CloudSpecter is a multi-cloud bucket reconnaissance and permission testing tool for AWS S3, Google Cloud Storage, and Azure Blob Storage. It detects publicly accessible or misconfigured buckets/containers by safely testing read and write permissions, making it ideal for red team operations and cloud security assessments.
- AWS public bucket: `./cloudspector.sh aws cisrc`
- AWS private bucket (with credentials configured): `./cloudspector.sh aws my-private-bucket`
- GCP public bucket: `./cloudspector.sh gcp my-public-gcs-bucket`
- GCP private bucket: `./cloudspector.sh gcp my-private-gcs-bucket`
- Azure blob container: `./cloudspector.sh azure mycontainer mystorageaccount`

Sample finding output (critical, high and low severity):

```
[*] Checking AWS S3 bucket: cisrc
[*] Bucket is readable
[*] Bucket is WRITABLE
Severity Rating: CRITICAL (anonymous write)

[*] Checking GCP GCS bucket: public-bucket
[*] Bucket is readable
[!] Bucket is NOT writable
Severity Rating: HIGH (anonymous read)

[*] Checking Azure Blob container: mycontainer
[*] Container is readable
[!] Container is NOT writable (Azure requires auth)
Severity Rating: LOW (authenticated read)
```

| Scenario | Severity |
|---|---|
| Readable + Writable (anonymous/public) | CRITICAL |
| Readable only (anonymous/public) | HIGH |
| Readable + Writable (authenticated only) | MEDIUM |
| Readable only (authenticated) | LOW |
| Not readable | INFO / NONE |

- CRITICAL: Any bucket/container that allows anonymous write is misconfigured and dangerous.
- HIGH: Public read-only buckets are sensitive because their contents are exposed to anyone (data exposure).
- MEDIUM/LOW: Access is authenticated; reads and writes succeed only with credentials.
- INFO/NONE: Private bucket; the script cannot read it.
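
An owner-side complement to the severity table above, as an added example that is not part of CloudSpecter: it rates an S3 bucket policy document using the table's anonymous rows. The function names and the sample policy are constructed for illustration. It assumes only unconditioned `Allow` statements matter and does not evaluate `Deny` statements, ACLs or Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample bucket policy (not taken from a real account).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    # Policy fields may be a single value or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}; both forms mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants(statement, actions):
    """True if any Action pattern (wildcards allowed) matches one of `actions`."""
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)


def anonymous_severity(policy_json):
    """Rate a bucket policy using the anonymous rows of the severity table."""
    read = write = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Conditioned statements are skipped: the condition may restrict
        # access (source IP, VPC endpoint), so they need manual review.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _is_anonymous(stmt.get("Principal")):
            read = read or _grants(stmt, READ_ACTIONS)
            write = write or _grants(stmt, WRITE_ACTIONS)
    if write:
        return "CRITICAL"  # anonymous write
    return "HIGH" if read else "INFO / NONE"
```
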
| Provider | Read Test | Write Test | Anonymous Write |
|---|---|---|---|
| AWS | ✅ | ✅ | ✅ |
| GCP | ✅ | ✅ | ✅ |
| Azure | ✅ | ✅ | ❌ (platform limitation) |