Enumeración

Durante el inicio de unas pruebas post-autenticadas, es ideal ejecutar los siguientes comandos para recopilar información sobre la infraestructura relacionada al servicio de S3.

Comandos útiles

Listar todos los Buckets de la cuenta

aws s3 ls

Listado de objetos de un Bucket específico

aws s3 ls s3://bucket-name

Enumera Todos los objetos de un Bucket incluyendo contenido de las carpetas existentes.

aws s3 ls s3://mybucket --recursive

Descarga archivos

aws s3 cp s3://mybucket/test.txt test2.

Subida de archivos

aws s3 cp ./test.txt s3://mybucket/test2.txt

Copiar archvios de S3 a S3

aws s3 cp s3://mybucket/test.txt s3://otherbucket/test2.txt

Más comandos

# Get buckets ACLs
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag

# Get policy
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public

# list S3 buckets associated with a profile
aws s3 ls
aws s3api list-buckets

# list content of bucket (no creds)
aws s3 ls s3://bucket-name --no-sign-request
aws s3 ls s3://bucket-name --recursive

# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>

# copy local folder to S3
aws s3 cp MyFolder s3://bucket-name --recursive

# delete
aws s3 rb s3://bucket-name –-force

# download a whole S3 bucket
aws s3 sync s3://<bucket>/ .

# move S3 bucket to different location
aws s3 sync s3://oldbucket s3://newbucket --source-region us-west-1

# list the sizes of an S3 bucket and its contents
aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>
##JSON policy example
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
  {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
  },
  {
    "Sid": "Stmt1568185007451",
    "Action": [
      "s3:GetObject"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::welcome/*",
    "Principal": "*"
  }
  ]
}

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name> # Way 1 to get the ACL
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

aws s3api get-object-acl --bucket <bucekt-name> --key flag #Way 2 to get the ACL
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
  {
    "Grantee": {
      "Type": "Group",
      "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
    },
  "Permission": "FULL_CONTROL"
  }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

Referencias

ls — AWS CLI 1.27.110 Command Reference

Uso de comandos alto nivel (s3) con la AWS CLI - AWS Command Line InterfaceAWS Command Line Interface

cp — AWS CLI 2.11.11 Command Reference