New open-source tool scans public AWS S3 buckets for secrets
2022-10-29 15:12

A new open-source tool, 'S3crets Scanner', allows researchers and red teamers to search for 'secrets' mistakenly stored in publicly exposed or company-owned Amazon AWS S3 storage buckets.

In addition to application data, source code or configuration files in S3 buckets can also contain 'secrets' such as authentication keys, access tokens, and API keys.

During an exercise examining SEGA's recent assets exposure, security researcher Eilon Harel discovered that no tools for scanning accidental data leaks exist, so he decided to create his own automated scanner and release it as an open-source tool on GitHub.

When scanning a bucket, the script will examine the content of text files using the Trufflehog3 tool, an improved Go-based version of the secrets scanner that can check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets.

Trufflehog3 scans the files downloaded by S3crets using a set of custom rules designed by Harel, which target personally identifiable information exposure and internal access tokens.
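The workflow described above (list a bucket's objects, pull the text files, run secret-detection rules over their contents), as an added illustration that is not S3crets Scanner's own code and does not use Harel's custom Trufflehog3 rules: the three regex rules and the text-file extension list are assumptions chosen for this example, the sample bucket contents are constructed, and `scan_bucket` assumes boto3 and credentials for a bucket you are authorized to audit.

```python
import re
from typing import Dict, List, Tuple

# Object keys treated as "text files" (assumed list, not the tool's own)
TEXT_SUFFIXES = (".txt", ".json", ".yml", ".yaml", ".env", ".cfg", ".ini", ".py", ".sh", ".pem")

# Detection rules: well-known secret formats, not Harel's Trufflehog3 rule set
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("generic_api_key", re.compile(r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}")),
]

def is_text_object(key: str) -> bool:
    """Cheap pre-filter: only objects that look like text are downloaded and scanned."""
    return key.lower().endswith(TEXT_SUFFIXES)

def scan_text(key: str, data: bytes) -> List[dict]:
    """Apply every rule to every line; binary junk is decoded with replacement, not skipped."""
    findings = []
    for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
        for name, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"object": key, "line": lineno, "rule": name, "match": m.group(0)})
    return findings

def scan_objects(objects: Dict[str, bytes]) -> List[dict]:
    """Scan an in-memory map of object key -> content, skipping non-text keys."""
    findings: List[dict] = []
    for key, data in objects.items():
        if is_text_object(key):
            findings.extend(scan_text(key, data))
    return findings

def scan_bucket(bucket: str, max_bytes: int = 1_000_000) -> List[dict]:
    """Fetch text objects from a bucket you own and scan them (needs boto3 + network;
    imported here so the offline functions above work without it)."""
    import boto3
    s3 = boto3.client("s3")
    objects: Dict[str, bytes] = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            if is_text_object(obj["Key"]) and obj["Size"] <= max_bytes:
                objects[obj["Key"]] = s3.get_object(Bucket=bucket, Key=obj["Key"])["Body"].read()
    return scan_objects(objects)

# Constructed sample bucket contents (AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID)
SAMPLE_OBJECTS = {
    "config/app.env": b"DB_HOST=db.internal\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "keys/deploy.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "assets/logo.png": b"\x89PNG binary data AKIAIOSFODNN7EXAMPLE",  # skipped: not a text key
}
```

Running `scan_objects(SAMPLE_OBJECTS)` reports the access key ID in `config/app.env` and the private key header in `keys/deploy.pem`; the PNG is never opened, which is also why a real scanner should not trust extensions alone for high-value buckets.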

Finally, the tool can also be used for white-hat actions, like scanning publicly accessible buckets and notifying the owners of exposed secrets before bad actors find them.


News URL

https://www.bleepingcomputer.com/news/security/new-open-source-tool-scans-public-aws-s3-buckets-for-secrets/