# AWS S3

> **Open source feature:** this feature is available in both TruffleHog open source and TruffleHog Enterprise!

AWS Simple Storage Service (S3) is a cloud-based object storage service that TruffleHog can scan for credentials.

In AWS, access to an S3 bucket can be controlled through various IAM (Identity and Access Management) identities. These include IAM users, which are individual entities with specific permissions; IAM roles, which are sets of permissions that can be assumed by any authorized entity, such as an AWS service or an external user; and instance profiles, which are special-purpose IAM roles that are assumed by EC2 instances. TruffleHog supports any of these identities for access, although each will require specific configuration within TruffleHog as well as in your AWS account.

To successfully configure an S3 source, you need at minimum:

- An AWS account with at least one S3 bucket to be scanned.
- An IAM identity that has the correct access and authorization to list the bucket and download objects from it.

## Configuration options

### Web configuration

You can configure this integration via the web UI through the Integrations tab, or you can use a local configuration file as outlined below.

### Local configuration

There are four different authentication options for AWS S3:

- IAM credentials
- IAM role assumption
- IAM role assumption with instance profile
- Static credentials

#### IAM credentials

This configuration assumes that valid AWS credentials are available in one of the standard locations. It can be used with IAM users, roles, or instance profiles.

```yaml
# IAM credentials
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      cloudEnvironment: {}
    name: S3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

Example IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
```

This is the basic IAM policy that needs to be attached to the IAM identity being used to access the S3 bucket. AWS also provides additional policy examples for more granular access control over S3.

#### IAM role assumption

```yaml
# IAM role assumption
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      roles:
        - ROLE_ARN_1
        - ROLE_ARN_2
      sessionToken: {}
    name: S3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

This is generally the most secure option, and it can be used to enable a single scanner instance to scan multiple buckets across different AWS accounts. A common implementation pattern is to run the TruffleHog scanner in an administrative/security account, with a permissions policy attached that only permits the IAM identity (user, role, or instance profile) to assume IAM roles in the accounts that contain the S3 buckets to be scanned. The IAM roles in those accounts should be assigned permissions policies similar to this example.

Example IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "*"
    }
  ]
}
```

IAM roles can be assumed by an IAM entity, such as a user or role, that is an allowed principal in the IAM trust policy attached to the role. Please refer to the AWS documentation for additional information on IAM roles, usage scenarios, and configuration.

Example trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Passing in a role ARN without specifying a bucket will result in all buckets that the role can list being scanned. Multiple roles can be specified as individual arguments. If a bucket or buckets are supplied in addition to multiple roles, a scan will be attempted against each bucket by each role.

#### IAM role assumption with instance profile

Using an instance profile to perform role assumption is similar to the configuration for IAM role assumption in the previous section. Note that this configuration does not use the `sessionToken` field.

```yaml
# IAM role assumption with instance profile
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      roles:
        - ROLE_ARN_1
        - ROLE_ARN_2
    name: S3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

#### Static credentials

While this configuration can be useful for testing, we generally don't recommend it in a production environment, as the credentials will be exposed in plaintext. This configuration is compatible with IAM users and static credentials.

```yaml
# Static credentials
sources:
  - connection:
      '@type': type.googleapis.com/sources.S3
      accessKey:
        key: AKIAKEYID
        secret: xxxxxxxxxxxxxxxxxxxxxxxxxx
      buckets:
        - bucket-one
        - bucket-two
    name: S3
    scanPeriod: 12h
    type: SOURCE_TYPE_S3
    verify: true
```

## Options

| Key | Description | Required |
|---|---|---|
| `buckets` | List of names of the S3 buckets to be accessed. Omitting this will enumerate buckets instead. | No |
| `maxObjectSize` | Maximum object size (in bytes) that can be processed. If an object is larger than this value, it will be skipped. | No |
| `roles` | List of roles associated with the S3 buckets. | No |
| `ignoreBuckets` | List of buckets that should be ignored. | No |

## Capabilities

| Feature | Supported |
|---|---|
| Scan archive files | ✅ |
| Scan attachments | ✅ |
| Scan base64 encoded data | ✅ |
| Scan binaries | ✅ |
| Exclude filter | ✅ |
| History | ✅ |
| Include filter | ✅ |
| Progress info | ✅ |
| Auto resume | ✅ |
| Versions | ✅ |
| Scan Glacier cold storage | ❌ |
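The role-and-bucket rules above (a role with no buckets scans everything it can list; several roles with several buckets try each bucket with each role) together with the `ignoreBuckets` and `maxObjectSize` options can be written out as a scan plan. This is an added illustration, not TruffleHog's own code; the role ARNs, bucket names and the `list_buckets` callback are constructed stand-ins and nothing here calls AWS.

```python
# Added example (not TruffleHog's own code): compute the (role, bucket) pairs
# a scan would cover under this page's rules and apply ignoreBuckets /
# maxObjectSize. The list_buckets callback is a constructed stand-in for
# s3:ListAllMyBuckets so that the script runs offline.
from typing import Callable, Dict, List, Optional, Tuple

# Constructed config mirroring the page's YAML keys: two roles, no buckets.
CONFIG: Dict = {
    "roles": [
        "arn:aws:iam::111111111111:role/trufflehog-scan",
        "arn:aws:iam::222222222222:role/trufflehog-scan",
    ],
    "buckets": [],                      # empty: enumerate per role instead
    "ignoreBuckets": ["cloudtrail-logs"],
    "maxObjectSize": 50 * 1024 * 1024,  # bytes
}

# Constructed stand-in for what each assumed role can list.
VISIBLE: Dict[str, List[str]] = {
    "arn:aws:iam::111111111111:role/trufflehog-scan": ["app-uploads", "cloudtrail-logs"],
    "arn:aws:iam::222222222222:role/trufflehog-scan": ["data-exports"],
}


def scan_plan(config: Dict, list_buckets: Callable[[Optional[str]], List[str]]
              ) -> List[Tuple[Optional[str], str]]:
    """Return the (role, bucket) pairs a scan would attempt.

    - No roles: the ambient identity (role None) is used.
    - Roles but no buckets: every bucket each role can list is scanned.
    - Roles and buckets: each bucket is attempted by each role.
    - Buckets named in ignoreBuckets are dropped in every case.
    """
    ignored = set(config.get("ignoreBuckets") or [])
    roles: List[Optional[str]] = list(config.get("roles") or [None])
    plan: List[Tuple[Optional[str], str]] = []
    for role in roles:
        targets = config.get("buckets") or list_buckets(role)
        plan.extend((role, b) for b in targets if b not in ignored)
    return plan


def should_scan_object(size_bytes: int, config: Dict) -> bool:
    """maxObjectSize is an upper bound; larger objects are skipped."""
    limit = config.get("maxObjectSize")
    return limit is None or size_bytes <= limit


if __name__ == "__main__":
    for role, bucket in scan_plan(CONFIG, lambda r: VISIBLE.get(r, [])):
        print(f"{role} -> s3://{bucket}")
```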