Overview
cloud_enum is a multi-cloud OSINT enumeration tool designed to find exposed resources across major cloud providers including AWS, Azure, and Google Cloud Platform (GCP). It enumerates cloud storage buckets, static websites, databases, and other public resources that may have been misconfigured. This tool is essential for security researchers, penetration testers, and bug bounty hunters assessing cloud infrastructure exposure.
Installation
Prerequisites
# Python 3.6+ required
python3 --version
# Required dependencies
pip3 install -r requirements.txt
From GitHub
# Clone the repository
git clone https://github.com/initstring/cloud_enum.git
cd cloud_enum
# Install dependencies
pip3 install -r requirements.txt
# Make executable
chmod +x cloud_enum.py
# Verify installation
python3 cloud_enum.py --help
From Package Manager
# Using pip
pip3 install cloud-enum
# Or clone and install
git clone https://github.com/initstring/cloud_enum
cd cloud_enum
pip3 install .
Basic Usage
| Command | Description |
|---|
python3 cloud_enum.py -k company | Enumerate based on keyword “company” |
python3 cloud_enum.py -k target -b 50 | Use 50 brute-force threads |
python3 cloud_enum.py -k target --disable-aws | Enumerate excluding AWS |
python3 cloud_enum.py -k target -o results.txt | Save results to file |
python3 cloud_enum.py -k target -l /path/to/wordlist.txt | Use custom wordlist |
Core Enumeration Options
Keyword-Based Enumeration
# Basic enumeration with single keyword
python3 cloud_enum.py -k companyname
# Enumeration with multiple keywords
for keyword in company subsidiary division product; do
python3 cloud_enum.py -k $keyword
done
# Long-running enumeration
python3 cloud_enum.py -k target --threads 100 2>&1 | tee enumeration.log
Thread Control
# Increase threads for faster enumeration (default: 5)
python3 cloud_enum.py -k target -b 50
# Reduce threads for stealth
python3 cloud_enum.py -k target -b 5
# Custom thread configuration
python3 cloud_enum.py -k target --threads 25
AWS Enumeration
S3 Bucket Discovery
# Enumerate AWS S3 buckets
python3 cloud_enum.py -k company --enable-aws
# Check specific S3 bucket patterns
python3 cloud_enum.py -k target
# Results may include: target-bucket, target-data, target-backups
# Verify S3 bucket access
aws s3 ls s3://discovered-bucket/
aws s3api head-bucket --bucket discovered-bucket
AWS Resource Detection
# Enumerate EC2 instances
python3 cloud_enum.py -k target | grep "ec2"
# Look for CloudFront distributions
python3 cloud_enum.py -k target | grep "cloudfront"
# Check for RDS instances
python3 cloud_enum.py -k target | grep "rds"
Azure Enumeration
Blob Storage Discovery
# Enumerate Azure blob storage accounts
python3 cloud_enum.py -k company --enable-azure
# Common Azure patterns found:
# company.blob.core.windows.net
# companydata-blob.core.windows.net
# company-backup.blob.core.windows.net
# Test Azure blob access
curl https://company.blob.core.windows.net/
Azure Subdomain Enumeration
# Check for additional Azure resources
python3 cloud_enum.py -k target | grep "azure"
# Look for Azure App Services
python3 cloud_enum.py -k target | grep "azurewebsites"
# Check for Azure Storage Tables
python3 cloud_enum.py -k target | grep "table.core.windows.net"
GCS Bucket Discovery
# Enumerate Google Cloud Storage buckets
python3 cloud_enum.py -k company --enable-gcp
# Common GCS patterns:
# company-storage
# company-backups
# company-data
# company-logs
# Test GCS bucket access
gsutil ls gs://discovered-bucket/
gsutil ls -L gs://discovered-bucket/
GCP Resource Detection
# Enumerate Firebase instances
python3 cloud_enum.py -k target | grep "firebase"
# Look for Cloud Functions
python3 cloud_enum.py -k target | grep "cloudfunctions"
# Check for Cloud Run services
python3 cloud_enum.py -k target | grep "run.app"
Wordlist Customization
Using Custom Wordlists
# Specify custom wordlist
python3 cloud_enum.py -k target -l custom_words.txt
# Create wordlist from company info
echo "company" > wordlist.txt
echo "companyx" >> wordlist.txt
echo "company-dev" >> wordlist.txt
echo "company-prod" >> wordlist.txt
# Use extended wordlist
python3 cloud_enum.py -k target -l wordlist.txt
Wordlist Generation
# Generate from domain registrations
cat domains.txt | sed 's/\.com//' > base_names.txt
# Add common suffixes
for name in $(cat base_names.txt); do
echo "$name"
echo "$name-dev"
echo "$name-prod"
echo "$name-data"
echo "$name-backup"
done > expanded_list.txt
# Use expanded list
python3 cloud_enum.py -k target -l expanded_list.txt
Output and Reporting
Save Results to File
# Basic output to file
python3 cloud_enum.py -k target -o results.txt
# Verbose output with logging
python3 cloud_enum.py -k target -v -o detailed_results.txt 2>&1
# Append to existing results
python3 cloud_enum.py -k newkeyword >> results.txt 2>&1
Parse and Analyze Results
# Extract found resources
grep "Found" results.txt
# Filter by cloud provider
grep "amazon" results.txt
grep "microsoft" results.txt
grep "google" results.txt
# Count findings by type
grep -o "S3\|Blob\|GCS" results.txt | sort | uniq -c
Selective Cloud Provider Enumeration
| Option | Description |
|---|
--enable-aws | Enable AWS enumeration |
--enable-azure | Enable Azure enumeration |
--enable-gcp | Enable Google Cloud enumeration |
--disable-aws | Disable AWS enumeration |
--disable-azure | Disable Azure enumeration |
--disable-gcp | Disable GCP enumeration |
Targeted Enumeration
# Only AWS enumeration
python3 cloud_enum.py -k target --enable-aws --disable-azure --disable-gcp
# Only Azure enumeration
python3 cloud_enum.py -k target --enable-azure --disable-aws --disable-gcp
# Only GCP enumeration
python3 cloud_enum.py -k target --enable-gcp --disable-aws --disable-azure
Combining with nslookup
# Verify discovered resources via DNS
while read resource; do
nslookup "$resource" 2>/dev/null | grep -i "address"
done < results.txt
Piping to curl
# Test HTTP access to discovered resources
grep "cloudfront\|azurewebsites" results.txt | while read url; do
curl -I "https://$url" 2>/dev/null | head -n 1
done
# Combine with httpx for live checking
python3 cloud_enum.py -k target -o cloud_resources.txt
cat cloud_resources.txt | httpx -o live_cloud_resources.txt
# Combine with nuclei for vulnerability scanning
python3 cloud_enum.py -k target -o resources.txt
nuclei -l resources.txt -t cloud_misconfiguration
Advanced Techniques
Multi-Keyword Enumeration
# Batch enumeration with multiple keywords
cat keywords.txt | while read keyword; do
python3 cloud_enum.py -k "$keyword" -o "results_$keyword.txt"
echo "Completed: $keyword"
done
# Merge all results
cat results_*.txt > combined_results.txt
Stealth Enumeration
# Low-frequency enumeration
python3 cloud_enum.py -k target -b 2
# Distributed across time
for i in {1..10}; do
python3 cloud_enum.py -k "target$i" -b 5
sleep 300 # Wait 5 minutes between scans
done
Continuous Monitoring
# Schedule regular enumeration
0 0 * * * cd /path/to/cloud_enum && python3 cloud_enum.py -k company -o results_$(date +\%Y\%m\%d).txt
# Compare daily results
diff results_20260430.txt results_20260501.txt
Verification and Validation
Verify Findings
# Test S3 bucket access
aws s3 ls s3://bucket-name/
aws s3api get-bucket-acl --bucket bucket-name
# Test Azure blob access
curl -I "https://account.blob.core.windows.net/container"
# Test GCS bucket access
gsutil ls gs://bucket-name/
gsutil acl ch -u AllUsers:R gs://bucket-name/
Validate Results
# Check for false positives
for resource in $(cat results.txt | grep "Found"); do
echo "Testing: $resource"
curl -I "$resource" 2>/dev/null | head -n 1
done
Troubleshooting
Common Issues
| Issue | Solution |
|---|
| No results found | Verify keyword is relevant; try variations |
| Slow enumeration | Increase threads with -b flag |
| Connection errors | Check internet connection; verify firewall |
| Rate limited | Reduce thread count; add delays |
Debugging
# Enable verbose output
python3 cloud_enum.py -k target -v
# Check Python version
python3 --version
# Verify dependencies
pip3 list | grep -E "boto3|azure|google"
# Test cloud connectivity
ping s3.amazonaws.com
ping blob.core.windows.net
ping storage.googleapis.com
Security Considerations
Responsible Disclosure
# Document findings carefully
python3 cloud_enum.py -k target -o findings.txt
# Review before sharing
cat findings.txt
# Calculate impact assessment
grep -c "Found" findings.txt
Legal Compliance
# Ensure authorization before enumeration
# Document scope and approval
# Follow bug bounty program guidelines
# Report findings responsibly
References
# Official documentation
# https://github.com/initstring/cloud_enum
# View help menu
python3 cloud_enum.py --help
# Check for updates
cd cloud_enum && git pull origin main
