Cloud storage scan
Discovers cloud storage containers you (or a vendor) own, then probes each for public exposure. Works across:
- AWS S3
- Azure Blob Storage
- Google Cloud Storage
- DigitalOcean Spaces, Linode Object Storage, Wasabi (S3-compatible)
How discovery works
Given a domain, Pentestas generates likely bucket names:
- Company name + common suffixes (acme, acme-prod, acme-staging, acme-uploads, acme-backups, acme-media, acme-logs, …)
- Expansions against every verified domain variant
- Observed bucket names from the web-scan's crawl (URLs that reference s3.amazonaws.com/acme-media/…, etc.)
Each candidate is probed with an unauthenticated HEAD request. Providers distinguish "bucket doesn't exist" from "bucket exists but access denied", so discovery is reliable without credentials.
What it flags
- Public bucket: unauthenticated ListObjects works. CRITICAL if the bucket contains production data.
- Publicly-readable object: bucket ACL denies listing but a known URL returns content. HIGH.
- Writable bucket: unauthenticated PUT succeeds. CRITICAL; a supply-chain implant vector.
- Directory listing enabled β MEDIUM.
- Missing encryption at rest β LOW.
- Missing versioning β LOW.
Usage
UI
New scan → Cloud. Enter a domain. Pentestas runs bucket enumeration automatically.
API
```bash
curl -X POST https://app.pentestas.com/api/scans \
  -H "X-API-Key: aa_..." \
  -d '{"target_url":"https://example.com","scan_types":["cloud"]}'
```
Anonymous (Free-tier) bucket lookup
A lightweight variant (no sign-in required) is available at:
```bash
curl https://app.pentestas.com/api/public/cloudscan?domain=example.com
```
Returns a public-bucket list plus minimal metadata. Rate-limited to 30 requests per hour per IP.
Guided-response actions
Each finding comes with provider-specific remediation:
- AWS: exact IAM JSON to add a deny-public statement to the bucket policy.
- Azure: Azure CLI commands to flip --public-access off.
- GCS: gsutil iam ch command to remove allUsers/allAuthenticatedUsers.
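Added example, not Pentestas code: a Python audit of an S3 bucket policy that flags the anonymous read/list grants behind the "public bucket" and "publicly-readable object" findings above, and builds a deny statement of the kind the AWS remediation refers to. The sample policy, the account id 111122223333 and the exact form of the deny statement are assumptions.

```python
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed sample policy (not from any real account): one anonymous read grant,
# one role-scoped write grant, one "*" grant narrowed by a Condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-media/*"},
        {"Sid": "CiWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::acme-media/*"},
        {"Sid": "VpcRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-media/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_anonymous_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}; both forms mean everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy: dict) -> list:
    """Sids of Allow statements granting read/list to everyone with no Condition.
    Conditioned "*" grants are skipped: they need manual review, not an automatic flag."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def deny_public_statement(bucket: str, account_id: str) -> dict:
    """Explicit Deny for every caller outside account_id (assumed form). An anonymous
    request carries no aws:PrincipalAccount, and StringNotEquals on a missing key is
    true, so unauthenticated access is denied whatever the Allow statements say.
    Note it also denies cross-account and service-principal callers: scope deliberately."""
    return {"Sid": "DenyOutsideAccount", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalAccount": account_id}}}
```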
See also
- Azure subscription scan: deeper audit when you control the AWS/Azure/GCP account.
- Subdomain enumeration: bucket names often fall out of subdomain data.