__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

cloud_enum Cheatsheet

← Back to cheatsheets

← Home

cloud_enum is a multi-cloud OSINT tool for enumerating public resources in AWS, Azure, and GCP. It discovers storage buckets, apps, databases, and other cloud services based on keyword mutations.

Basic Usage

  • cloud_enum -k <keyword> - Enumerate using keyword
  • python3 cloud_enum.py -k <keyword> - Run with Python

Options

  • -k, --keyword - Base keyword for enumeration
  • -kf, --keyfile - File with keywords (one per line)
  • -m, --mutations - Mutations file for keyword variations
  • -b, --brute - Brute force with mutations file
  • -t, --threads - Threads for brute forcing (default 5)
  • -ns, --nameserver - Custom DNS server
  • -l, --logfile - Log output to file
  • -f, --format - Output format (json, csv)
  • --disable-aws - Disable AWS checks
  • --disable-azure - Disable Azure checks
  • --disable-gcp - Disable GCP checks
  • -qs, --quickscan - Quick scan (no mutations)

What It Finds

AWS

  • S3 Buckets
  • Open S3 Buckets
  • AWS Apps (Elastic Beanstalk)

Azure

  • Storage Accounts (Blob, File, Queue, Table)
  • Azure Websites/Apps
  • Azure Databases
  • Azure VMs
  • Azure Container Registries

GCP

  • GCP Buckets
  • Open GCP Buckets
  • GCP App Engine apps
  • Firebase databases
  • Cloud Functions

Common Examples

Basic Enumeration

cloud_enum -k companyname

Enumerate resources for company.

Multiple Keywords

cloud_enum -kf keywords.txt

Use multiple keywords from file.

With Mutations

cloud_enum -k companyname -m mutations.txt -b

Brute force with keyword mutations.

Quick Scan

cloud_enum -k companyname -qs

Fast scan without mutations.

AWS Only

cloud_enum -k companyname --disable-azure --disable-gcp

Check only AWS resources.

Azure Only

cloud_enum -k companyname --disable-aws --disable-gcp

Check only Azure resources.

Save Output

cloud_enum -k companyname -l results.txt

Log results to file.

JSON Output

cloud_enum -k companyname -f json -l results.json

Save as JSON.

More Threads

cloud_enum -k companyname -b -t 10

Faster brute forcing.

Mutations

Mutations generate variations of your keyword:

# Example mutations file
-dev
-prod
-staging
-backup
-test
-internal
.dev
.prod
_backup

These get appended/prepended to the keyword.

Installation

git clone https://github.com/initstring/cloud_enum.git
cd cloud_enum
pip3 install -r requirements.txt
python3 cloud_enum.py -k test

Tips

  • Use company name, product names, project names as keywords
  • Check variations: companyname, company-name, companynameinc
  • Open buckets are high-value findings
  • Combine with manual checks for access permissions
  • Use mutations for thorough enumeration
  • Check for sensitive file exposure in found buckets
  • Great for OSINT and attack surface mapping
  • Always get authorization before testing access

← Back to cheatsheets

← Home