loading
loading
Cloud Storage
Finds open S3 buckets and dumps their contents.
overview
S3Scanner takes a list of candidate bucket names and reports which are misconfigured, then optionally pulls down what is inside. Open or world-readable object storage is a recurring source of data exposure, so it turns a raw candidate list into a per-bucket verdict: the permissions each one grants and, with dumping on, the files it leaks.
Scan mode checks bucket permissions without reading the contents; dump mode downloads what an open bucket holds. It reads names from a file with --buckets-file and threads the work so a long list clears quickly, while --endpoint-url and --endpoint-address-style point it at S3-compatible stores beyond AWS.
Reach for S3Scanner once you already hold bucket names, from cloud_enum discovery or s3reverse normalization. It confirms exposure and captures evidence in one pass, then writes a file and a folder you can route to the rest of a workflow.
source github.com/sa7mon/S3Scanner
use cases
Run scan mode over a file of bucket names to learn which grant public read or write access, without touching their contents.
Enable dump mode to download what an exposed bucket holds, capturing evidence of the data that was reachable.
Set --endpoint-url and --endpoint-address-style to check buckets on non-AWS object stores that speak the S3 API.
Raise --threads so a long list of bucket names produced by discovery is checked in parallel rather than one at a time.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| buckets-file | FILE | --buckets-file | File containing bucket names, one per line. |
| scan | BOOLEAN | scan | Scan bucket permissions. |
| dump | BOOLEAN | dump | Dump the contents of open buckets. |
| threads | STRING | --threads | Number of threads to use (default 4). |
| endpoint-url | STRING | --endpoint-url | Endpoint URL for an S3-compatible provider. |
| endpoint-address-style | STRING | --endpoint-address-style | Endpoint address style: path or vhost. |
Showing key inputs. s3scanner exposes 7 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| scan | BOOLEAN | scan | Scan bucket permissions. |
| dump | BOOLEAN | dump | Dump the contents of open buckets. |
| buckets-file | FILE | --buckets-file | File containing bucket names, one per line. |
| threads | STRING | --threads | Number of threads to use (default 4). |
| endpoint-url | STRING | --endpoint-url | Endpoint URL for an S3-compatible provider. |
| endpoint-address-style | STRING | --endpoint-address-style | Endpoint address style: path or vhost. |
| insecure | BOOLEAN | --insecure | Do not verify SSL certificates. |
example
# scan a candidate bucket list with 8 threadss3scanner --buckets-file candidate-buckets.txt --threads 8 scanexample-static-assets | bucket_exists | AllUsers: [READ] | AuthUsers: []example-app-backups | bucket_exists | AllUsers: [READ, WRITE] | AuthUsers: [FULL_CONTROL]example-user-uploads | bucket_exists | AllUsers: [] | AuthUsers: [READ]example-terraform-state | bucket_exists | AllUsers: [] | AuthUsers: []example-cdn-logs | bucket_not_exists | |example-media-prod | bucket_exists | AllUsers: [READ, READ_ACP] | AuthUsers: []example-legacy-site | bucket_exists | AllUsers: [READ] | AuthUsers: []example-invoices | bucket_exists | AllUsers: [] | AuthUsers: [WRITE]guidance
Use S3Scanner when you have bucket names and need to confirm which are exposed and capture their contents. It does not discover or normalize bucket references, so feed it from cloud_enum and s3reverse upstream.
Normalizes mixed bucket references into one format before scanning, an upstream companion.
Discovers cloud storage across AWS, Azure, and GCP to produce candidate buckets.
Brute-forces S3 bucket names from permutations to surface new targets.
faq
related
A file of bucket names feeds S3Scanner, which checks each one's permissions and dumps the open buckets, writing the exposed results as a queryable output.
Facts on this page come from the live Trickest tool library.