DevOps AI ToolKit

S3 Bucket Security & Public Access Audit Prompt

Audit an S3 bucket's security posture end to end: public access blocks, bucket policy, ACLs, encryption, versioning, logging, and TLS enforcement, and rank exposure risks.

Target user
Cloud security engineers and AWS administrators
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a senior AWS security engineer auditing an S3 bucket for accidental exposure and misconfiguration.

I will provide:
- The account/bucket Block Public Access settings (account-level and bucket-level)
- Output of `aws s3api get-bucket-policy` and `get-bucket-acl`
- Encryption config (`get-bucket-encryption`), versioning, and access-logging status
- Whether Object Ownership is BucketOwnerEnforced (ACLs disabled) or not
- The bucket's purpose (static assets, backups, sensitive data, log sink) and who/what should access it

Your job:

1. **Assess public exposure** — evaluate Block Public Access at both levels, plus any policy/ACL grant to `*`, AllUsers, or AuthenticatedUsers, and state the real-world reachability.
2. **Review the policy** — check for overly broad Principals, missing `aws:SecureTransport` (TLS) deny, and conditions (SourceVpce, SourceIp, PrincipalOrgID) that should scope access.
3. **Encryption** — confirm default encryption (SSE-S3 vs SSE-KMS), whether the bucket policy denies `PutObject` requests whose `s3:x-amz-server-side-encryption` header is not `aws:kms` (where KMS is required), and that the KMS key policy grants only the intended principals.
4. **Data durability/forensics** — check versioning, MFA delete (where used), and server access / CloudTrail data-event logging.
5. **ACL hygiene** — recommend disabling ACLs via BucketOwnerEnforced unless a specific cross-account ACL need exists.
6. **Rank risk** — order findings Critical/High/Medium with the concrete exposure each one creates.

Output: (a) a risk-ranked finding table, (b) the exact policy/config remediation (JSON or CLI), (c) least-privilege access recommendations, (d) a short "verify it's now private" checklist.

Audit and advise only: produce remediation steps and policy JSON, but do not apply changes or delete objects; the operator confirms intent before acting.
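The exposure checks the prompt asks for (effective Block Public Access across both levels, anonymous principals in the bucket policy, public ACL grantee groups, the missing TLS deny, and SSE-S3 versus SSE-KMS) can be run offline against the CLI output before handing it to the model. The script below is an added example, not part of the original page or prompt: every input is a constructed sample in the shape returned by `aws s3api get-public-access-block`, `get-bucket-policy`, `get-bucket-acl` and `get-bucket-encryption`, the bucket name, account ID, role and organization ID are made up, and the severity mapping is one reasonable ranking, not an AWS standard.

```python
"""Offline evaluation of the S3 exposure checks from the audit prompt.

Added example. Inputs are constructed samples shaped like the output of
`aws s3api get-public-access-block`, `get-bucket-policy`, `get-bucket-acl`
and `get-bucket-encryption`; nothing here contacts AWS.
"""
import json

BUCKET = "example-bucket"  # constructed name

# Constructed: account-level BPA fully off, bucket-level BPA with two switches off.
ACCOUNT_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BUCKET_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed: get-bucket-policy returns the document as a JSON *string* under "Policy".
BUCKET_POLICY_OUTPUT = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"},
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ]})}

# Constructed: one public ACL grantee group, and SSE-S3 (AES256) as default encryption.
BUCKET_ACL_OUTPUT = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
]}
ENCRYPTION_OUTPUT = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}


def effective_bpa(account, bucket):
    """A BPA switch is enforced if either the account or the bucket turns it on."""
    return {k: bool(account.get(k)) or bool(bucket.get(k)) for k in account}


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of the anonymous principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))


def public_allow_statements(policy):
    """(Sid, scoped) for each Allow to everyone; scoped means a Condition is present."""
    return [(s.get("Sid", "<no Sid>"), "Condition" in s)
            for s in as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))]


def has_tls_deny(policy):
    """Any Deny with Bool aws:SecureTransport == false blocks plaintext HTTP."""
    for s in as_list(policy.get("Statement", [])):
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def default_sse_algorithm(enc_output):
    rules = enc_output["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def audit(account_bpa, bucket_bpa, policy_output, acl_output, enc_output):
    """Return (severity, message) findings, most severe first."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    policy = json.loads(policy_output["Policy"])
    findings = []
    for sid, scoped in public_allow_statements(policy):
        if scoped:
            findings.append(("Medium", f"policy {sid}: Principal * narrowed only by a Condition; verify its key values"))
        elif bpa["RestrictPublicBuckets"]:
            findings.append(("High", f"policy {sid}: public grant present, currently neutralized by RestrictPublicBuckets"))
        else:
            findings.append(("Critical", f"policy {sid}: anonymous access reachable from the internet"))
    for g in acl_output["Grants"]:
        uri = g["Grantee"].get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            sev = "High" if bpa["IgnorePublicAcls"] else "Critical"  # ignored, but one switch from live
            findings.append((sev, f"ACL grants {g['Permission']} to {uri.rsplit('/', 1)[-1]}"))
    if not has_tls_deny(policy):
        findings.append(("Medium", "no Deny on aws:SecureTransport=false; plaintext HTTP is accepted"))
    if default_sse_algorithm(enc_output) != "aws:kms":
        findings.append(("Medium", "default encryption is SSE-S3, not SSE-KMS; no key-policy control over readers"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def tls_deny_statement(bucket):
    """Remediation: the standard statement that denies every non-TLS request."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}


if __name__ == "__main__":
    for sev, msg in audit(ACCOUNT_BPA, BUCKET_BPA, BUCKET_POLICY_OUTPUT, BUCKET_ACL_OUTPUT, ENCRYPTION_OUTPUT):
        print(f"[{sev}] {msg}")
    print(json.dumps(tls_deny_statement(BUCKET), indent=2))
```

On the constructed input this reports the unconditioned `Principal: "*"` read as Critical (RestrictPublicBuckets is off at both levels, so the grant is live), the AuthenticatedUsers ACL as High (IgnorePublicAcls at the bucket level neutralizes it, but a single setting change re-exposes it), and the org-scoped statement, the missing TLS deny and SSE-S3 default as Medium. The emitted deny statement is the one to merge into the bucket policy for the TLS finding; as the prompt says, review it before applying.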
