S3cret Scanner is a tool designed to provide a complementary layer for the Amazon S3 Security Best Practices by proactively hunting for secrets in public S3 buckets.
- Can be executed as
The automation will perform the following actions:
- List the public buckets in the account (Set with ACL of
objects can be public)
- List the textual or sensitive files (i.e.
- Download, scan (using truffleHog3) and delete each file from disk once it has been evaluated, one file at a time.
- The logs will be created in
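The sweep the list above describes, as an added illustration in Python (example code, not the project's own): it assumes boto3-style ACL grant and object-listing dicts, AWS's two public group grantee URIs as the definition of a public ACL (the page elides the exact values), a constructed extension list, and injected `download`/`scan` callables in place of the S3 client and trufflehog3.

```python
import os
import tempfile
from datetime import datetime, timedelta
from typing import Callable, Iterable

# AWS's well-known group grantees; a grant to either makes the ACL public.
# Assumption for this example: the page does not list the exact ACL values.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Constructed set of extensions treated as textual/sensitive in this example.
TEXTUAL_EXTENSIONS = {".txt", ".json", ".yml", ".yaml", ".env", ".pem",
                      ".sql", ".csv", ".log", ".xml", ".conf", ".ini"}

def is_public_acl(grants: Iterable[dict]) -> bool:
    """True if any get_bucket_acl()-style grant targets a public group."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False

def select_candidates(objects: Iterable[dict], last_modified_days: int,
                      now: datetime) -> list:
    """Keep textual objects modified within the -l window (days before now)."""
    cutoff = now - timedelta(days=last_modified_days)
    keys = []
    for obj in objects:  # list_objects_v2()-style dicts with Key/LastModified
        ext = os.path.splitext(obj["Key"].lower())[1]
        if ext in TEXTUAL_EXTENSIONS and obj["LastModified"] >= cutoff:
            keys.append(obj["Key"])
    return keys

def scan_one_by_one(keys: Iterable[str], download: Callable[[str, str], None],
                    scan: Callable[[str], list]) -> dict:
    """Download, scan and delete each object in turn; the temp copy is removed
    in a finally block so it never outlives its scan, even if the scanner raises."""
    findings = {}
    for key in keys:
        fd, path = tempfile.mkstemp(prefix="s3scan-")
        os.close(fd)
        try:
            download(key, path)         # e.g. s3.download_file(bucket, key, path)
            findings[key] = scan(path)  # e.g. invoke trufflehog3 on the path
        finally:
            if os.path.exists(path):
                os.remove(path)
    return findings
```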
- Python 3.6 or above
- TruffleHog3 installed in $PATH
- An AWS role with the following permissions:
- If you’re using a CSV file – make sure to place the file in the `csv` directory, in the following format:
  `Account name,Account id`
Use pip to install the needed requirements.
```bash
# Clone the repo
git clone <repo>
# Install requirements
pip3 install -r requirements.txt
# Install trufflehog3
pip3 install trufflehog3
```
| Flag | Values | Description | Required |
|---|---|---|---|
| `-p`, `--aws_profile` | | The AWS profile name for the access keys | ✓ |
| `-r`, `--scanner_role` | | The AWS scanner’s role name | ✓ |
| `-m`, `--method` | internal | The scan type | ✓ |
| `-l`, `--last_modified` | 1-365 | Number of days to scan since the file was last modified; default 1 | ✗ |
```bash
python3 main.py -p secTeam -r secteam-inspect-s3-buckets -l 1
```
Pull requests and forks are welcome. For major changes, please open an issue first to discuss what you would like to change.