HashiConf 2024 Now streaming live from Boston! Attend for free
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan aws-s3

Beta feature

This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan aws-s3 command is used for scanning an Amazon S3 bucket.

Authentication

The scan aws-s3 comand needs permissions to list and get the objects in the bucket, see this simplified policy document below. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

The Resource in the policy can be limited to the buckets that one wants to scan.

See AWS Authentication for more information on how to authenticate with AWS.

Usage

Usage: vault-radar scan aws-s3 [options]

Scan all objects in a bucket

To scan all objects within a bucket and write the results to a CSV file (default format).

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv

Scan all objects in a bucket and output in JSON

To scan all objects within a bucket and write the results in JSON Lines format.

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -o <PATH TO OUTPUT>.jsonl \
    -f json

Scan all objects in a bucket with prefix

To scan all objects within a bucket beginning with a prefix.

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    --prefix <PREFIX> \
    -o <PATH TO OUTPUT>.jsonl \
    -f json

Scanning using a baseline file

Perform a scan using a previous scan's result and write the new changes to an outfile. With -b option, only new risks, risks that were not found in the previous scan will be reported. 

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -b <PATH TO BASELINE>.csv \
    -o <PATH TO OUTPUT>.csv

Note: it is expected that previous and current scans are "similar", e.g. both either latest version or history scans and same output format

Scanning using a Vault index file

Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

HCP connection scanning behavior

The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

To allow for scanning to continue working without the need for HCP cloud connection you can use the new --offline flag as such.

$ vault-radar scan aws-s3 --offline -r <REGION CODE> \
    --bucket <BUCKET NAME> \
    -o <PATH TO OUTPUT>.csv

Scan and restrict the number of secrets found

To stop scanning when the defined number of secrets are found.

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>

Scan and restrict the number of objects scanned

To stop scanning when the defined number of objects are scanned.

$ vault-radar scan aws-s3 --bucket <BUCKET NAME> -r <REGION CODE> \
    -o <PATH TO OUTPUT>.csv \
    --object-limit <NUM OF OBJECTS>