explainx.ainewsletter3.4k
auditing-aws-s3-bucket-permissions

auditing-aws-s3-bucket-permissions

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/auditing-aws-s3-bucket-permissions
0 commentsdiscussion
summary

Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls.

skill.md
name
auditing-aws-s3-bucket-permissions
description
'Systematically audit AWS S3 bucket permissions to identify publicly accessible buckets, overly permissive ACLs, misconfigured bucket policies, and missing encryption settings using AWS CLI, S3audit, and Prowler to enforce least-privilege data access controls. '
domain
cybersecurity
subdomain
cloud-security
tags
- cloud-security - aws - s3 - bucket-permissions - data-protection - access-control
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01

Auditing AWS S3 Bucket Permissions

When to Use

  • When conducting a security assessment of AWS environments to identify publicly exposed data
  • When onboarding a new AWS account and establishing a security baseline for storage resources
  • When responding to an alert about potential S3 data exposure from AWS Trusted Advisor or Security Hub
  • When compliance frameworks (SOC 2, PCI DSS, HIPAA) require periodic review of data access controls
  • When a breach or credential compromise necessitates immediate review of all accessible S3 resources

Do not use for auditing non-AWS object storage (use provider-specific tools), for real-time monitoring (use S3 Event Notifications with Lambda), or for auditing S3 access patterns (use S3 Access Analyzer or CloudTrail S3 data events).

Prerequisites

  • AWS CLI v2 configured with credentials that have s3:GetBucketPolicy, s3:GetBucketAcl, s3:GetBucketPublicAccessBlock, s3:GetEncryptionConfiguration, and s3:ListAllMyBuckets permissions
  • Prowler installed (pip install prowler) for automated CIS benchmark checks
  • S3audit or similar enumeration tool for quick public bucket detection
  • Access to AWS Organizations if auditing across multiple accounts
  • Python 3.8+ with boto3 for custom audit scripts

Workflow

Step 1: Enumerate All S3 Buckets and Account-Level Block Public Access

Check the account-level S3 Block Public Access settings first, then list all buckets with their regions.

# Check account-level S3 Block Public Access settings
aws s3control get-public-access-block \
  --account-id $(aws sts get-caller-identity --query Account --output text) \
  --output json

# List all buckets with creation dates
aws s3api list-buckets \
  --query 'Buckets[*].[Name,CreationDate]' \
  --output table

# Get bucket regions for each bucket
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  region=$(aws s3api get-bucket-location --bucket "$bucket" --query 'LocationConstraint' --output text)
  echo "$bucket -> ${region:-us-east-1}"
done

Step 2: Check Each Bucket's Public Access Block and ACL Configuration

Iterate through all buckets to evaluate their individual public access blocks and ACL grants.

# Check per-bucket Block Public Access settings
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  echo "=== $bucket ==="
  aws s3api get-public-access-block --bucket "$bucket" 2>/dev/null || echo "  No Block Public Access configured"

  # Check ACL for public grants
  aws s3api get-bucket-acl --bucket "$bucket" \
    --query 'Grants[?Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers` || Grantee.URI==`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`]' \
    --output json
done

Step 3: Analyze Bucket Policies for Overly Permissive Access

Review bucket policies for wildcard principals, missing conditions, and statements that allow broad access.

# Extract and analyze bucket policies
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  policy=$(aws s3api get-bucket-policy --bucket "$bucket" --output text 2>/dev/null)
  if [ -n "$policy" ]; then
    echo "=== $bucket policy ==="
    echo "$policy" | python3 -c "
import json, sys
policy = json.load(sys.stdin)
for stmt in policy.get('Statement', []):
    principal = stmt.get('Principal', {})
    effect = stmt.get('Effect', '')
    if principal == '*' or principal == {'AWS': '*'}:
        print(f'  WARNING: {effect} with wildcard principal')
        print(f'  Actions: {stmt.get(\"Action\", \"\")}')
        print(f'  Condition: {stmt.get(\"Condition\", \"NONE\")}')
"
  fi
done

Step 4: Verify Encryption and Versioning Settings

Check that all buckets have server-side encryption enabled and versioning configured for data protection.

# Check encryption and versioning status for all buckets
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do
  echo "=== $bucket ==="

  # Encryption configuration
  aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null \
    && echo "  Encryption: ENABLED" \
    || echo "  Encryption: DISABLED"

  # Versioning status
  aws s3api get-bucket-versioning --bucket "$bucket" \
    --query 'Status' --output text

  # Logging status
  aws s3api get-bucket-logging --bucket "$bucket" \
    --query 'LoggingEnabled' --output text 2>/dev/null
done

Step 5: Run Prowler S3-Specific Checks

Execute Prowler's S3-focused checks aligned with CIS AWS Foundations Benchmark.

# Run Prowler S3-specific checks
prowler aws \
  --checks s3_bucket_public_access \
           s3_bucket_default_encryption \
           s3_bucket_policy_public_write_access \
           s3_bucket_server_access_logging_enabled \
           s3_bucket_versioning_enabled \
           s3_bucket_acl_prohibited \
  -M json-ocsf \
  -o ./prowler-s3-audit/

# View summary
prowler aws --checks s3 -M csv -o ./prowler-s3-audit/

Step 6: Use IAM Access Analyzer for S3 Public and Cross-Account Findings

Leverage IAM Access Analyzer to identify buckets shared externally or publicly.

# List Access Analyzer findings for S3
aws accessanalyzer list-findings \
  --analyzer-arn $(aws accessanalyzer list-analyzers --query 'analyzers[0].arn' --output text) \
  --filter '{"resourceType": {"eq": ["AWS::S3::Bucket"]}}' \
  --query 'findings[*].[resource,status,condition,principal]' \
  --output table

# Create an analyzer if one does not exist
aws accessanalyzer create-analyzer \
  --analyzer-name s3-access-audit \
  --type ACCOUNT

Step 7: Generate Audit Report and Remediate

Compile findings into an actionable report and apply remediation for critical issues.

# Quick remediation: Enable Block Public Access on a bucket
aws s3api put-public-access-block \
  --bucket TARGET_BUCKET \
  --public-access-block-configuration \
  'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true'

# Enable default encryption with SSE-S3
aws s3api put-bucket-encryption \
  --bucket TARGET_BUCKET \
  --server-side-encryption-configuration \
  '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"alias/aws/s3"},"BucketKeyEnabled":true}]}'

# Enable versioning
aws s3api put-bucket-versioning \
  --bucket TARGET_BUCKET \
  --versioning-configuration Status=Enabled

Key Concepts

TermDefinition
S3 Block Public AccessAccount-level and bucket-level settings that override ACLs and policies to prevent public access regardless of individual resource configurations
Bucket PolicyJSON-based resource policy attached to a bucket that defines who can access the bucket and what actions they can perform
ACL (Access Control List)Legacy S3 access control mechanism granting permissions to AWS accounts or predefined groups like AllUsers or AuthenticatedUsers
IAM Access AnalyzerAWS service that analyzes resource policies to identify resources shared with external entities or the public
Server-Side EncryptionEncryption applied by S3 at the object level using SSE-S3, SSE-KMS, or SSE-C before writing data to disk
CIS AWS Foundations BenchmarkSecurity best practice standard from Center for Internet Security with specific controls for S3 bucket configuration

Tools & Systems

  • AWS CLI: Primary interface for querying S3 bucket configurations, policies, ACLs, and encryption settings
  • Prowler: Open-source security tool with 50+ S3-specific checks aligned to CIS, PCI DSS, and HIPAA controls
  • IAM Access Analyzer: AWS-native service for continuous monitoring of resource policies that grant external access
  • S3audit: Lightweight tool for quick enumeration of public S3 buckets across an account
  • ScoutSuite: Multi-cloud auditing tool that collects S3 configuration data and generates risk-scored HTML reports

Common Scenarios

Scenario: Identifying a Publicly Readable Bucket Containing Customer Data

Context: A security engineer receives a Trusted Advisor alert about a publicly accessible S3 bucket. The bucket was created by a development team for a demo and was never locked down.

Approach:

  1. Run aws s3api get-bucket-acl and find a grant to AllUsers with READ permission
  2. Check get-bucket-policy and discover a policy with Principal: "*" and s3:GetObject
  3. Confirm Block Public Access is not enabled at the bucket or account level
  4. Enumerate bucket contents to assess data sensitivity
  5. Immediately enable Block Public Access on the bucket
  6. Review CloudTrail S3 data events to determine if unauthorized access occurred
  7. Report the finding with timeline, data inventory, and remediation confirmation

Pitfalls: Enabling Block Public Access can break applications that intentionally serve content publicly (static websites). Always verify the bucket's intended use before applying restrictions. Check for CloudFront distributions or other services relying on the bucket's public access.

Output Format

S3 Bucket Permissions Audit Report
=====================================
Account: 123456789012 (Production)
Date: 2026-02-23
Auditor: Security Engineering Team
Total Buckets: 47

ACCOUNT-LEVEL SETTINGS:
  Block Public Access: ENABLED (all four settings)

CRITICAL FINDINGS:
[S3-001] Public Read Access via ACL
  Bucket: marketing-assets-prod
  Issue: AllUsers group granted READ permission via ACL
  Risk: Any internet user can list and download bucket contents
  Data Sensitivity: Contains customer-facing but non-sensitive marketing assets
  Remediation: Remove AllUsers ACL grant, enable Block Public Access

[S3-002] Wildcard Principal in Bucket Policy
  Bucket: data-exchange-partner
  Issue: Policy allows s3:GetObject with Principal "*" and no VPC/IP condition
  Risk: Intended for partner access but accessible to anyone with the bucket name
  Remediation: Add aws:SourceVpce or aws:SourceIp condition to restrict access

SUMMARY:
  Buckets with public access:           3 / 47
  Buckets without encryption:           5 / 47
  Buckets without versioning:          12 / 47
  Buckets without access logging:      18 / 47
  Buckets with overly broad policies:   7 / 47
how to use auditing-aws-s3-bucket-permissions

How to use auditing-aws-s3-bucket-permissions on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add auditing-aws-s3-bucket-permissions
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/auditing-aws-s3-bucket-permissions

The skills CLI fetches auditing-aws-s3-bucket-permissions from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/auditing-aws-s3-bucket-permissions

Reload or restart Cursor to activate auditing-aws-s3-bucket-permissions. Access the skill through slash commands (e.g., /auditing-aws-s3-bucket-permissions) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.662 reviews
  • Naina Jackson· Dec 28, 2024

    I recommend auditing-aws-s3-bucket-permissions for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Kwame Verma· Dec 12, 2024

    auditing-aws-s3-bucket-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Valentina Zhang· Dec 12, 2024

    Useful defaults in auditing-aws-s3-bucket-permissions — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Zara Malhotra· Dec 8, 2024

    auditing-aws-s3-bucket-permissions has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • William Choi· Dec 4, 2024

    Keeps context tight: auditing-aws-s3-bucket-permissions is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Kwame Anderson· Nov 27, 2024

    auditing-aws-s3-bucket-permissions fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Naina Patel· Nov 19, 2024

    auditing-aws-s3-bucket-permissions reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Michael Huang· Nov 15, 2024

    Keeps context tight: auditing-aws-s3-bucket-permissions is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Anika Lopez· Nov 3, 2024

    I recommend auditing-aws-s3-bucket-permissions for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • William Robinson· Nov 3, 2024

    Registry listing for auditing-aws-s3-bucket-permissions matched our evaluation — installs cleanly and behaves as described in the markdown.

showing 1-10 of 62

1 / 7