows public read access represents an immediate data exposure risk, while public write access enables ransomware-style attacks.

2. Installation Methods Across Platforms

S3Scanner offers installation options for virtually every major operating system and package manager:

Linux (Debian/Ubuntu/Kali/Parrot)

# Kali Linux and Parrot OS
sudo apt install s3scanner

# BlackArch
sudo pacman -S s3scanner

# NixOS
nix-shell -p s3scanner

macOS

brew install s3scanner

Windows

# Using Windows Package Manager
winget install s3scanner

Docker (Cross-Platform)

docker run ghcr.io/sa7mon/s3scanner

Build from Source

git clone git@github.com:sa7mon/S3Scanner.git
cd S3Scanner
go build -o s3scanner .

3. Basic Usage and Command-Line Flags

S3Scanner requires exactly one input method: a single bucket, a file of bucket names, or a RabbitMQ queue.

Scan a Single Bucket

s3scanner -bucket secret_uploads

Scan Multiple Buckets from a File

# Create a file with one bucket name per line
cat names.txt
bucket123
assets
image-uploads

s3scanner -bucket-file names.txt

Bucket names listed multiple times are deduplicated and scanned only once.

Specify a Cloud Provider

# Scan a bucket in GCP
s3scanner -provider gcp -bucket my-gcp-bucket

# Scan a bucket in DigitalOcean
s3scanner -provider digitalocean -bucket my-do-space

# Scan a bucket in Scaleway
s3scanner -provider scaleway -bucket my-scaleway-bucket

Enumerate Objects

By default, S3Scanner only checks bucket permissions. The `-enumerate` flag enables object listing (can be time-consuming for large buckets):

s3scanner -bucket attachments -enumerate

Note: S3Scanner requests pages of 1,000 objects and skips after 5,000 pages (5 million objects) to prevent DoS.

Adjust Threading

# Increase to 8 concurrent threads for faster scanning
s3scanner -bucket-file names.txt -threads 8

Increasing threads accelerates bucket checks but does not speed up object enumeration, which remains single-threaded per bucket.

4. Advanced Configuration: Config File and Custom Providers

For features like database persistence, RabbitMQ integration, and custom providers, S3Scanner requires a `config.yml` file. The tool searches for this file in three locations:

1. Current directory (`.`)

2. `/etc/s3scanner/`

3. `$HOME/.s3scanner/`

PostgreSQL Database Integration

db:
  uri: "postgresql://user:pass@host:5432/schema_name"

Save results to a database with:

s3scanner -bucket images -db

S3Scanner uses Gorm’s Auto-Migration feature, so it’s recommended to use a dedicated schema.

RabbitMQ Integration for Automated Scanning

mq:
  queue_name: "aws"
  uri: "amqp://user:pass@localhost:5672"

Consume bucket names from a RabbitMQ queue:

s3scanner -mq

Messages must be JSON-encoded `Bucket` objects.

Custom Provider Configuration

Target any S3-compatible API (e.g., Vultr, MinIO, or on-premises storage):

providers:
  custom:
    address_style: "path" # or "vhost"
    endpoint_format: "https://$REGION.vultrobjects.com"
    insecure: false
    regions:
      - "ewr1"
      - "sfo1"

The tool replaces `$REGION` with each listed region to generate endpoint URLs.
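To make the custom-provider settings concrete, here is an added example (written for this article, not S3Scanner's own code) that expands `endpoint_format` for each region and builds the per-bucket URL for both address styles. The config dictionary mirrors the YAML above; the DNS-label check for virtual-host addressing is an assumption based on how vhost-style S3 requests put the bucket name into the hostname.

```python
import re

# Constructed `providers.custom` block, mirroring the YAML shown in this article
# (example code for the article, not S3Scanner's own implementation).
CUSTOM_PROVIDER = {
    "address_style": "path",  # or "vhost"
    "endpoint_format": "https://$REGION.vultrobjects.com",
    "insecure": False,        # passed through to the client; not interpreted here
    "regions": ["ewr1", "sfo1"],
}

# Virtual-host addressing puts the bucket name in the hostname, so it must be a
# valid DNS label: lowercase letters, digits and hyphens. Dots are excluded
# because they break wildcard TLS certificates in vhost mode, and names such as
# "secret_uploads" (used earlier in this article) only work path-style.
DNS_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{1,61}[a-z0-9])?$")


def expand_endpoints(cfg):
    """Substitute $REGION into endpoint_format for every configured region."""
    fmt, regions = cfg["endpoint_format"], cfg["regions"]
    if "$REGION" not in fmt and len(regions) > 1:
        raise ValueError("endpoint_format has no $REGION but lists several regions; "
                         "every region would resolve to the same endpoint")
    return {r: fmt.replace("$REGION", r) for r in regions}


def bucket_url(cfg, region, bucket):
    """Return the URL that requests for `bucket` in `region` would target."""
    endpoint = expand_endpoints(cfg)[region]
    scheme, host = endpoint.split("://", 1)
    style = cfg.get("address_style", "path")
    if style == "path":
        return f"{scheme}://{host}/{bucket}"
    if style == "vhost":
        if not DNS_LABEL.match(bucket):
            raise ValueError(f"{bucket!r} is not usable as a virtual-host label")
        return f"{scheme}://{bucket}.{host}"
    raise ValueError(f"unknown address_style {style!r}")
```

A single-region on-premises endpoint without `$REGION` (for example a MinIO host with one region entry) expands unchanged; the check only rejects a region-less template paired with several regions.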

5. JSON Output and Data Processing

For integration with SIEM tools, automation scripts, or data pipelines, S3Scanner supports JSON output:

s3scanner -bucket-file names.txt -json | jq '.'

Practical jq Examples

List all buckets that exist with their region:

s3scanner -bucket-file names.txt -json | jq -r '. | select(.bucket.exists==1) | [.bucket.name, .bucket.region] | join(" - ")'

Output: `10000 - eu-west-1`

Filter buckets with public read access:

s3scanner -bucket-file names.txt -json | jq 'select(.permissions.public.read==true) | .bucket.name'

Export findings to CSV:

s3scanner -bucket-file names.txt -json | jq -r '[.bucket.name, .bucket.region, .permissions.public.read] | @csv' > findings.csv

6. Development Environment and Debugging

S3Scanner includes a Docker Compose setup for development and debugging:

# Standard development environment
make dev

# Development with mitmproxy for HTTP traffic inspection
make dev-mitm

Access the app container:

docker exec -it -w /app app_dev sh
go run .

When using the `dev-mitm` profile, open `http://127.0.0.1:8081` in a browser to view and manipulate HTTP calls—invaluable for debugging provider integrations or adding new S3-compatible APIs.

7. Interpreting Permission Results and Security Implications

S3Scanner’s permission output requires careful interpretation:

| Permission | Public Risk | Authenticated Risk |
|-|-|-|
| Read | Data exposure (PII, credentials, source code) | Insider threat or compromised credential risk |
| Write | Ransomware, data injection, malware hosting | Data tampering, backdoor insertion |
| Read ACP | Policy enumeration for privilege escalation | Policy reconnaissance |
| Write ACP | Policy manipulation, privilege escalation | Complete access control takeover |
| Full Control | Complete bucket compromise | Complete bucket compromise |

Critical Insight: A bucket that does not allow reading/writing ACLs may still allow reading/writing files. Conversely, ACL listing may be permitted even when file access is denied. Always verify permissions by attempting actual read/write operations during penetration testing.
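The jq one-liners in section 5 and the risk table above can be combined into a small triage step. The following is an added example written for this article, not code from the S3Scanner project: it parses `-json` output line by line, drops non-existent and repeated buckets, and ranks each existing bucket by the table's severity ordering. The sample output is constructed, and the field layout (`.bucket.exists`, `.bucket.name`, `.bucket.region`, `.permissions.public.*`, `.permissions.auth.*`) is assumed from the jq examples rather than taken from the tool's documented schema.

```python
import json

# Constructed sample of `s3scanner -json` output, one JSON object per line.
# The field layout mirrors the jq examples in this article and is an
# assumption, not S3Scanner's documented schema. The repeated "assets"
# line shows that duplicates are reported once.
SAMPLE_OUTPUT = """\
{"bucket": {"name": "assets", "region": "eu-west-1", "exists": 1}, "permissions": {"public": {"read": true, "write": false, "read_acp": false, "write_acp": false, "full_control": false}, "auth": {"read": true, "write": false, "read_acp": false, "write_acp": false, "full_control": false}}}
{"bucket": {"name": "image-uploads", "region": "us-east-1", "exists": 1}, "permissions": {"public": {"read": false, "write": false, "read_acp": false, "write_acp": false, "full_control": false}, "auth": {"read": false, "write": true, "read_acp": true, "write_acp": false, "full_control": false}}}
{"bucket": {"name": "backups", "region": "us-west-2", "exists": 1}, "permissions": {"public": {"read": false, "write": true, "read_acp": false, "write_acp": true, "full_control": false}, "auth": {"read": false, "write": true, "read_acp": false, "write_acp": true, "full_control": false}}}
{"bucket": {"name": "bucket123", "region": "", "exists": 0}, "permissions": {}}
{"bucket": {"name": "assets", "region": "eu-west-1", "exists": 1}, "permissions": {"public": {"read": true, "write": false, "read_acp": false, "write_acp": false, "full_control": false}, "auth": {"read": true, "write": false, "read_acp": false, "write_acp": false, "full_control": false}}}
"""

# Weights follow the interpretation table in section 7: ACL-write and full
# control outrank write and read, which outrank ACL read.
WEIGHT = {"full_control": 4, "write_acp": 4, "write": 3, "read": 3, "read_acp": 2}
LABEL = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "none"}


def triage(ndjson_text):
    """Parse S3Scanner JSON lines; return existing buckets ranked by exposure."""
    findings = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bucket = rec["bucket"]
        if bucket.get("exists") != 1 or bucket["name"] in findings:
            continue  # drop non-existent buckets and repeated names
        perms = rec.get("permissions", {})
        public = sorted(p for p, on in perms.get("public", {}).items() if on)
        auth = sorted(p for p, on in perms.get("auth", {}).items() if on)
        # Public grants count in full; grants limited to authenticated users
        # are downgraded one step (insider / compromised-credential risk).
        score = max([WEIGHT[p] for p in public], default=0)
        if score == 0 and auth:
            score = max(WEIGHT[p] for p in auth) - 1
        findings[bucket["name"]] = {
            "bucket": bucket["name"], "region": bucket["region"],
            "score": score, "severity": LABEL[score],
            "public": public, "auth": auth,
        }
    return sorted(findings.values(), key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f'{f["severity"]:8} {f["bucket"]} ({f["region"]}) public={f["public"]} auth={f["auth"]}')
```

In a real pipeline, feed it `s3scanner -bucket-file names.txt -json` via stdin and push anything rated high or critical to the alerting system described in the takeaways.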

What Undercode Say

  • Key Takeaway 1: Misconfigured cloud storage is consistently among the OWASP Top 10 cloud risks. S3Scanner automates the discovery process, enabling security teams to identify exposures before attackers do. With support for seven major providers and custom endpoints, it’s the most versatile open-source tool in this space.

  • Key Takeaway 2: The tool’s multi-threaded architecture, JSON output, and database/RabbitMQ integration make it suitable for both ad-hoc penetration testing and enterprise-scale continuous monitoring. The ability to pipe JSON output through `jq` allows seamless integration with existing security dashboards and alerting systems.

Analysis: S3Scanner represents a mature, community-vetted solution with over 3,100 GitHub stars and 408 forks. Its September 2024 release (v3.1.1) demonstrates active maintenance. The tool’s primary limitation is that enumeration remains single-threaded per bucket, which can be slow for buckets with millions of objects—a trade-off for API rate limiting and stability. Security practitioners should pair S3Scanner with cloud-native tools like AWS Trusted Advisor and GCP Security Command Center for comprehensive coverage. The custom provider support is particularly valuable for organizations using hybrid or multi-cloud architectures with MinIO or other S3-compatible storage.

Prediction

+1 As multi-cloud adoption accelerates through 2026, S3Scanner’s custom provider functionality will become increasingly critical. Organizations running Kubernetes workloads across AWS, GCP, and on-premises MinIO clusters will standardize on tools like S3Scanner for unified security posture management.

+1 The growing bug bounty ecosystem will drive further development of S3Scanner, with community-contributed provider modules for emerging object storage services. Expect support for Cloudflare R2, Backblaze B2, and Wasabi within the next 12 months.

-1 Attackers are already weaponizing tools like S3Scanner for reconnaissance at scale. The democratization of bucket scanning means defensive teams must adopt proactive monitoring—passive security is no longer sufficient when enumeration tools are freely available.

+1 Integration with CI/CD pipelines will become standard practice. Security teams will implement S3Scanner as a pre-deployment gate, scanning for bucket misconfigurations before infrastructure-as-code changes are applied to production environments.

-1 The rise of AI-generated bucket naming conventions (e.g., model-weights-2026-01-15) may temporarily reduce the effectiveness of dictionary-based bucket name lists. However, S3Scanner’s RabbitMQ integration enables dynamic, event-driven scanning that can adapt to naming patterns.

Reported By: Omar Aljabr – Hackers Feeds