You can use BBOT to enumerate storage buckets. Supported providers are: AWS, Google, Azure, DigitalOcean, and Firebase.
Buckets are discovered from web content and enumerated based on derivatives of discovered DNS names. For example, if your target is and BBOT discovers a subdomain, it will visit the website and extract bucket names from its HTML content. Additionally, it will try each of the following bucket names:
  • www.tesla
  • www-tesla-com
  • www-tesla
  • wwwteslacom
  • wwwtesla
For each bucket found, BBOT will check whether it's open (world-readable) and also whether it's vulnerable to subdomain takeover. Note that buckets discovered with the bucket_* modules are not guaranteed to be owned by the target.
# enumerate buckets for
bbot -t -f subdomain-enum cloud-enum
# single cloud provider + permutations (-dev, -test, etc.)
bbot -t -m bucket_aws -c modules.bucket_aws.permutations=true
A good tool to review your configuration in several clouds is:
More info: