> ## Documentation Index
> Fetch the complete documentation index at: https://pentest-tools.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Cloud Scanner

> Discover misconfigurations and vulnerabilities in cloud storage and services

## Overview

The Cloud Scanner identifies misconfigurations and vulnerabilities in cloud environments, focusing on AWS S3 buckets and Google Cloud Storage. It detects public access issues, overly permissive configurations, and interesting files that may expose sensitive data.

The Cloud Scanner is a **vulnerability scanner**: it actively tests cloud resources for security weaknesses. It does not add data to your [Attack Surface](/capabilities/attack-surface). Identified vulnerabilities are reported as [findings](/core/findings/findings).

## Supported targets

| Target type    | Examples                                                                       |
| -------------- | ------------------------------------------------------------------------------ |
| **IP address** | `192.168.1.1`                                                                  |
| **Hostname**   | `example.com`, `mybucket.s3.amazonaws.com`                                     |
| **URL**        | `https://mybucket.s3.amazonaws.com`, `https://storage.googleapis.com/mybucket` |

### Cloud storage URLs

You can scan cloud storage buckets directly using their URLs:

| Provider                 | URL format                                     |
| ------------------------ | ---------------------------------------------- |
| **AWS S3**               | `https://<bucket_name>.s3.amazonaws.com`       |
| **Google Cloud Storage** | `https://storage.googleapis.com/<bucket_name>` |

## Supported cloud providers

| Provider         | Detection | Vulnerability scanning            |
| ---------------- | --------- | --------------------------------- |
| **AWS**          | ✅         | ✅ S3 bucket misconfigurations     |
| **Google Cloud** | ✅         | ✅ Cloud Storage misconfigurations |
| **Azure**        | ✅         | Coming soon                       |

## Scan options

The Cloud Scanner has two configurable options (both enabled by default):

| Option                           | Description                                                            |
| -------------------------------- | ---------------------------------------------------------------------- |
| **Detect cloud provider**        | Identifies which cloud provider hosts the target by checking IP ranges |
| **Detect cloud vulnerabilities** | Scans for misconfigurations and security issues                        |

<Note>
  If "Detect cloud provider" is disabled, the scanner tests for vulnerabilities across all supported providers. If enabled, it only tests for issues specific to the detected provider.
</Note>

## What it detects

### AWS S3

| Check                     | Description                                   |
| ------------------------- | --------------------------------------------- |
| **Public bucket listing** | Bucket contents can be enumerated             |
| **Public read access**    | Objects can be read without authentication    |
| **Public write access**   | Objects can be uploaded or modified           |
| **ACL misconfigurations** | Overly permissive access control lists        |
| **Interesting files**     | Sensitive files like wp-config, backups, keys |

### Google Cloud Storage

| Check                                | Description                                       |
| ------------------------------------ | ------------------------------------------------- |
| **Public bucket access**             | Bucket accessible without authentication          |
| **IAM policy issues**                | `allUsers` or `allAuthenticatedUsers` permissions |
| **Bucket ACL**                       | Overly permissive access control                  |
| **Uniform access not enabled**       | Legacy ACL mode in use                            |
| **Logging not enabled**              | Access logging disabled                           |
| **Versioning/retention not enabled** | No protection against accidental deletion         |
| **Encryption not configured**        | Using default encryption only                     |
| **Lifecycle rules missing**          | No automated object management                    |
| **Interesting files**                | Sensitive files exposed in the bucket             |

## How it works

The Cloud Scanner performs these steps:

1. **Target resolution**: Resolves the target to an IP address
2. **Provider detection**: Checks IP ranges to identify AWS, GCP, or Azure
3. **Bucket discovery**: Identifies storage buckets from the target
4. **Permission testing**: Tests what operations are allowed (read, write, list)
5. **Configuration analysis**: Checks security settings like ACLs, IAM policies, encryption
6. **Interesting file search**: Looks for sensitive filenames in accessible buckets

## Follow-up actions

After discovering cloud misconfigurations:

* **Restrict public access**: Remove `allUsers` and `allAuthenticatedUsers` permissions
* **Enable bucket-level security**: Use uniform bucket-level access (GCP) or block public access (AWS)
* **Enable logging**: Track access to sensitive buckets
* **Review sensitive files**: Check if exposed files contain credentials or PII
* **Run [Network Scanner](/tools/network-scanner)**: Test the underlying infrastructure
* **Run [Subdomain Finder](/tools/subdomain-finder)**: Discover additional cloud-hosted assets
