From d84930d9470d3d11f025228cb5d2d58a05f9e7ca Mon Sep 17 00:00:00 2001 From: Ayush7614 Date: Thu, 2 Jul 2026 20:14:13 +0530 Subject: [PATCH] Clarify S3 existence vs public listing checks in aws skill Split unauthenticated enumeration into separate head-bucket/HTTP and s3 ls steps with interpretation guidance per review. --- strix/skills/cloud/aws.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/strix/skills/cloud/aws.md b/strix/skills/cloud/aws.md index bb0a515..df7a345 100644 --- a/strix/skills/cloud/aws.md +++ b/strix/skills/cloud/aws.md @@ -40,12 +40,28 @@ AWS misconfigurations frequently expose credentials, data, and lateral movement - Hardcoded keys in source, mobile apps, JavaScript bundles **Unauthenticated Enumeration** + +Use two separate checks — they answer different questions and must not be conflated: + +**1. Bucket existence (does the name resolve?)** + +Goal: learn whether a bucket name exists in AWS, without needing `s3:ListBucket`. +- `head-bucket` or `curl -I` HTTP status is the signal — not `aws s3 ls`. +- `403 Forbidden` → bucket exists but you lack access (private or wrong account). +- `404 Not Found` → bucket does not exist in that region, or name is wrong. + ``` -# S3 bucket existence (403 = exists but private, 404 = doesn't exist or different region) aws s3api head-bucket --bucket target-bucket --no-sign-request 2>&1 curl -I https://target-bucket.s3.amazonaws.com/ +``` -# Public listing (confirms s3:ListBucket is granted to AllUsers) +**2. Public listing (is ListBucket granted to anonymous users?)** + +Goal: confirm `s3:ListBucket` is publicly granted — a separate and stronger finding than existence alone. +- Only run `aws s3 ls` for this step; a successful listing returns object keys/prefixes. +- Failure here does not disprove existence (a private bucket still returns 403 on list). + +``` aws s3 ls s3://target-bucket --no-sign-request ```