Overview
The Cloud Scanner identifies misconfigurations and vulnerabilities in cloud environments, focusing on AWS S3 buckets and Google Cloud Storage. It detects public access issues, overly permissive configurations, and interesting files that may expose sensitive data.
The Cloud Scanner is a vulnerability scanner: it actively tests cloud resources for security weaknesses. It does not add data to your Attack Surface. Identified vulnerabilities are reported as findings.
Supported targets
| Target type | Examples |
|---|---|
| IP address | 192.168.1.1 |
| Hostname | example.com, mybucket.s3.amazonaws.com |
| URL | https://mybucket.s3.amazonaws.com, https://storage.googleapis.com/mybucket |
Cloud storage URLs
You can scan cloud storage buckets directly using their URLs:
| Provider | URL format |
|---|---|
| AWS S3 | https://<bucket_name>.s3.amazonaws.com |
| Google Cloud Storage | https://storage.googleapis.com/<bucket_name> |
Supported cloud providers
| Provider | Detection | Vulnerability scanning |
|---|---|---|
| AWS | ✅ | ✅ S3 bucket misconfigurations |
| Google Cloud | ✅ | ✅ Cloud Storage misconfigurations |
| Azure | ✅ | Coming soon |
Scan options
The Cloud Scanner has two configurable options (both enabled by default):
| Option | Description |
|---|---|
| Detect cloud provider | Resolves the target and matches its IP against the providers' published IP ranges to identify which cloud hosts it |
| Detect cloud vulnerabilities | Runs the misconfiguration and exposure checks listed below |
If “Detect cloud provider” is disabled, the scanner runs the checks for every supported provider against the target. If enabled, it runs only the checks for the detected provider. Disabling it is useful when the target resolves outside the published ranges (for example, a bucket reached through a CDN or a custom domain), at the cost of running every provider's checks.
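The provider-detection step and the option semantics above, as an added example (not the Cloud Scanner's own code). It flattens the three published feed formats (AWS ip-ranges.json, GCP cloud.json, and Microsoft's ServiceTags_Public download) into one list, does a longest-prefix match, and decides which providers' checks to run. The embedded feeds are constructed samples in those files' shapes so the script runs offline; the prefixes are illustrative and must be refreshed from the live feeds before trusting a result. Falling back to all providers when detection is enabled but finds nothing is an assumption, not behaviour the page states.

```python
import ipaddress
import json
import socket

# Constructed sample feeds in the shape of the real published files
# (AWS ip-ranges.json, GCP cloud.json, Azure ServiceTags_Public). The
# prefixes are illustrative and may not match the live data.
AWS_FEED = json.loads("""{
  "prefixes": [
    {"ip_prefix": "52.95.110.0/24", "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "52.95.0.0/16", "region": "eu-west-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f18::/32", "region": "us-east-1", "service": "AMAZON"}
  ]
}""")
GCP_FEED = json.loads("""{
  "prefixes": [
    {"ipv4Prefix": "34.64.0.0/10", "service": "Google Cloud", "scope": "asia-northeast3"},
    {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"}
  ]
}""")
AZURE_FEED = json.loads("""{
  "values": [
    {"name": "Storage.WestEurope",
     "properties": {"addressPrefixes": ["20.38.104.0/23", "2603:1020:206::/48"]}}
  ]
}""")

# Checks each provider currently has (Azure is detected, but its checks are
# still pending according to the support table).
PROVIDER_CHECKS = {"aws": ["s3"], "gcp": ["gcs"], "azure": []}


def load_ranges(aws=AWS_FEED, gcp=GCP_FEED, azure=AZURE_FEED):
    """Flatten the three feed formats into (provider, network, label) tuples."""
    ranges = []
    for p in aws.get("prefixes", []):
        ranges.append(("aws", ipaddress.ip_network(p["ip_prefix"]),
                       f"{p['service']}/{p['region']}"))
    for p in aws.get("ipv6_prefixes", []):
        ranges.append(("aws", ipaddress.ip_network(p["ipv6_prefix"]),
                       f"{p['service']}/{p['region']}"))
    for p in gcp.get("prefixes", []):
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        ranges.append(("gcp", ipaddress.ip_network(cidr), p.get("scope", "")))
    for v in azure.get("values", []):
        for cidr in v["properties"]["addressPrefixes"]:
            ranges.append(("azure", ipaddress.ip_network(cidr), v["name"]))
    return ranges


def detect_provider(ip, ranges):
    """Longest-prefix match of an address against the flattened ranges.
    Returns (provider, label) or None when no range contains it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for provider, net, label in ranges:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (provider, net, label)
    return None if best is None else (best[0], best[2])


def providers_to_test(detect_enabled, detected):
    """Option semantics: only the detected provider's checks when detection is
    on and succeeded; every provider that has checks otherwise. (Falling back
    to all providers on a failed detection is an assumption.)"""
    if detect_enabled and detected in PROVIDER_CHECKS:
        return [detected]
    return [p for p, checks in PROVIDER_CHECKS.items() if checks]


def scan_plan(target, ranges, detect_enabled=True, resolver=socket.gethostbyname):
    """Resolve a hostname or IP, detect its provider, decide which checks run."""
    try:
        ip = str(ipaddress.ip_address(target))   # already an IP literal
    except ValueError:
        ip = resolver(target)                    # DNS lookup (network access)
    hit = detect_provider(ip, ranges)
    provider = hit[0] if hit else None
    return {"target": target, "ip": ip, "provider": provider,
            "label": hit[1] if hit else None,
            "providers_to_test": providers_to_test(detect_enabled, provider)}


if __name__ == "__main__":
    for t in ("52.95.110.7", "34.100.0.1", "20.38.105.9", "192.168.1.1"):
        print(scan_plan(t, load_ranges()))
```

The longest-prefix rule matters in practice: AWS publishes both a coarse AMAZON range and finer service ranges (S3, CLOUDFRONT, EC2) that overlap it, and the finer label tells you whether the IP is a storage endpoint or something fronting it.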
What it detects
AWS S3
| Check | Description |
|---|---|
| Public bucket listing | Bucket contents can be enumerated |
| Public read access | Objects can be read without authentication |
| Public write access | Objects can be uploaded or modified |
| ACL misconfigurations | Overly permissive access control lists |
| Interesting files | Sensitive files like wp-config, backups, keys |
Google Cloud Storage
| Check | Description |
|---|---|
| Public bucket access | Bucket accessible without authentication |
| IAM policy issues | Bindings that grant roles to allUsers or allAuthenticatedUsers |
| Bucket ACL | Legacy ACL entries granting access to public principals or overly broad groups |
| Uniform access not enabled | Legacy per-object ACLs are still evaluated alongside IAM |
| Logging not enabled | No usage or access log bucket configured |
| Versioning/retention not enabled | No protection against accidental deletion or overwrite |
| Encryption not configured | Google-managed default encryption only; no customer-managed (CMEK) default key |
| Lifecycle rules missing | No automated object expiry or transition |
| Interesting files | Sensitive files exposed in the bucket |
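The Google Cloud Storage configuration checks above, as an added example (not the Cloud Scanner's own code). It reads the bucket resource from the JSON API (`storage/v1/b/<bucket>?projection=full`, which includes the legacy ACL) and the IAM policy (`storage/v1/b/<bucket>/iam`), then maps the documented checks onto the resource fields. It also reports whether public access prevention is enforced, a GCS setting the table above does not list but which is the bucket-level equivalent of AWS Block Public Access. The metadata and policy embedded below are constructed samples so the analysis runs offline; unauthenticated metadata reads only succeed when allUsers holds the relevant bucket permission, so `fetch_bucket` takes an optional bearer token.

```python
import json
import urllib.request

GCS_API = "https://storage.googleapis.com/storage/v1/b/"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample bucket resource and IAM policy (not captured from a
# real bucket): legacy ACLs still on, public read via both ACL and IAM,
# no logging, no versioning, no CMEK, but a lifecycle rule.
SAMPLE_META = json.loads("""{
  "name": "sample-assets",
  "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false},
                       "publicAccessPrevention": "inherited"},
  "acl": [
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"}
  ],
  "versioning": {"enabled": false},
  "lifecycle": {"rule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]}
}""")
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]}
  ]
}""")


def fetch_bucket(bucket, token=None):
    """Fetch (metadata, iam_policy) from the JSON API. Network access; the
    unauthenticated form only works if allUsers can read bucket metadata."""
    def get(path):
        req = urllib.request.Request(GCS_API + bucket + path)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return get("?projection=full"), get("/iam")


def analyze_bucket(meta, policy):
    """Return findings as (severity, check, detail) tuples, in table order."""
    findings = []
    # Public access through IAM bindings (the model uniform access enforces).
    for b in policy.get("bindings", []):
        public = sorted(PUBLIC_PRINCIPALS & set(b.get("members", [])))
        if public:
            findings.append(("high", "IAM policy issues",
                             f"{b['role']} granted to {', '.join(public)}"))
    # Public access through the legacy bucket ACL.
    for entry in meta.get("acl", []):
        if entry.get("entity") in PUBLIC_PRINCIPALS:
            findings.append(("high", "Bucket ACL",
                             f"{entry['entity']} has {entry['role']}"))
    iam_cfg = meta.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append(("medium", "Uniform access not enabled",
                         "legacy per-object ACLs are still evaluated"))
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append(("medium", "Public access prevention not enforced",
                         "a future grant to allUsers would take effect"))
    if not meta.get("logging", {}).get("logBucket"):
        findings.append(("low", "Logging not enabled", "no log bucket configured"))
    if not meta.get("versioning", {}).get("enabled") and "retentionPolicy" not in meta:
        findings.append(("low", "Versioning/retention not enabled",
                         "no protection against deletion or overwrite"))
    if not meta.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append(("info", "Encryption not configured",
                         "Google-managed keys only; no CMEK default key"))
    if not meta.get("lifecycle", {}).get("rule"):
        findings.append(("info", "Lifecycle rules missing",
                         "no automated expiry or transition"))
    return findings


if __name__ == "__main__":
    for sev, check, detail in analyze_bucket(SAMPLE_META, SAMPLE_POLICY):
        print(f"[{sev:6}] {check}: {detail}")
```

Note that a public ACL entry and a public IAM binding are reported separately: after enabling uniform bucket-level access the ACL entries stop being evaluated, but the IAM binding keeps the bucket public until it is removed.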
How it works
The Cloud Scanner performs these steps:
- Target resolution: Resolves hostnames and URLs to an IP address
- Provider detection: Matches the IP against the published AWS, GCP, and Azure ranges
- Bucket discovery: Derives candidate bucket names from the target hostname or URL
- Permission testing: Tests which unauthenticated operations succeed (list, read, write)
- Configuration analysis: Checks security settings such as ACLs, IAM policies, logging, and encryption
- Interesting file search: Matches object names in accessible buckets against patterns for sensitive files
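The permission-testing and interesting-file steps above, applied to an S3 bucket, as an added example (not the Cloud Scanner's own code). It sends unauthenticated requests to the virtual-hosted endpoint `https://<bucket>.s3.amazonaws.com`, reads the result of each: 404 means the bucket does not exist, 403 means it exists but is not listable, 200 with a `ListBucketResult` document means public listing, a 301 carrying an `x-amz-bucket-region` header means the request must be retried against the regional endpoint. Read access is then tested on a key taken from the listing, since listing and object read are granted separately. The write probe (a PUT followed by a DELETE) is off by default because it modifies the target; run it only with the owner's authorisation. The HTTP transport is injectable, and the responses embedded below are constructed samples, not captures from a real bucket, so the example runs offline.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Object-name patterns the interesting-files step flags. Extend to taste.
INTERESTING_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"(^|/)wp-config\.php$",
    r"(^|/)\.env(\.[\w-]+)?$",
    r"(^|/)\.git/",
    r"(^|/)\.htpasswd$",
    r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$",
    r"\.(pem|key|p12|pfx|jks)$",
    r"\.(sql|sql\.gz|bak|backup|dump|old)$",
    r"\.(zip|tar|tar\.gz|tgz|7z|rar)$",
    r"(^|/)(credentials|secrets?|passwords?)(\.(txt|json|ya?ml|csv))?$",
)]


def find_interesting(keys):
    """Return the object keys whose names suggest sensitive content."""
    return [k for k in keys if any(p.search(k) for p in INTERESTING_PATTERNS)]


def urllib_http(method, url, body=None):
    """Unauthenticated transport returning (status, lowercase headers, body)."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()


def parse_listing(body):
    """Keys from a ListBucketResult document, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != S3_NS + "ListBucketResult":
        return None
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


def probe_bucket(bucket, http=urllib_http, write_probe=False):
    """Unauthenticated probe: existence, public listing, read and (opt-in) write."""
    base = f"https://{bucket}.s3.amazonaws.com"
    result = {"bucket": bucket, "exists": None, "listing": False,
              "read": None, "write": None, "keys": [], "interesting": []}
    status, headers, body = http("GET", base + "/")
    if status == 301 and headers.get("x-amz-bucket-region"):
        # Wrong regional endpoint: S3 names the real region; retry there.
        base = f"https://{bucket}.s3.{headers['x-amz-bucket-region']}.amazonaws.com"
        status, headers, body = http("GET", base + "/")
    if status == 404:
        result["exists"] = False          # NoSuchBucket: nothing to test
        return result
    result["exists"] = True               # 200 and 403 both confirm existence
    if status == 200:
        keys = parse_listing(body)
        if keys is not None:
            result["listing"] = True
            result["keys"] = keys
            result["interesting"] = find_interesting(keys)
    if result["keys"]:
        # Listing and object read are separate grants: test read on a real key.
        status, _, _ = http("GET", f"{base}/{result['keys'][0]}")
        result["read"] = status == 200
    # Without a listing there is no known key, so read stays None here;
    # a guessed-key check (index.html, robots.txt, ...) would slot in.
    if write_probe:
        # Intrusive: modifies the bucket. Authorised targets only; clean up.
        probe_key = "cloud-scanner-write-probe.txt"
        status, _, _ = http("PUT", f"{base}/{probe_key}", b"write-probe")
        result["write"] = status == 200
        if result["write"]:
            http("DELETE", f"{base}/{probe_key}")
    return result


# Constructed sample responses keyed by (method, url) so the probe runs offline.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>open-sample</Name><IsTruncated>false</IsTruncated>
  <Contents><Key>index.html</Key></Contents>
  <Contents><Key>backups/site.sql.gz</Key></Contents>
  <Contents><Key>config/wp-config.php</Key></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = b"<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
SAMPLE_ROUTES = {
    ("GET", "https://open-sample.s3.amazonaws.com/"): (200, {}, SAMPLE_LISTING),
    ("GET", "https://open-sample.s3.amazonaws.com/index.html"): (200, {}, b"<html></html>"),
    ("GET", "https://locked-sample.s3.amazonaws.com/"): (403, {}, SAMPLE_DENIED),
    ("GET", "https://missing-sample.s3.amazonaws.com/"): (404, {}, b"<Error><Code>NoSuchBucket</Code></Error>"),
}


def sample_transport(method, url, body=None):
    return SAMPLE_ROUTES.get((method, url), (403, {}, SAMPLE_DENIED))


if __name__ == "__main__":
    for name in ("open-sample", "locked-sample", "missing-sample"):
        print(probe_bucket(name, http=sample_transport))
```

Swap `sample_transport` for the default `urllib_http` to probe a live bucket. Authenticated probes (a signed request from an arbitrary AWS account) catch the AuthenticatedUsers ACL grant that an anonymous request does not; that is a separate pass with the same decision logic.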
Follow-up actions
After discovering cloud misconfigurations:
- Restrict public access: Remove allUsers and allAuthenticatedUsers grants (GCP), and ACL grants to the AllUsers or AuthenticatedUsers groups and bucket-policy statements with a wildcard principal (AWS)
- Enable bucket-level security: Turn on uniform bucket-level access (GCP) or S3 Block Public Access (AWS), so that existing and future public grants stop taking effect
- Enable logging: Track access to sensitive buckets
- Review sensitive files: Check if exposed files contain credentials or PII
- Run Network Scanner: Test the underlying infrastructure
- Run Subdomain Finder: Discover additional cloud-hosted assets