Video: Internal S3 Buckets Exposed to the Public

January 21, 2021 | IN AWS, Blog, Query, Video | BY Akash Ganapathi

This is one in a series of short, simple J1 queries that will help you interrogate your AWS environments. The JupiterOne platform used to run these queries is free.

In this J1 Query Example, we’re going to see how to find S3 buckets that are exposed to the public but have not been classified as public, and whose Block Public Access settings (ignorePublicAcls, restrictPublicBuckets) would not neutralize a public ACL. For each bucket found, the results also show the ACL grant that makes it public: the permission granted, the grantee type and the grantee URI.

Cut-and-Paste Query

Here’s the query you can cut and paste into your J1 instance. Watch JupiterOne technical expert Akash Ganapathi walk through the example query and then display the results in real time. If you find this useful, give us some contact info at the bottom of this page and we’ll send you twice-monthly updates as we continue to explore various environments with JupiterOne. You’ll also receive a personal invitation to a hands-on J1 Query Workshop in March.

FIND aws_s3_bucket
   WITH classification != 'public' AND
      ignorePublicAcls != true AND
      restrictPublicBuckets != true
   AS bucket
   THAT ALLOWS AS grant everyone
   RETURN bucket.displayName, bucket.tag.AccountName, bucket.classification,
      grant.permission, grant.granteeType, grant.granteeURI


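As an added example (it is not from the original post and is not JupiterOne or AWS code), the following standalone Python applies the same three conditions as the query above to data shaped like boto3’s get_bucket_acl and get_public_access_block responses: the bucket is not classified public, Block Public Access does not neutralize public ACLs, and the ACL grants to the AllUsers or AuthenticatedUsers group. The bucket names, account names and the Classification tag key are constructed assumptions; the two group grantee URIs are the real AWS values.

```python
"""Offline version of the J1QL check above, applied to boto3-shaped data.

Added example, not JupiterOne's or AWS's code.  Each Bucket carries data in the
shape of boto3's get_bucket_acl()["Grants"] and
get_public_access_block()["PublicAccessBlockConfiguration"]; the "Classification"
tag key, bucket names and account names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Grantee URIs AWS uses in bucket ACLs for "anyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTHENTICATED_USERS}


@dataclass
class Bucket:
    name: str
    account_name: str
    tags: Dict[str, str]
    grants: List[dict]                          # get_bucket_acl()["Grants"]
    public_access_block: Optional[dict] = None  # None: no block configured at all


def public_acl_grants(bucket: Bucket) -> List[dict]:
    """ACL grants to the AllUsers or AuthenticatedUsers group (J1: ALLOWS everyone)."""
    return [
        g for g in bucket.grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS
    ]


def acl_exposure_blocked(bucket: Bucket) -> bool:
    """True when Block Public Access makes a public ACL ineffective, i.e. the
    bucket would fail the query's ignorePublicAcls/restrictPublicBuckets test."""
    cfg = bucket.public_access_block or {}
    return bool(cfg.get("IgnorePublicAcls")) or bool(cfg.get("RestrictPublicBuckets"))


def find_unintended_public_buckets(buckets: List[Bucket]) -> List[dict]:
    """One row per public grant on a bucket not classified 'public' and not
    protected by Block Public Access; columns mirror the query's RETURN list.
    A missing Classification tag is treated as 'not public' (an assumption;
    the J1 classification property is normalised by the platform)."""
    rows = []
    for b in buckets:
        classification = b.tags.get("Classification", "").lower() or None
        if classification == "public" or acl_exposure_blocked(b):
            continue
        for g in public_acl_grants(b):
            rows.append({
                "displayName": b.name,
                "AccountName": b.account_name,
                "classification": classification,
                "permission": g["Permission"],
                "granteeType": g["Grantee"]["Type"],
                "granteeURI": g["Grantee"]["URI"],
            })
    return rows


def _group_grant(uri: str, permission: str) -> dict:
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64},
               "Permission": "FULL_CONTROL"}

# Constructed sample inventory (not real buckets or accounts).
SAMPLE_BUCKETS = [
    # Intentionally public website bucket: classified public, so not a finding.
    Bucket("marketing-site", "prod", {"Classification": "public"},
           [OWNER_GRANT, _group_grant(ALL_USERS, "READ")]),
    # Confidential data, world-readable ACL, no Block Public Access: finding.
    Bucket("customer-exports", "prod", {"Classification": "confidential"},
           [OWNER_GRANT, _group_grant(ALL_USERS, "READ")],
           {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}),
    # Public grant present, but IgnorePublicAcls neutralises it: not a finding.
    Bucket("legacy-logs", "dev", {},
           [OWNER_GRANT, _group_grant(AUTHENTICATED_USERS, "READ")],
           {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}),
    # Private bucket, owner-only ACL: not a finding.
    Bucket("backups", "prod", {"Classification": "internal"}, [OWNER_GRANT]),
]

if __name__ == "__main__":
    for row in find_unintended_public_buckets(SAMPLE_BUCKETS):
        print(row)
```

Like the query, this only looks at ACL grants (grant.permission, grant.granteeType and grant.granteeURI are ACL fields); a bucket policy with a wildcard principal is a separate exposure path and needs its own check.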
Contribute your J1 Query to the Community

We will frequently be adding cut-and-paste J1 queries to our gallery. Join the community and every two weeks we’ll send you a list of new queries. You can contribute your own queries for inclusion and examination in an upcoming article. Use the form below to join us.