Pentestas / help

Cloud storage scan

Discovers cloud storage containers you (or a vendor) own, then probes each for public exposure. Works across:

  • AWS S3
  • Azure Blob Storage
  • Google Cloud Storage
  • DigitalOcean Spaces, Linode Object Storage, Wasabi (S3-compatible)

How discovery works

Given a domain, Pentestas generates likely bucket names:

  • Company name + common suffixes (acme, acme-prod, acme-staging, acme-uploads, acme-backups, acme-media, acme-logs, …)
  • Expansions against every verified domain variant
  • Observed bucket names from the web-scan's crawl (URLs that reference s3.amazonaws.com/acme-media/… etc.)

Each candidate is probed with an unauthenticated HEAD request. Providers distinguish "bucket doesn't exist" from "bucket exists but access denied", so discovery is reliable without credentials.
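The discovery loop described above, as an added example that is not Pentestas' own code: it builds the candidate names from a company name plus the page's suffix list, then maps the status of an unauthenticated HEAD to the three states the text describes. The suffix set and the `bucket.s3.amazonaws.com` endpoint template are assumptions for illustration; use it to audit buckets you own.

```python
"""Added example (not Pentestas' code): candidate-bucket generation and
HEAD-probe classification for S3-style endpoints."""
import urllib.error
import urllib.request

# Suffixes follow the page's examples; the endpoint template is an assumption.
SUFFIXES = ("", "prod", "staging", "uploads", "backups", "media", "logs")
S3_ENDPOINT = "https://{bucket}.s3.amazonaws.com/"


def candidate_buckets(company: str, domains=()) -> list[str]:
    """Company name + common suffixes, expanded across verified domain variants."""
    bases = [company.lower()] + [d.lower().split(".")[0] for d in domains]
    names = []
    for base in dict.fromkeys(bases):          # de-duplicate, keep order
        for suffix in SUFFIXES:
            names.append(base if not suffix else f"{base}-{suffix}")
    return names


def classify(status: int) -> str:
    """Map an unauthenticated HEAD Bucket status to a discovery state."""
    if status == 404:
        return "absent"           # provider says the bucket does not exist
    if status == 403:
        return "exists-private"   # exists, anonymous access denied
    if status == 200:
        return "exists-listable"  # anonymous HEAD Bucket allowed (s3:ListBucket): public
    return f"unknown({status})"


def probe(bucket: str, timeout: float = 5.0) -> str:
    """Send one unauthenticated HEAD to the bucket endpoint and classify it."""
    req = urllib.request.Request(S3_ENDPOINT.format(bucket=bucket), method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)   # 403/404 arrive as HTTPError


if __name__ == "__main__":
    # Constructed sample input: a company name and two verified domains.
    for name in candidate_buckets("acme", ["acme.com", "acmecorp.net"]):
        print(f"{name:24s} {probe(name)}")
```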

What it flags

  • Public bucket — unauthenticated ListObjects works. CRITICAL if the bucket contains production data.
  • Publicly-readable object — bucket ACL denies listing but a known URL returns content. HIGH.
  • Writable bucket — unauthenticated PUT succeeds. CRITICAL — supply-chain implant vector.
  • Directory listing enabled — MEDIUM.
  • Missing encryption at rest — LOW.
  • Missing versioning — LOW.

Usage

UI

New scan → Cloud. Enter a domain. Pentestas runs bucket enumeration automatically.

API

```bash
curl -X POST https://app.pentestas.com/api/scans \
  -H "X-API-Key: aa_..." \
  -d '{"target_url":"https://example.com","scan_types":["cloud"]}'
```

Anonymous (Free-tier) bucket lookup

A lightweight variant (no sign-in required) is available at:

```bash
curl https://app.pentestas.com/api/public/cloudscan?domain=example.com
```

Returns a public-bucket list + minimal metadata. Rate-limited at 30/hour per IP.

Guided-response actions

Each finding comes with provider-specific remediation:

  • AWS — exact IAM JSON to add a deny-public statement to the bucket policy.
  • Azure — Azure CLI commands to flip --public-access off.
  • GCS — gsutil iam ch command to remove allUsers / allAuthenticatedUsers.

See also