sa7mon / S3Scanner

Scan for misconfigured S3 buckets across S3-compatible APIs!
MIT License

bug: only anonymous permissions checked properly #328

Open sa7mon opened 2 months ago

sa7mon commented 2 months ago

Bug

The default AWS credentials file ~/.aws/credentials is not being read, thus only checks for anonymous permissions are being made. AuthUsers in the output will likely always be [] - meaning "no permissions". This can be a false negative.

Reproduction

Expected output

INFO exists | s3scanner-private | us-east-1 | AuthUsers: [READ, READACP] | AllUsers: []

Thank you to Twitter user @thaivd98 for reporting this.

thaivd98 commented 2 months ago

Thanks bro :D, hope it will be fixed soon 🤪

sa7mon commented 3 weeks ago

Notes

https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/auth/#identityresolver
https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws#AnonymousCredentials
https://github.com/aws/aws-sdk-go-v2/blob/main/aws/credentials.go#L119
https://stackoverflow.com/questions/72452261/changing-the-default-authentication-methods-in-the-aws-go-sdk-v2
https://github.com/aws/aws-sdk-go-v2/blob/aa796dc315dececa534dce6a2df7cd303307a0aa/config/env_config.go#L20
https://sourcegraph.com/github.com/aws/aws-sdk-go-v2@main/-/blob/internal/shareddefaults/shared_config.go?L16:6-16:31#tab=references
https://github.dev/aws/aws-sdk-go-v2/blob/aa796dc315dececa534dce6a2df7cd303307a0aa/internal/shareddefaults/shared_config.go#L14
https://github.com/aws/aws-sdk-go-v2/blob/main/config/shared_config.go

https://news.ycombinator.com/item?id=40531301
https://news.ycombinator.com/item?id=40533318
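The notes above point at the SDK's environment and shared-config loaders. The following is an added example, not S3Scanner's code and not the aws-sdk-go-v2 implementation: a stripped-down model of the order in which the SDK's default chain finds static credentials (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY in the environment first, then the profile named by AWS_PROFILE in the file named by AWS_SHARED_CREDENTIALS_FILE or ~/.aws/credentials), and of the scan decision that depends on it. Session tokens, the config file, SSO, web identity and instance metadata are deliberately left out. The names ResolveCredentials, PlanScan, ScanPlan and the "Source" labels are illustrative and assumed for this example. The point it makes concrete is the one in the bug report: if the client is always built with anonymous credentials, the AuthUsers branch is never taken and the output is a false negative even when the user has a valid credentials file.

```go
// Added example (not S3Scanner's code, not the SDK's): a simplified model of
// aws-sdk-go-v2's static credential resolution order and what an S3 ACL scan
// can and cannot check with the result.
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Credentials is the resolved identity. Source is illustrative: "env",
// "shared-file" or "anonymous".
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	Source          string
}

// Anonymous is true when no key pair was found, i.e. only unsigned requests
// (the AllUsers grantee) can be exercised.
func (c Credentials) Anonymous() bool { return c.AccessKeyID == "" }

// parseSharedCredentials reads the INI-style credentials file and returns the
// key pair of one profile. The SDK's own parser accepts more syntax than this.
func parseSharedCredentials(path, profile string) (Credentials, error) {
	f, err := os.Open(path)
	if err != nil {
		return Credentials{}, err
	}
	defer f.Close()
	var section string
	var creds Credentials
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		if section != profile {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch strings.ToLower(strings.TrimSpace(kv[0])) {
		case "aws_access_key_id":
			creds.AccessKeyID = strings.TrimSpace(kv[1])
		case "aws_secret_access_key":
			creds.SecretAccessKey = strings.TrimSpace(kv[1])
		}
	}
	if err := sc.Err(); err != nil {
		return Credentials{}, err
	}
	if creds.AccessKeyID == "" || creds.SecretAccessKey == "" {
		return Credentials{}, fmt.Errorf("profile %q missing or incomplete in %s", profile, path)
	}
	creds.Source = "shared-file"
	return creds, nil
}

// ResolveCredentials applies the order the default chain uses for static keys:
// environment variables, then the shared credentials file. Anything it cannot
// resolve falls back to anonymous. getenv is injected so it can be tested
// without touching the real environment.
func ResolveCredentials(getenv func(string) string, home string) Credentials {
	id, secret := getenv("AWS_ACCESS_KEY_ID"), getenv("AWS_SECRET_ACCESS_KEY")
	if id != "" && secret != "" {
		return Credentials{AccessKeyID: id, SecretAccessKey: secret, Source: "env"}
	}
	path := getenv("AWS_SHARED_CREDENTIALS_FILE")
	if path == "" {
		path = filepath.Join(home, ".aws", "credentials")
	}
	profile := getenv("AWS_PROFILE")
	if profile == "" {
		profile = "default"
	}
	if creds, err := parseSharedCredentials(path, profile); err == nil {
		return creds
	}
	return Credentials{Source: "anonymous"}
}

// ScanPlan records which grantee checks a scan can really perform. Forcing the
// anonymous identity (the bug reported above) is equivalent to CheckAuthUsers
// always being false, so AuthUsers is reported as [] regardless of the ACL.
type ScanPlan struct {
	CheckAllUsers  bool
	CheckAuthUsers bool
}

func PlanScan(c Credentials) ScanPlan {
	return ScanPlan{CheckAllUsers: true, CheckAuthUsers: !c.Anonymous()}
}

func main() {
	home, _ := os.UserHomeDir()
	creds := ResolveCredentials(os.Getenv, home)
	plan := PlanScan(creds)
	fmt.Printf("source=%s anonymous=%v -> AllUsers check=%v AuthUsers check=%v\n",
		creds.Source, creds.Anonymous(), plan.CheckAllUsers, plan.CheckAuthUsers)
}
```

Run it with and without a ~/.aws/credentials file (or with AWS_SHARED_CREDENTIALS_FILE pointing elsewhere) to see the plan flip between the two branches; a scanner that skips ResolveCredentials and hard-codes the anonymous identity can only ever print the second line.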