Hacking-the-Cloud / hackingthe.cloud

An encyclopedia for offensive and defensive security knowledge in cloud native technologies.
https://hackingthe.cloud

S3 Enumeration by Account ID Update #396

Open mosesrenegade opened 5 months ago

mosesrenegade commented 5 months ago

I was doing a workshop and needed help figuring out why the s3-account-finder tool was not working. It turns out that new buckets do not work with this Terraform Policy:

# Bucket policy granting anonymous (Principal "*") s3:GetObject on every object
# in the bucket. On its own this was not enough for a newly created bucket.
resource "aws_s3_bucket_policy" "example" {
  bucket = aws_s3_bucket.example.id
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Sid" : "PublicReadGetObject",
          "Effect" : "Allow",
          "Principal" : "*",
          "Action" : "s3:GetObject",
          "Resource" : "arn:aws:s3:::${aws_s3_bucket.example.id}/*"
        }
      ]
    }
  )
}

Instead, I also had to add the ACLs from Amazon that enable READ on the bucket, which in Terraform are expressed like so:

# New buckets have ACLs disabled (BucketOwnerEnforced) by default; switch to
# BucketOwnerPreferred so that a bucket ACL can be applied at all.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Turn off all four Block Public Access settings, which are on by default for
# new buckets; otherwise a public ACL or public bucket policy is rejected or ignored.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

# Apply the canned public-read ACL. Ownership controls and the public access
# block must already be in place, hence the explicit depends_on.
resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "public-read"

  depends_on = [
    aws_s3_bucket_ownership_controls.example,
    aws_s3_bucket_public_access_block.example
  ]
}

This means there is no account enumeration through this method currently without this part of the policy.

Please reference this PR for the change:

https://github.com/Hacking-the-Cloud/hackingthe.cloud/pull/395

Frichetten commented 5 months ago

Thank you for opening a PR for this! I was not aware that this behavior has changed. I need to implement https://github.com/Hacking-the-Cloud/hackingthe.cloud/issues/389 which I think will largely replace this. I have merged the PR you referenced.