Finding unsecured S3 buckets using Passive DNS

There was a post on Hacker News yesterday about a tool called bucket-stream that looks at certificate transparency logs and uses them to find corresponding Amazon S3 bucket names.

One of the pieces of advice on the github repo is:

Randomise your bucket names! There is no need to use company-backup.s3.amazonaws.com.

But this actually wouldn't keep your buckets private (as matt_wulfeck pointed out in the HN comments) because DNS resolution is essentially public.

Passive DNS means looking at the results of DNS queries performed by others, rather than performing the queries yourself. Lots of networks and DNS resolvers send off the results of DNS queries that they process to a centralised database, which can then be searched by anybody subscribing to the database. Although most of the data is not publicly available, it is available to lots of organisations, and a small sample is available from VirusTotal, e.g. "Observed subdomains" on https://www.virustotal.com/en/domain/s3-us-west-2.amazonaws.com/information/ shows 100 examples of subdomains.

(There unfortunately isn't yet a Wikipedia article on passive DNS, but this article is quite good, as are these slides).

100 subdomains is good enough for a proof of concept. If we then multiply that by the number of AWS regions, and come back periodically to look for new subdomains, it might even be good enough for an active attack.

I queried the list of 100 subdomains for s3-us-west-2.amazonaws.com and found that 24 of the buckets were publicly readable. I didn't look at any of the contents, but based on the filenames most of them are intended to be public so I don't think there's a serious leak here.

But the moral of the story is that you should put actual authentication on your S3 buckets (indeed, on anything you don't want public!) and don't just rely on DNS to keep it private, because DNS is not private.