S3cret Scannertool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets.- Can be executed as
scheduled taskorOn-Demand
Automation workflow
The automation will perform the following actions:
- List the public buckets in the account (Set with ACL of
Publicorobjects can be public) - List the textual or sensitive files (i.e.
.p12,.pgpand more) - Download, scan (using truffleHog3) and delete the files from disk, once done evaluating, one by one.
- The logs will be created in
logger.logfile.
Prerequisites
- Python 3.6 or above
- TruffleHog3 installed in $PATH
- An AWS role with the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetLifecycleConfiguration",
"s3:GetBucketTagging",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:GetBucketAcl",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
}
]
}- If you’re using a CSV file – make sure to place the file
accounts.csvin thecsvdirectory, in the following format:
Account name,Account id
prod,123456789
ci,321654987
dev,148739578
Getting started
Use pip to install the needed requirements.
Usage
| Argument | Values | Description | Required |
|---|---|---|---|
| -p, –aws_profile | The aws profile name for the access keys | ✓ | |
| -r, –scanner_role | The aws scanner’s role name | ✓ | |
| -m, –method | internal | the scan type | ✓ |
| -l, –last_modified | 1-365 | Number of days to scan since the file was last modified; Default – 1 | ✗ |
Usage Examples
python3 main.py -p secTeam -r secteam-inspect-s3-buckets -l 1
Demo
Contributing
Pull requests and forks are welcome. For major changes, please open an issue first to discuss what you would like to change.
