# AWS S3
Edition: Enterprise + Open Source

The AWS S3 integration scans objects in S3 buckets for credentials and other sensitive data.

## Prerequisites

| Requirement | Detail |
| --- | --- |
| AWS account | At least one S3 bucket to scan. |
| IAM identity | An IAM user, role, or instance profile with permission to list buckets and download objects. See the example IAM policy below. |

## Configuration

The AWS S3 integration can be configured in TruffleHog under **Integrations**, or via a local configuration file (below).

### Web configuration

Configure this integration from the Integrations page in TruffleHog. You'll need an AWS access key and secret for an IAM identity with read access to the buckets you want to scan.

### Local configuration

Local configuration supports four authentication modes:

- **IAM credentials**: uses credentials from the standard AWS credential chain. Works with IAM users, roles, or instance profiles.
- **IAM role assumption**: uses a base IAM identity to assume one or more roles, typically across AWS accounts. The most secure option for multi-account scanning.
- **IAM role assumption with instance profile**: same as role assumption, but the assuming identity is the EC2 instance profile of the scanner host.
- **Static credentials**: embeds an access key and secret directly in the config. Useful for testing; not recommended for production, since the credentials are stored in plaintext.

#### IAM credentials

Use this when AWS credentials are available in one of the standard locations (environment variables, `~/.aws/credentials`, or instance metadata). Compatible with IAM users, roles, and instance profiles.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.S3
      cloudEnvironment: {}
    name: s3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

#### IAM role assumption

Use this to scan buckets across multiple AWS accounts from a single scanner instance. A common pattern is to run the TruffleHog scanner in an administrative or security account with permission to assume IAM roles in the target accounts that contain the buckets you want to scan.

Passing a role ARN without specifying `buckets` scans every bucket the role can list. Multiple roles can be specified; if `buckets` are also supplied, each role attempts to scan each bucket.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.S3
      roles:
        - <role_arn_1>
        - <role_arn_2>
      sessionToken: {}
    name: s3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

#### IAM role assumption with instance profile

Same as IAM role assumption, but the assuming identity is the EC2 instance profile of the scanner host. This configuration does not use the `sessionToken` field.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.S3
      roles:
        - <role_arn_1>
        - <role_arn_2>
    name: s3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

#### Static credentials

Embeds an access key and secret directly in the config. Useful for testing; not recommended in production. Compatible with IAM users only.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.S3
      accessKey:
        key: AKIAKEYID
        secret: xxxxxxxxxxxxxxxxxxxxxxxxxx
      buckets:
        - bucket-one
        - bucket-two
    name: s3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

### Example IAM policy

The IAM identity used to access S3 needs the following permissions, attached either directly (for IAM credentials) or to the role being assumed (for the role assumption modes):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
```

`"Resource": "*"` grants read access to every bucket in the account. `s3:ListAllMyBuckets` only accepts `*`, but `s3:GetBucketLocation`, `s3:ListBucket`, and `s3:GetObject` can be scoped to the buckets you intend to scan (`arn:aws:s3:::<bucket>` for the bucket-level actions, `arn:aws:s3:::<bucket>/*` for `s3:GetObject`).

For role assumption, the target role also needs a trust policy allowing the scanner's IAM identity to assume it. When the scanner runs under an EC2 instance profile, the principal is the instance profile's role ARN rather than a user ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

For more on IAM roles, usage scenarios, and trust policies, see the AWS IAM documentation. For more granular S3 access control, see the AWS S3 policy examples.

### Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `buckets` | list | No | Explicit list of buckets to scan. Omit to scan all buckets the identity can list. |
| `ignoreBuckets` | list | No | Buckets to skip during scanning. |
| `maxObjectSize` | integer | No | Maximum object size in bytes. Objects larger than this are skipped. |
| `roles` | list | No | List of role ARNs to assume. Required for the role assumption modes. |

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | ✅ |
| Scan attachments | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |
| Include / exclude filters | ✅ |
| History | ✅ |
| Versions | ✅ |
| Progress info | ✅ |
| Auto resume | ✅ |

## Notes

Objects in S3 Glacier cold storage are not scanned.
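The local configuration modes, the roles-times-buckets behaviour, and the example IAM and trust policies above fit together in one small tool. The following is an added example written for this page, not code from TruffleHog: it takes the parsed form of a local configuration (the dict a YAML loader such as PyYAML's `yaml.safe_load` returns), names the authentication mode, expands the role/bucket scan plan including `ignoreBuckets`, and emits the permissions policy for the S3-reading identity, narrowed to the named buckets when the config lists them, plus the trust policy each assumed role needs. The function names, the sample config, and every ARN, account ID, and bucket name are placeholders invented for the example.

```python
"""Scan plan and IAM policies for a TruffleHog S3 source config (added example,
not TruffleHog's own code). Input is the parsed local config shown on this page;
all ARNs, account IDs and bucket names are placeholders."""
import json

# Constructed input: the "IAM role assumption" config above, with explicit buckets.
SAMPLE_SOURCE = {
    "name": "s3",
    "type": "SOURCE_TYPE_S3",
    "scanPeriod": "12h",
    "verify": True,
    "connection": {
        "@type": "type.googleapis.com/sources.S3",
        "roles": [
            "arn:aws:iam::111111111111:role/trufflehog-s3-reader",
            "arn:aws:iam::222222222222:role/trufflehog-s3-reader",
        ],
        "sessionToken": {},
        "buckets": ["bucket-one", "bucket-two", "bucket-legacy"],
        "ignoreBuckets": ["bucket-legacy"],
    },
}

# The actions from the example IAM policy above, split by the resource they accept.
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]            # only valid with Resource "*"
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]  # arn:aws:s3:::bucket
OBJECT_ACTIONS = ["s3:GetObject"]                     # arn:aws:s3:::bucket/*


def auth_mode(conn):
    """Name the authentication mode a connection block selects (the four modes above)."""
    if "accessKey" in conn:
        return "static-credentials"
    if "roles" in conn:
        return "role-assumption" if "sessionToken" in conn else "role-assumption-instance-profile"
    if "cloudEnvironment" in conn:
        return "iam-credentials"
    raise ValueError("connection has no recognised credential block")


def target_buckets(conn):
    """Buckets named in the config minus ignoreBuckets; None means the scanner lists them itself."""
    if "buckets" not in conn:
        return None
    ignored = set(conn.get("ignoreBuckets", []))
    return [b for b in conn["buckets"] if b not in ignored]


def scan_plan(conn):
    """(role, bucket) pairs the scanner works through. role None is the base identity;
    bucket None is 'every bucket the identity can list'. Each role tries each bucket."""
    roles = conn.get("roles") or [None]
    buckets = target_buckets(conn)
    if buckets is None:
        buckets = [None]
    return [(role, bucket) for role in roles for bucket in buckets]


def permissions_policy(buckets):
    """The page's example policy, narrowed to bucket ARNs when the buckets are known."""
    statements = [{"Effect": "Allow", "Action": ACCOUNT_ACTIONS, "Resource": "*"}]
    if buckets is None:
        # Unscoped, as in the example on the page: every bucket the identity can see.
        statements.append({"Effect": "Allow", "Action": BUCKET_ACTIONS + OBJECT_ACTIONS, "Resource": "*"})
    elif buckets:
        bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
        statements.append({"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": bucket_arns})
        statements.append({"Effect": "Allow", "Action": OBJECT_ACTIONS,
                           "Resource": [f"{arn}/*" for arn in bucket_arns]})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(scanner_principal_arn):
    """Trust policy for a target role: only the scanner's own identity may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": scanner_principal_arn},
        "Action": "sts:AssumeRole",
    }]}


def policies_for(source, scanner_principal_arn):
    """Per target role: the permissions policy to attach and the trust policy it needs.
    For the non-role modes the single entry is keyed by None (attach the policy directly)."""
    conn = source["connection"]
    buckets = target_buckets(conn)
    return {
        role: {"permissions": permissions_policy(buckets),
               "trust": trust_policy(scanner_principal_arn) if role else None}
        for role in (conn.get("roles") or [None])
    }


if __name__ == "__main__":
    conn = SAMPLE_SOURCE["connection"]
    print("mode:", auth_mode(conn))
    for role, bucket in scan_plan(conn):
        print("scan:", role, "->", bucket or "<all listable buckets>")
    print(json.dumps(policies_for(SAMPLE_SOURCE, "arn:aws:iam::123456789012:user/bob"), indent=2))
```

Running it against the sample prints four scan pairs (two roles times the two non-ignored buckets) and, for each role, a three-statement permissions policy plus a trust policy naming the scanner principal. Omit `buckets` and the permissions policy falls back to the unscoped `"Resource": "*"` form shown on the page, which is the widest grant and the one to avoid once you know which buckets you actually scan.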
