Bucket Stream: Finding S3 Buckets by watching certificate transparency logs

[tptacek]

Ignore any direct connection between S3 buckets themselves and particular certificates, and just think of the stream of domain names you get from CT as the seed for a dictionary to grind against S3.

[mynewtb]

But why do we get those domain names if there (supposedly) is an existing wildcard certificate?

[simcop2387]

To put the s3 bucket under another domain. Such as static.example.com instead of abcdef01123451523245.s3.amazon.com (or whatever it is).