S3cret Scanner
tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting secrets in public S3 buckets.- Can be executed as
scheduled task
orOn-Demand
Automation workflow
The automation will perform the following actions:
- List the public buckets in the account (Set with ACL of
Public
orobjects can be public
) - List the textual or sensitive files (i.e.
.p12
,.pgp
and more) - Download, scan (using truffleHog3) and delete the files from disk, once done evaluating, one by one.
- The logs will be created in
logger.log
file.
Prerequisites
- Python 3.6 or above
- TruffleHog3 installed in $PATH
- An AWS role with the following permissions:
{ “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “VisualEditor0”, “Effect”: “Allow”, “Action”: [ “s3:GetLifecycleConfiguration”, “s3:GetBucketTagging”, “s3:ListBucket”, “s3:GetAccelerateConfiguration”, “s3:GetBucketPolicy”, “s3:GetBucketPublicAccessBlock”, “s3:GetBucketPolicyStatus”, “s3:GetBucketAcl”, “s3:GetBucketLocation” ], “Resource”: “arn:aws:s3:::" }, { “Sid”: “VisualEditor1”, “Effect”: “Allow”, “Action”: “s3:ListAllMyBuckets”, “Resource”: "” } ] }
- If you’re using a CSV file - make sure to place the file
accounts.csv
in thecsv
directory, in the following format:
Account name,Account id
prod,123456789
ci,321654987
dev,148739578
Getting started
Use pip to install the needed requirements.
Clone the repo git clone # Install requirements pip3 install -r requirements.txt # Install trufflehog3 pip3 install trufflehog3
Usage
Argument | Values | Description | Required |
---|---|---|---|
-p, --aws_profile | The aws profile name for the access keys | âś“ | |
-r, --scanner_role | The aws scanner’s role name | ✓ | |
-m, --method | internal | the scan type | âś“ |
-l, --last_modified | 1-365 | Number of days to scan since the file was last modified; Default - 1 | âś— |
Usage Examples
python3 main.py -p secTeam -r secteam-inspect-s3-buckets -l 1
Demo
References
Contributing
Pull requests and forks are welcome. For major changes, please open an issue first to discuss what you would like to change.