The Definitive Cloud OSINT Resource - Uncover the Unseen

_{Curated collection of OSINT resources for cloud infrastructure reconnaissance.
Includes dorks, tools, techniques, and methodologies for AWS, Azure, GCP, Oracle Cloud, IBM Cloud, and more.
Built for security professionals, red teamers, bug bounty hunters, and cloud architects.}

If you find this useful, please ⭐ star this repo — it helps others discover it!

---

📖 Contents

• 🗺️ Cloud OSINT Methodology
• ☁️ Cloud Infrastructure Patterns
  • 🔵 Azure Storage
  • 🟠 AWS Regions
  • 🟠 AWS S3 Buckets
  • 🟠 AWS SQS
  • 🔴 GCP Technologies
  • ⚫ IBM Cloud
  • 🟤 Oracle Cloud
  • 📡 Official IP Range Sources
• 🔍 Google Dorks
  • Azure Dorks
  • AWS Dorks
  • Google Cloud Dorks
  • IBM Cloud Dorks
  • Miscellaneous Dorks
• 🌐 Shodan Dorks
  • Filter Reference
  • Azure Queries
  • Amazon Queries
  • Other Cloud Queries
• 🔐 Certificate Transparency
• 📚 Web Cloud OSINT Resources
• 🛠️ Cloud OSINT Tools
  • Multi-Cloud Tools
  • AWS-Specific Tools
  • Azure-Specific Tools
  • GCP-Specific Tools
  • Bucket and Storage Discovery
• 🌍 Domain and Subdomain Identification
• 📝 Dork Generation Tools
• 📦 Additional Resources
• ⚖️ Responsible Use
• 🤝 Contributing

---

🗺️ Cloud OSINT Methodology

Cloud OSINT follows a structured reconnaissance workflow. Use this framework to map resources to your investigation phase.

graph LR
    A[Passive Recon] --> B[Infrastructure Mapping]
    B --> C[Asset Discovery]
    C --> D[Exposure Analysis]
    D --> E[Reporting]

    style A fill:#1a1a2e,stroke:#e94560,color:#fff
    style B fill:#1a1a2e,stroke:#0f3460,color:#fff
    style C fill:#1a1a2e,stroke:#533483,color:#fff
    style D fill:#1a1a2e,stroke:#e94560,color:#fff
    style E fill:#1a1a2e,stroke:#0f3460,color:#fff

Loading

Phase	Techniques	Tools and Resources
🔍 Passive Recon	Google dorks, Shodan queries, DNS lookups, Certificate Transparency	DorkSearch, Shodan, crt.sh, Censys
📡 Infrastructure Mapping	IP range analysis, cloud provider identification, region mapping	AWS ip-ranges.json, Azure IP ranges, BGP lookups
🗂️ Asset Discovery	Bucket enumeration, subdomain discovery, storage scanning	CloudEnum, cloud_enum, S3Scanner, GrayhatWarfare
🔓 Exposure Analysis	Misconfiguration detection, sensitive data search, access testing	S3Browser, BucketLoot, ScoutSuite, Prowler
📊 Reporting	Findings consolidation, evidence collection, risk assessment	Manual analysis + tool outputs

↑ Back to Contents

---

☁️ Cloud Infrastructure Patterns

Understanding cloud URL patterns, regions, and service endpoints is the foundation of Cloud OSINT.

🔵 Azure Storage

Service	URL Pattern
Blob Storage	http://<storageaccount>.blob.core.windows.net
Table Storage	http://<storageaccount>.table.core.windows.net
Queue Storage	http://<storageaccount>.queue.core.windows.net
Azure Files	http://<storageaccount>.file.core.windows.net
Database	http://<storageaccount>.database.windows.net

🟠 AWS Regions

Click to expand full AWS regions list (36 regions)

Region Code	Location
af-south-1	Africa (Cape Town)
ap-east-1	Asia Pacific (Hong Kong)
ap-northeast-1	Asia Pacific (Tokyo)
ap-northeast-2	Asia Pacific (Seoul)
ap-northeast-3	Asia Pacific (Osaka)
ap-south-1	Asia Pacific (Mumbai)
ap-south-2	Asia Pacific (Hyderabad)
ap-southeast-1	Asia Pacific (Singapore)
ap-southeast-2	Asia Pacific (Sydney)
ap-southeast-3	Asia Pacific (Jakarta)
ap-southeast-4	Asia Pacific (Melbourne)
ap-southeast-5	Asia Pacific (Malaysia)
ap-southeast-7	Asia Pacific (Thailand)
ca-central-1	Canada (Central)
ca-west-1	Canada (Calgary)
cn-north-1	China (Beijing)
cn-northwest-1	China (Ningxia)
eu-central-1	Europe (Frankfurt)
eu-central-2	Europe (Zurich)
eu-north-1	Europe (Stockholm)
eu-south-1	Europe (Milan)
eu-south-2	Europe (Spain)
eu-west-1	Europe (Ireland)
eu-west-2	Europe (London)
eu-west-3	Europe (Paris)
il-central-1	Israel (Tel Aviv)
me-central-1	Middle East (UAE)
me-south-1	Middle East (Bahrain)
mx-central-1	Mexico (Central)
sa-east-1	South America (Sao Paulo)
us-east-1	US East (N. Virginia)
us-east-2	US East (Ohio)
us-gov-east-1	AWS GovCloud (US-East)
us-gov-west-1	AWS GovCloud (US-West)
us-west-1	US West (N. California)
us-west-2	US West (Oregon)

🟠 AWS S3 Buckets

Pattern	URL Format
Path style	https://s3.amazonaws.com/[bucketname]
Virtual hosted	https://[bucketname].s3.amazonaws.com
Region specific	https://s3-[region].amazonaws.com/[bucketname]/
Website hosting	https://[bucketname].s3-website-[region].amazonaws.com/

🟠 AWS SQS

https://sqs.[region].amazonaws.com

🔴 GCP Technologies

• GCP Technologies Cheatsheet - Visual overview of all Google Cloud services and their relationships.
• GCP Regions and Zones - Complete list of GCP datacenter locations worldwide.

⚫ IBM Cloud

• IBM Global Cloud Data Centers - Map and list of all IBM Cloud datacenter locations.
• IBM Cloud IP Ranges - Official IP address ranges for IBM Cloud infrastructure.

🟤 Oracle Cloud

• Oracle Cloud Regions - All Oracle Cloud Infrastructure (OCI) region locations.
• Oracle Cloud IP Ranges - Official OCI IP address ranges documentation.

📡 Official IP Range Sources

Direct links to query cloud provider IP ranges programmatically.

Provider	Source	Quick Query
AWS	ip-ranges.json	curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq '.prefixes[]'
Azure	ServiceTags	Download weekly JSON from Microsoft Download Center
GCP	cloud.json	curl -s https://www.gstatic.com/ipranges/cloud.json | jq '.prefixes[]'
Oracle	public_ip_ranges.json	curl -s https://docs.oracle.com/en-us/iaas/tools/public_ip_ranges.json

↑ Back to Contents

---

🔍 Google Dorks

Search engine queries crafted to discover exposed cloud assets, misconfigurations, and sensitive data across major cloud providers.

Azure Dorks

site:blob.core.windows.net "keyword"
site:"blob.core.windows.net" intext:"CONFIDENTIAL"
site:*.core.windows.net intext:"TLP:RED"
site:*.core.windows.net
site:*.core.windows.net +blob
site:*.core.windows.net +files -web -blob
site:*.core.windows.net -web
site:*.core.windows.net -web -blob -files
site:*.core.windows.net inurl:dsts.dsts
site:*.core.windows.net inurl:"term" -web
site:*.blob.core.windows.net ext:xls | ext:xlsx (login | password | username)
intext:connectionstring blob filetype:config
intext:accountkey windows.net filetype:xml
intext:storageaccountkey windows.net filetype:txt

💡 Azure SAS Tokens: Search for "bfqt&srt" to find exposed Shared Access Signature tokens.

AWS Dorks

site:"s3-external-1.amazonaws.com" intext:CONFIDENTIAL
site:"s3.amazonaws.com" intext:CONFIDENTIAL
site:"s3.dualstack.us-east-1.amazonaws.com" intext:CONFIDENTIAL
site:"s3-external-1.amazonaws.com" intext:"TOP SECRET"
site:"s3.amazonaws.com" intext:"tlp:red"
site:"s3.amazonaws.com" intext:"tlp:amber"
site:s3.amazonaws.com example
site:s3.amazonaws.com example.com
site:s3.amazonaws.com example-com
site:s3.amazonaws.com com.example
site:s3.amazonaws.com com-example
site:s3.amazonaws.com filetype:xls password
site:http://s3.amazonaws.com intitle:index.of.bucket
site:http://amazonaws.com inurl:".s3.amazonaws.com/"
s3 site:amazonaws.com filetype:log
site:http://trello.com "aws.amazon.com" "password"

Google Cloud Dorks

site:googleapis.com +commondatastorage
site:.firebaseio.com "COMPANY NAME"
inurl:bc.googleusercontent.com intitle:index of
site:storage.googleapis.com
site:console.cloud.google.com/storage/browser
site:console.cloud.google.com/storage/browser/_details
site:firebasestorage.googleapis.com

IBM Cloud Dorks

site:appdomain.cloud
site:appdomain.cloud +s3
site:*cloud-object-storage.appdomain.cloud
site:codeengine.appdomain.cloud
site:containers.appdomain.cloud
site:clb.appdomain.cloud
site:apiconnect.appdomain.cloud
site:cdn.appdomain.cloud
site:lb.appdomain.cloud
site:vmware.cloud.ibm.com
site:appid.cloud.ibm.com
site:ibmmarketingcloud.com

Miscellaneous Dorks

site:notion.site "keyword"
site:digitaloceanspaces.com "keyword"
site:*.cloudfront.net "keyword"
site:*.herokuapp.com "keyword"
site:*.netlify.app "keyword"
site:*.vercel.app "keyword"

↑ Back to Contents

---

🌐 Shodan Dorks

Shodan queries to discover cloud-hosted services, misconfigurations, and exposed infrastructure.

Filter Reference

Filter	Description
cloud.provider	Filter by cloud provider name (Amazon, Azure, Google, etc.)
cloud.region	Filter by cloud region identifier
cloud.service	Filter by specific cloud service name

Azure Queries

cloud.service:"azureCloud"
cloud.service:"azureCloud" country:GB,US http.title:"swagger" http.status:200
cloud.service:"azureCloud" http.status:200 country:GB,US -http.title:"Your Azure Function App is up and running." -http.title:"IIS Windows Server"
cloud.provider:"Azure" country:GB,US http.status:200 http.title:"Index of /" ssl:true
cloud.provider:"Azure" country:GB,US http.status:200 http.title:"Index of /"
cloud.provider:"Azure" hostname:"cloudapp.net" http.status:200,302
cloud.service:"AzureCloud" http.status:200 http.title:"api"

Amazon Queries

cloud.provider:"Amazon"
cloud.provider:"Amazon" http.status:200,302 http.title:"Index of /"
cloud.provider:"Amazon" http.status:200 "aws" "key"
cloud.provider:"Amazon" http.title:"Dashboard" http.status:200

Other Cloud Queries

cloud.provider:"Google" http.status:200
cloud.provider:"Oracle" http.status:200
site:vps-*.vps.ovh.net
cloud.provider:"DigitalOcean" http.status:200,302

↑ Back to Contents

---

🔐 Certificate Transparency

Certificate Transparency (CT) logs record every SSL/TLS certificate issued, making them a goldmine for discovering cloud-hosted assets and subdomains.

• crt.sh - Search CT logs by domain, organization, or certificate fingerprint. Use example.com to find all subdomains.
• Censys Certificates - Advanced certificate search with filters for cloud provider organizations.
• CertStream - Real-time certificate issuance monitoring to detect new cloud deployments as they go live.
• Facebook CT Monitor - Monitor certificates issued for specific domains.

Example CT queries for cloud assets:

# Find all subdomains via crt.sh
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u

# Search for cloud-specific certificate organizations
# On crt.sh: O=Amazon, O=Microsoft Corporation, O=Google Trust Services

↑ Back to Contents

---

📚 Web Cloud OSINT Resources

Online platforms and search engines for discovering exposed cloud assets and misconfigurations.

• GrayhatWarfare - Search engine for open S3 buckets, Azure blobs, and GCP storage across cloud providers.
• Google Custom Search for Cloud Storage - Custom Google search engine focused on cloud storage buckets and containers.
• FullHunt - Attack surface discovery platform with cloud asset identification capabilities.
• AADInternals OSINT - Azure Active Directory tenant information including subdomains and configuration data.
• SOCRadar BlueBleed - Discover misconfigured servers containing sensitive data across Azure, AWS, and GCP storage.
• Forager by TruffleSecurity - Explore exposed cloud and service keys/credentials found in public sources.
• AWS Eye - OSINT tool for investigating AWS configurations, identifying misconfigured S3 buckets, and uncovering cloud exposures.
• LeakIX - Search engine for exposed services and data leaks, with cloud infrastructure filters.
• PublicWWW - Source code search engine useful for finding websites connected to specific cloud services.

💡 Tip: Use the GrayhatWarfare API to programmatically search for exposed files:

curl "https://buckets.grayhatwarfare.com/api/v1/files/[KEYWORD]?access_token=[TOKEN]&extensions=docx,xlsx,pdf"

↑ Back to Contents

---

🛠️ Cloud OSINT Tools

Curated collection of tools for cloud reconnaissance, enumeration, and security assessment. Organized by scope and cloud provider.

Multi-Cloud Tools

• CloudEnum - Multi-cloud OSINT tool that enumerates public resources across AWS, Azure, and GCP simultaneously.
• CloudBrute - Cloud infrastructure discovery tool supporting multiple providers with concurrent enumeration.
• CloudFox - Automating situational awareness for cloud penetration testing across AWS, Azure, and GCP.
• CloudSploit - Cloud security posture management detecting misconfigurations across AWS, Azure, GCP, and Oracle.
• Cartography - Consolidates infrastructure assets and relationships across cloud providers into a graph database.
• Prowler - Open-source cloud security tool for AWS, Azure, GCP, and Kubernetes with 300+ checks.
• ScoutSuite - Multi-cloud security auditing tool for AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud configurations.
• Steampipe - Query cloud infrastructure using SQL across AWS, Azure, GCP, and 100+ other services.

AWS-Specific Tools

• AWSBucketDump - Quickly enumerate AWS S3 buckets and search for interesting files within discovered buckets.
• enumerate-iam - Enumerate IAM permissions for a given set of AWS credentials without logging.
• lazys3 - Brute-force AWS S3 bucket discovery using different permutations of common names.
• Pacu - AWS exploitation framework designed for offensive security testing of cloud environments.
• S3Scanner - Scan for open S3 buckets, dump their contents, and check bucket permissions.
• WeirdAAL - AWS Attack Library for testing and validating AWS security configurations.

Azure-Specific Tools

• AADInternals - PowerShell module for Azure AD and Office 365 administration, exploitation, and backdooring.
• MicroBurst - PowerShell toolkit for attacking Azure services including storage, key vaults, and more.
• ROADtools - Framework for Azure AD reconnaissance and exploration of directory data.
• Stormspotter - Azure AD and resource visualization tool for mapping attack paths.

GCP-Specific Tools

• GCPBucketBrute - Enumerate Google Storage buckets, determine access permissions, and check privilege escalation.
• gcp_enum - GCP enumeration tool for discovering and auditing Google Cloud resources.
• Hayat - GCP resource enumeration and analysis tool for security assessments.

Bucket and Storage Discovery

• bucket_finder - Tool to bruteforce for the existence of AWS S3 buckets and check permissions.
• BucketLoot - Automated tool to inspect exposed storage buckets for sensitive data across cloud providers.
• S3 Browser - Windows client for Amazon S3 and CloudFront, useful for browsing discovered bucket contents.

↑ Back to Contents

---

🌍 Domain and Subdomain Identification

Tools and services for discovering domains, subdomains, and cloud-associated hostnames.

• Censys Search - Search engine for hosts, domains, SSL certificates, and cloud-associated infrastructure.
• crt.sh - Find domains and subdomains through SSL certificate transparency logs.
• DNSDumpster - Domain research tool for DNS recon and discovering hosts related to a target domain.
• osint.sh DNS History - Historical DNS record lookup to track infrastructure changes over time.
• osint.sh Subdomain Finder - Subdomain enumeration through multiple data sources.
• SecurityTrails - Historical DNS data and domain intelligence with API access for automation.
• Spyse - Domain and subdomain enumeration with detailed DNS intelligence.
• Subfinder - Fast passive subdomain enumeration tool using multiple online sources.
• ZoomEye - Cyberspace search engine for discovering internet-connected devices and exposed services.

↑ Back to Contents

---

📝 Dork Generation Tools

Tools to help craft and optimize search engine dorks for cloud OSINT investigations.

• DorkSearch - Visual dork builder with pre-built templates for common cloud searches.
• DorkGPT - AI-powered Google dork generator using ChatGPT for custom query creation.
• Google Hacking Database (GHDB) - Extensive database of Google dork queries categorized by target type.

↑ Back to Contents

---

📦 Additional Resources

Complementary tools and platforms that enhance Cloud OSINT workflows.

• Dedigger - Find exposed files in Google Drive using search terms like AWS, Azure, GCP, etc.
• httpx - Fast HTTP toolkit useful for probing discovered cloud endpoints at scale.
• IntelX - Intelligence search engine indexing historical data from cloud services, paste sites, and data leaks.
• Nuclei - Vulnerability scanner with cloud-specific templates for detecting misconfigurations.

↑ Back to Contents

---

⚖️ Responsible Use

⚠️ Important: The resources in this repository are intended for authorized security testing, educational purposes, and legitimate research only.

Cloud OSINT techniques can reveal sensitive information about organizations' cloud infrastructure. Users of this repository are expected to:

• Obtain proper authorization before conducting any reconnaissance against cloud infrastructure you do not own.
• Follow applicable laws including the Computer Fraud and Abuse Act (CFAA), GDPR, and equivalent regulations in your jurisdiction.
• Practice responsible disclosure if you discover exposed data or misconfigurations belonging to third parties.
• Respect privacy and avoid accessing, downloading, or distributing sensitive data found through these techniques.

Neither the maintainers of this repository nor 7Way Security are responsible for any misuse of the information provided herein.

↑ Back to Contents

---

🤝 Contributing

Contributions are welcome and appreciated! Please read our Contributing Guidelines before submitting a PR.

Quick contribution guide:

1. Fork this repository
2. Add your resource following the format: - [Tool Name](https://url.com) - Brief description of what it does.
3. Ensure your addition is placed in the correct category
4. Submit a Pull Request

See CONTRIBUTING.md for detailed instructions.

---

_{Maintained with ❤️ by 7Way Security | 7waysecurity.com}