*5.3. Results of ChaosXploit's Execution of Branch 1: Exploitation of Public Buckets*

5.3.1. Description

This experiment is motivated by the fact that data stored on Amazon S3 can be protected from unauthorized access with encryption and access-management controls; under the shared responsibility model of cloud services, however, configuring that access is the customer's job, and misconfigurations by the owners of this kind of storage are common. Exposing a bucket to the public endangers the confidentiality, integrity, and availability of its data.

Based on the goal of the attack tree (Extract or modify information), this first experiment can be defined following the CE method as follows:


Below is a description of how the first branch of the attack tree specified for this scenario was implemented and **executed**. First, public buckets were discovered through enumeration, using regular expressions to build candidate names. Since Amazon S3 imposes a fixed set of naming rules on buckets, it is quite simple for an attacker to compile a list of plausible names. Then boto3, the AWS SDK for Python, was used to check which candidates actually exist and accept connections; this stage cleaned up the list by discarding invalid names and buckets that were empty. Next, ChaosXploit checks whether the objects of each remaining bucket can be listed and read, and lastly whether the bucket's ACL itself can be retrieved by an unauthenticated caller.

As shown in Table 3, three monitored variables were considered: (i) **Object-Collectable-Buckets**, the buckets holding public files (pictures, documents, executable files, among others) that can be gathered during the experiment; (ii) **ACL-Collectable-Buckets**, the buckets whose ACL is public and can therefore be read by anyone; and (iii) the **Permissions** obtained from those ACLs.


**Table 3.** Monitored variables and input parameters considered along the execution of branch 1 by ChaosXploit.

Regarding the input values, four were needed to execute the experiment. First, *domain* is an optional input containing the name of the organization to be analyzed. This option exists because ChaosXploit can also be used as an internal audit tool: with it, enumeration is limited to buckets related to the given domain. If it is not provided, ChaosXploit generates a list of names by brute force, from wordlists, and from the bucket naming rules defined by AWS. Second, the number of *threads* is an input, so that connecting to the buckets and reading their information can be performed in parallel by as many workers as the given value. Third, *mode* indicates the type of analysis to be performed, i.e., whether to look for *Object-Collectable-Buckets* or *ACL-Collectable-Buckets*. The last input, *output*, is the name of a file used to store the results and to feed the ChaosXploit continuous validator.
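The following is an added illustration of the branch-1 pipeline just described (candidate-name generation from a domain under the AWS naming rules, anonymous existence/listing/ACL probes with boto3, parallel execution over a thread pool, and mapping of the results onto the monitored variables of Table 3). It is example code written for this page, not ChaosXploit's own source. The wordlist, the name patterns, the `probe` injection point and the sample ACL response are constructed assumptions; the naming checks follow the rules AWS publishes for general-purpose buckets. Only `probe_bucket` touches the network, and it is bypassed offline by passing a fake probe.

```python
"""Branch-1 building blocks: enumerate, probe, classify (added example, not ChaosXploit code)."""
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set

# Constructed wordlist; a real run would use a much larger list.
WORDLIST = ["backup", "dev", "prod", "assets", "static", "uploads", "logs"]

# The two grantee groups that make an ACL "public".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed GetBucketAcl-style response (not from a real bucket).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ_ACP"},
    ],
}


def is_valid_bucket_name(name: str) -> bool:
    """AWS naming rules for general-purpose buckets; candidates violating them are never worth probing."""
    if not 3 <= len(name) <= 63:
        return False
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", name):
        return False
    if ".." in name:                                   # no adjacent periods
        return False
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", name):  # must not look like an IP address
        return False
    if name.startswith(("xn--", "sthree-")) or name.endswith(("-s3alias", "--ol-s3")):
        return False
    return True


def candidate_names(domain: str, words: Iterable[str] = WORDLIST) -> List[str]:
    """Build candidate bucket names for an organisation from its domain (patterns are an assumption)."""
    base = domain.lower().strip()
    label = base.split(".")[0]                         # 'example' from 'example.com'
    out: List[str] = []
    for seed in sorted({label, base}):
        out.append(seed)
        for w in words:
            out.extend([f"{seed}-{w}", f"{w}-{seed}", f"{seed}.{w}", f"{seed}{w}"])
    seen: Set[str] = set()
    result: List[str] = []
    for n in out:                                      # de-duplicate and drop names S3 would never accept
        if n in seen or not is_valid_bucket_name(n):
            continue
        seen.add(n)
        result.append(n)
    return result


def probe_bucket(name: str) -> dict:
    """Anonymous existence / listing / ACL checks against a real bucket (needs boto3 and network)."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", config=Config(signature_version=UNSIGNED))
    result = {"name": name, "exists": False, "objects_listable": False, "acl": None}
    try:
        s3.head_bucket(Bucket=name)
        result["exists"] = True
    except ClientError as e:
        if e.response["Error"]["Code"] in ("404", "NoSuchBucket"):
            return result                              # cleanup step: non-existent name, drop it
        result["exists"] = True                        # 403/301 etc.: exists, but this call is denied
    try:
        s3.list_objects_v2(Bucket=name, MaxKeys=1)     # succeeds only if AllUsers may list the bucket
        result["objects_listable"] = True
    except ClientError:
        pass
    try:
        result["acl"] = s3.get_bucket_acl(Bucket=name)  # succeeds only if the ACL itself is public
    except ClientError:
        pass
    return result


def public_permissions(acl: dict) -> Dict[str, Set[str]]:
    """Collect the permissions an ACL grants to the public groups (the 'Permissions' variable)."""
    perms: Dict[str, Set[str]] = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI", "")) if grantee.get("Type") == "Group" else None
        if who:
            perms.setdefault(who, set()).add(grant["Permission"])
    return perms


def classify(probe: dict) -> List[str]:
    """Map one probe result onto the monitored variables of Table 3."""
    labels = []
    if probe.get("objects_listable"):
        labels.append("Object-Collectable-Buckets")
    if probe.get("acl") is not None and public_permissions(probe["acl"]):
        labels.append("ACL-Collectable-Buckets")
    return labels


def run_branch1(domain: str, threads: int = 8, probe: Callable[[str], dict] = probe_bucket) -> List[dict]:
    """Probe all candidates for a domain in parallel and keep the buckets that exist, with their labels."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(probe, candidate_names(domain)))
    found = [r for r in results if r["exists"]]
    for r in found:
        r["labels"] = classify(r)
        r["permissions"] = public_permissions(r["acl"]) if r["acl"] else {}
    return found
```

`run_branch1("example.com", threads=16)` would perform the real probes; the `probe` parameter exists so the enumeration and classification logic can be exercised without network access, which is also how the results feeding the continuous validator can be replayed from a stored output file.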
