Cloud Resources & Misconfigurations

Purpose

Identify cloud-hosted resources (e.g., S3 buckets, Azure blobs, GCP storage) that are misconfigured or unintentionally exposed. These often reveal sensitive data or access mechanisms if administrators have skipped proper permissions setup.

Provider | Storage Type          | Common Risk
AWS      | S3 Buckets            | Public access
Azure    | Blob Storage          | Anonymous access
GCP      | Cloud Storage Buckets | Misconfigured IAM roles

Identifying Cloud Resources

Step 1: Subdomain/IP Lookup

Misconfigured storage may resolve to provider-owned domains.

Command:

for i in $(cat subdomainlist); do host "$i" | grep "has address" | grep "<website>.com" | cut -d" " -f1,4; done

Replace “website” with the target website.

This is what the results may look like after using the command provided above:

*.s3.website.com
*.blob.core.website.net
*.storage.website.com

Passive Discovery Tools & Tactics

Google Dorks

Use advanced queries to find indexed cloud resources and files.

Examples:

site:s3.website.com inurl:website
site:blob.core.website.net intext:"confidential"
inurl:"website" filetype:pdf

Replace “website” with the target website.

Third-Party OSINT Sources

  • domain.glass – shows domains/subdomains and security status (e.g., Cloudflare protection).

  • GrayHatWarfare – searchable DB of open AWS/Azure/GCP buckets.

GrayHatWarfare Tip: Filter by file type to find documents, backups, private keys (*.pem, *.key), etc.

Naming Convention Clues

  • Companies often use internal abbreviations in infrastructure (e.g., ilf-assets, if-s3-backups).

  • Brute-force or fuzz storage names with common patterns.

Examples:

website-backups
ilf-dev-static
website-archive

Common Cloud Data Risks

  • Exposed credentials (API keys, secrets, .env, .pem)

  • Downloadable SSH private keys

  • Public documents (contracts, HR data)

  • Misconfigured bucket permissions (read/list/write)
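
Added example (not part of the original notes): a defender-side check for the last item above, run against your own S3 bucket policy to report which of read/list/write it grants to anonymous callers. The function names, the sample policy and its account ID are constructed for illustration; the check covers bucket policy statements using Action and Principal only (not ACLs, NotAction or NotPrincipal).

```python
import json
from fnmatch import fnmatchcase

# Representative S3 actions per exposure class (not an exhaustive list).
EXPOSURE = {
    "read": ["s3:GetObject"],
    "list": ["s3:ListBucket"],
    "write": ["s3:PutObject", "s3:DeleteObject"],
}

def as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (any caller, no credentials)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_exposure(policy_json):
    """Return the sorted exposure classes the policy grants to anonymous callers."""
    found = set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Simplification: a condition (source IP, VPC endpoint, ...) may
            # narrow access, so such statements are left for manual review.
            continue
        for pattern in as_list(stmt.get("Action", [])):
            for kind, actions in EXPOSURE.items():
                # Policy actions may carry wildcards such as "s3:*" or "s3:Get*".
                if any(fnmatchcase(a.lower(), pattern.lower()) for a in actions):
                    found.add(kind)
    return sorted(found)

# Constructed sample policy for a bucket named "example-bucket".
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    print(public_exposure(SAMPLE_POLICY))  # ['list', 'read']
```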

What to Record

  • Cloud service used

  • Domain/subdomain or endpoint

  • Type of data exposed

  • Associated risks (privilege escalation, lateral movement)

  • Security measures in place (e.g., Cloudflare)