In the news everyday are stories of companies leaking data through exposed S3 buckets.
One thing I noticed is that a lot of leaks are found using common S3 bucket names, so I had an epiphany in the shower one day and I invented Defensive S3 Bucket Squatting where you preregister and secure the most common S3 bucket names so that no one else can use them. This obviously wont stop your company from still having miss-configured S3 buckets but it should make it harder for bad actors to find them and exploit them.
This script creates and secures the most common S3 bucket names to stop them from being used by anyone in an attempt to make finding unsecured buckets harder.
chmod +x defensives3.sh./defensives3.sh companyname
This will create about 80 buckets using the names in buckets.txt.
- Submit a ticket to have your S3 Bucket Limit increased to 750
- Uncomment
#for extension in $(cat 150buckets.txt); do - Comment out
#for extension in $(catbuckets.txt); do chmod +x defensives3.sh./defensives3.sh companyname
This will create about 600 buckets using the names in 150buckets.txt.
chmod +x deldefensives3.sh./deldefensives3.sh companyname
This will delete all buckets that where created by this script.
- I likely don't know what I am doing and this could be done faster, better and simpler some other way.
- These scripts could also break your cloud and make you cry.
- There are minimal costs for having empty S3 buckets in your account. My best guess is under $5 a month.