loading
loading
Recon
A multi-cloud enumeration utility for AWS, Azure, and GCP.
overview
cloud-enum hunts for public cloud resources tied to a target by brute-forcing names across AWS, Azure, and Google Cloud at once. Give it a keyword such as a company or product name and it generates candidate bucket, container, and app names, then checks which ones exist and whether they are open. Misconfigured public storage is one of the most common ways data leaks, and cloud-enum is built to find it across all three major providers from a single run.
Mutations and a brute-force list expand a keyword into many realistic variants, while quickscan trims the run to a fast first pass. You can disable any provider you do not care about, point it at a custom nameserver, and choose text, JSON, or CSV output for the log.
On Trickest, cloud-enum is a Recon node that takes a keyword and writes a file and a folder of results. Run it during attack-surface discovery to find exposed cloud assets, then route discovered resources into a cloud-specific scanner or a manual review queue.
use cases
Brute-force bucket and container names from a keyword across AWS, Azure, and GCP to catch public storage a target left open.
Run one keyword against AWS, Azure, and Google so a single pass covers an organization's full multi-cloud footprint.
Point --mutations at a wordlist to generate realistic name variants, widening the search beyond the obvious base name.
Enable quickscan to skip mutations and second-level scans when you want a quick read on a target's exposure.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| keyword | STRING | --keyword | Bruteforce keyword the search is built from. |
| keywords-file | FILE | --keyfile | Input file with a single keyword per line. |
| mutations | FILE | --mutations | Mutations list to expand keywords (default fuzz.txt). |
| brute | FILE | --brute | List to brute-force Azure container names. |
| format | STRING | --format | Format for the log file (text, json, csv). |
| threads | STRING | --threads | Threads for HTTP brute-force (default 5). |
| quickscan | BOOLEAN | --quickscan | Disable all mutations and second-level scans. |
| nameserver | STRING | --nameserver | DNS server to use in the brute-force. |
Showing key inputs. cloud-enum exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| brute | FILE | --brute | List to brute-force Azure container names. Default: enum_tools/fuzz.txt |
| format | STRING | --format | Format for log file (text, json, csv - defaults to text) |
| keyword | STRING | --keyword | Bruteforce keyword |
| threads | STRING | --threads | Threads for HTTP brute-force. Default = 5 |
| mutations | FILE | --mutations | Mutations. Default: enum_tools/fuzz.txt |
| quickscan | BOOLEAN | --quickscan | Disable all mutations and second-level scans |
| nameserver | STRING | --nameserver | DNS server to use in brute-force |
| disable-aws | BOOLEAN | --disable-aws | Disable Amazon checks |
| disable-gcp | BOOLEAN | --disable-gcp | Disable Google checks |
| disable-azure | BOOLEAN | --disable-azure | Disable Azure checks |
| keywords-file | FILE | --keyfile | Input file with a single keyword per line |
example
# enumerate public buckets, containers, and apps across all three cloudscloud_enum --keyword example --mutations enum_tools/fuzz.txt --threads 10 --format json[+] Checking for S3 buckets OPEN S3 BUCKET: http://example-dev.s3.amazonaws.com/ PROTECTED S3 BUCKET: http://example-backups.s3.amazonaws.com/[+] Checking for Azure Storage Accounts OPEN AZURE CONTAINER: https://exampleassets.blob.core.windows.net/public/[+] Checking for Google buckets OPEN GOOGLE BUCKET: https://storage.googleapis.com/example-static/ PROTECTED GOOGLE BUCKET: https://storage.googleapis.com/example-logs/[+] All done, 4 open or protected resources across 3 cloudsguidance
Reach for cloud-enum when you want to find public buckets, containers, and apps across AWS, Azure, and GCP from a keyword. It guesses names rather than reading provider accounts, so for listing assets in accounts you control, use cloudlist instead.
Lists assets from cloud accounts you hold credentials for. cloud-enum guesses public names from outside.
Focuses on S3 bucket discovery and permissions. cloud-enum covers AWS, Azure, and GCP together.
Same project upstream. On Trickest this node wraps it for multi-cloud brute-forcing in a workflow.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A keyword feeds cloud-enum, which brute-forces names across AWS, Azure, and GCP and writes the public cloud resources it finds as output.
Facts on this page come from the live Trickest tool library.