> For the complete documentation index, see [llms.txt](https://gitbook.cdxiaodong.life/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.cdxiaodong.life/yun-an-quan/aws/s3.md). # Amazon S3 ## Amazon S3 概述 Amazon Simple Storage Service (Amazon S3) 是一种对象存储,具有简单的 Web 服务接口,用于存储和检索任何数量的数据。它为任何开发人员提供访问 Amazon 用于运行其自身全球网站网络的相同高度可扩展、可靠、快速、廉价的数据存储基础设施。 {% embed url="" %} ### S3 存储桶 要在 Amazon S3 中存储对象,您需要创建一个存储桶,然后将对象上传到该存储桶。 {% hint style="info" %} 存储桶是对象的容器。对象是文件以及描述该文件的任何元数据。 {% endhint %} 当对象在存储桶中时,您可以打开、下载和移动它。当您不再需要对象或存储桶时,可以清理您的资源。 Amazon S3 存储桶名称是全局唯一的,命名空间由所有 AWS 账户共享。这意味着存储桶创建后,在该存储桶被删除之前,其他 AWS 账户在任何 AWS 区域都不能使用该存储桶的名称。 ### 寻址模型 有两种寻址模型可以访问存储桶: * `虚拟托管样式`: ```http https://.s3..amazonaws.com/ ``` * `路径样式`: ```http https://s3..amazonaws.com// ``` ### 访问控制列表 Amazon S3 访问控制列表 (ACL) 使您能够管理对存储桶和对象的访问。每个存储桶和对象都有一个 ACL 作为子资源附加到其上。它定义了哪些 AWS 账户或组被授予访问权限以及访问类型。当收到对资源的请求时,Amazon S3 会检查相应的 ACL 以验证请求者是否具有必要的访问权限。 {% embed url="" %} ## 安全问题 ### 存储桶接管 如果应用程序使用已由开发人员删除的域链接 S3 存储桶,并且来自 [Amazon Route 53](https://aws.amazon.com/route53/) 的 CNAME 记录仍在等待删除,您可以使用其他 AWS 账户认领这个未声明的 S3 存储桶名称。 要验证存储桶接管是否可能,请运行: ```bash $ curl -s https:// | grep -E -q 'NoSuchBucket|
  • Code: NoSuchBucket
    • ' && echo "Subdomain takeover may be possible" || echo "Subdomain takeover is not possible" ``` 参考资料: * [实践 AWS S3 存储桶接管](https://blog.securelayer7.net/hands-on-aws-s3-bucket-account-takeover-vulnerability/) * [子域接管 — AWS S3 存储桶](https://towardsaws.com/subdomain-takeover-aws-s3-bucket-4699815d1b62) * [技术分析:https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh 中展示的 S3 存储桶接管](https://hackerone.com/reports/1285598) ### 不正确的 ACL 权限 如果 ACL 权限配置错误,您可以获得对存储桶的未认证访问。此外,此类权限可能允许您读取和修改对象。 ```bash # 配置 AWS CLI $ aws configure # 列出存储桶内容 $ aws s3 ls s3:/// # 从存储桶复制 file.txt $ aws s3 cp s3:///file.txt # 从存储桶删除 file.txt $ aws s3 rm s3:///file.txt ``` 您可以使用以下工具来自动化该过程: * [S3Scanner](https://github.com/sa7mon/S3Scanner) - 扫描开放的 S3 存储桶并转储内容。 * [s3inspector](https://github.com/clario-tech/s3-inspector) - 检查 AWS S3 存储桶权限的工具。 * [lazys3](https://github.com/nahamsec/lazys3) - 使用不同排列组合暴力破解 AWS s3 存储桶的 Ruby 脚本。 参考资料: * [实践 AWS S3 存储桶漏洞](https://blog.securelayer7.net/hands-on-aws-s3-bucket-vulnerabilities/) ## 参考资料 * [S3 存储桶服务 AWS 渗透测试基础](https://blog.securelayer7.net/aws-penetration-testing-for-s3-bucket-service-basics-security/) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://gitbook.cdxiaodong.life/yun-an-quan/aws/s3.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.