loading
loading
Discovery
Find suspicious files across a large set of AWS S3 buckets.
overview
aws-s3-data-finder works through a large list of S3 bucket names and, for every one it can list, writes out the first chunk of keys it finds. Among those keys it flags the suspicious files: data backups, PII dumps, and credential files that should never sit in a readable bucket.
It runs authenticated through the AWS CLI, using your account's region, or unauthenticated over plain HTTP against a chosen endpoint, so it covers both buckets you own and public ones you are testing for exposure. Bucket names come from a list, a single name, or candidates you generate with random and brute-force characters, prefixes, and postfixes.
On Trickest, aws-s3-data-finder is a Discovery node that takes a bucket list and writes a file plus a folder, with listable buckets dumped under buckets/ as JSON or XML. Put a bucket-name generator upstream and a secret scanner like noseyparker downstream to confirm what leaked.
use cases
Run a list of candidate bucket names unauthenticated over HTTP to see which ones list, then capture their keys for review.
Dump keys from listable buckets and let the tool flag backups, PII, and credential files instead of reading every object name by hand.
Use the random, brute-force, prefix, and postfix options to expand a seed into many candidate names and probe each one.
Run authenticated through the AWS CLI against your account's region to confirm which buckets are listable and what data they expose.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| buckets-list | FILE | -nl | List of bucket names to run. |
| bucket-name | STRING | -n | A single bucket name to run. |
| unauthenticated | BOOLEAN | --unauthenticated | Run the search unauthenticated, via web request. |
| endpoint | STRING | --endpoint | Endpoint to use for an unauth scan (auth scan uses the awscli region). |
| num-keys | STRING | -nk | Number of keys to get per bucket. |
| characters | STRING | --characters | Characters to run via random or brute force, e.g. abcdefg. |
| prefix-postfix | STRING | -pp | Run with prefixes and/or postfixes: prefix, postfix, or both. |
| realert-previously | BOOLEAN | --realert | Re-alert on previously alerted suspicious files. |
Showing key inputs. aws-s3-data-finder exposes 18 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| verbose | BOOLEAN | -v | Print verbose output (critical messages and errors). |
| very-verbose | BOOLEAN | -vv | Print very verbose output (critical, errors, and warnings). |
| endpoint | STRING | --endpoint | Endpoint to use for an unauth scan; an auth scan uses the region in awscli. |
| num-keys | STRING | -nk | Number of keys to get per bucket. |
| test-mode | BOOLEAN | --test | Test mode that only prints the bucket names being run. |
| characters | STRING | --characters | Characters to run via random or brute force, e.g. abcdefg. |
| bucket-name | STRING | -n | A single bucket name to run. |
| start-after | STRING | -sa | For all-chars mode, start after this string. |
| buckets-list | FILE | -nl | List of bucket names to run. |
| run-all-chars | BOOLEAN | -ac | Run all character combinations. |
| prefix-postfix | STRING | -pp | Run with prefixes and/or postfixes: prefix, postfix, or both. |
| unauthenticated | BOOLEAN | --unauthenticated | Run the search unauthenticated, via web request. |
| ignore-redirects | BOOLEAN | --no_follow_redirect | Do not follow HTTP redirects. |
| rerun-previously | BOOLEAN | --rerun | Rerun previously searched buckets. |
| run-random-chars | BOOLEAN | -rc | Run random characters. |
| bucket-name-length | STRING | -nc | Length of the bucket name to generate. |
| print-bucket-names | BOOLEAN | -p | Print bucket names as you go. |
| realert-previously | BOOLEAN | --realert | Re-alert on previously alerted suspicious files. |
example
# unauthenticated sweep of a candidate bucket list over HTTPaws-s3-data-finder -nl bucket-names.txt --unauthenticated --endpoint https://s3.amazonaws.com -nk 5000[*] Loaded 1200 bucket names, mode=unauthenticated[+] Listable: example-backups (2481 keys)[!] Suspicious (backup): example-backups/db-dump-2026-05.sql.gz[!] Suspicious (pii): example-backups/users-export.csv[+] Listable: example-assets (940 keys)[!] Suspicious (credentials): example-assets/.env.production[*] Wrote buckets/example-backups.json[*] Wrote buckets/example-assets.json[*] Done: 2 listable, 3 suspicious across 1200 namesguidance
Use aws-s3-data-finder to sweep many S3 buckets for readable, sensitive data, authenticated or not. It lists and flags files, it does not deeply parse secrets, so chain a secret scanner after it. For pure existence checks, use s3scanner.
Checks bucket existence and permissions across providers. aws-s3-data-finder goes further and dumps and flags the contents.
Discovers exposed cloud resources broadly, not just S3. Use it to find buckets, then this tool to read them.
Bulk S3 enumeration. A sibling for working through large name lists.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
Crawl a list of domains and scan for endpoints, secrets, API keys, file extensions, tokens, and more.
A bucket-name list feeds aws-s3-data-finder, which dumps keys from readable buckets and passes them to noseyparker to confirm leaked secrets as findings.
Facts on this page come from the live Trickest tool library.