hqs3scann3r is tool to scan AWS S3 bucket permissions.
- Scans all bucket permissions to find misconfigurations
You can download the pre-built binary for your platform from this repository's releases page, extract, then move it to your $PATHand you're ready to go.
hqs3scann3r requires go1.17+ to install successfully. Run the following command to get the repo
go install -v github.com/hueristiq/hqs3scann3r/cmd/hqs3scann3r@latestgit clone https://github.com/hueristiq/hqs3scann3r.git && \
cd hqs3scann3r/cmd/hqs3scann3r/ && \
go build . && \
mv hqs3scann3r /usr/local/bin/ && \
hqs3scann3r -hNOTE: To use this tool awscli is required to have been installed and configured.
To display help message for hqs3scann3r use the -h flag:
hqs3scann3r -h
_ _____ _____
| |__ __ _ ___|___ / ___ ___ __ _ _ __ _ __ |___ / _ __
| '_ \ / _` / __| |_ \/ __|/ __/ _` | '_ \| '_ \ |_ \| '__|
| | | | (_| \__ \___) \__ \ (_| (_| | | | | | | |___) | |
|_| |_|\__, |___/____/|___/\___\__,_|_| |_|_| |_|____/|_| v1.2.0
|_|
USAGE:
hqs3scann3r [OPTIONS]
OPTIONS:
-c, --concurrency number of concurrent threads (default: 10)
-d, --dump location to dump objects
-iL, --input-list buckets list (use `-iL -` to read from stdin)
-nC, --no-color no color mode (default: false)
-v, --verbose verbose mode
hqs3scann3r takes buckets in the format:
- Name - e.g.
flaws.cloud - URL style - e.g.
s3://flaws.cloud - Path style - e.g
https://s3.amazonaws.com/flaws.cloud - Virtual Hosted style - e.g
flaws.cloud.s3.amazonaws.com
Possible permissions for buckets:
- Read - List and view all files
- Write - Write files to bucket
- Read ACP - Read all Access Control Policies attached to bucket
- Write ACP - Write Access Control Policies to bucket
- Full Control - All above permissions
Issues and Pull Requests are welcome!