AMA: Identify S3 Buckets Open to Cross-Account Attacks


AMA is an ongoing series published each Thursday, highlighting questions the community has asked in our support and how-to channels on Slack. If you haven't already done so, please join us on Slack 

"We have been asked to identify any of our S3 buckets that are exploitable by the resource policy trusting the AWS service blindly and not checking for the source account as described in this article.

"I found buckets that trust CloudTrail, but haven’t been able to decipher the next part of the query to find them if they don’t have the conditional on it. I have had no luck in the serverless realm of this page.

"Is there anyone at J1 that can comment on this and provide some direction?"

--Question from Adam on the J1 Community Slack


Answer from J1 Team

Here is a query that looks for bucket policy permissions to the 3 named services without the conditions restricting it to the same account as the bucket itself.

Find aws_s3_bucket as bucket
that allows Service
with name = ('serverlessrepo' or 'cloudtrail' or 'config')
allows.conditions = undefined or (
allows.conditions !~= 'aws:SourceAccount' and
allows.conditions !~= bucket.accountId

Thanks to Adam for prompting me to write this query.

Articles in this Series

  1. AMA: JupiterOne and PagerDuty WebHooks
  2. AMA: Export YAML Files for Vendors Pulled from SSO Providers
  3. AMA: Map Controls and Frameworks Relationships
  4. AMA: How to Track Professional Associations, Security Forums, and Threat Intel Sources
  5. AMA: Find AWS Instances by their Private IP Address
  6. AMA: SSO Integrated Authentication, Move to Another Role
  7. AMA: send-mail action to map two properties
  8. AMA: Setup the Policy Accept Button
  9. AMA: Match a blank field in J1QL
  10. AMA: Track and Alert Using Firewall Rules Matrix
  11. AMA: AWS Roles not used for 90 days, and date related queries
  12. AMA: Manage Alerts for Jira through J1 Terraform Provider
  13. AMA: Filter Results from Specific AWS Accounts
  14. AMA: Iterate and return total count of iam users per account
  15. AMA: Search for security groups by tag
  16. AMA: Identify S3 Buckets Open to Cross-Account Attacks

Resources for this AMA


Posted By JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.

To hear more from the JupiterOne Team, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.



You can manage alerts from Jira in the J1 platform

There are 7 properties that can be included

Other properties can be passed directly to the JIRA API

cyber-security 1

Ad Title Placeholder

Lorem ipsum dolor sit amet, consectetur adipiscing elit.