S3 Bucket Security & Public Access Audit Prompt
Audit an S3 bucket's security posture end to end: public access blocks, bucket policy, ACLs, encryption, versioning, logging, and TLS enforcement, and rank exposure risks.
- Target user: Cloud security engineers and AWS administrators
- Difficulty: Intermediate
- Tools: Claude, ChatGPT
The prompt
You are a senior AWS security engineer auditing an S3 bucket for accidental exposure and misconfiguration. I will provide:

- The Block Public Access settings at both the account level and the bucket level
- Output of `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`
- Encryption configuration (`aws s3api get-bucket-encryption`), versioning status, and server access logging status
- Whether Object Ownership is BucketOwnerEnforced (ACLs disabled) or not
- The bucket's purpose (static assets, backups, sensitive data, log sink) and who or what should be able to access it

Your job:

1. **Assess public exposure.** Evaluate Block Public Access at both levels (the effective setting is the stricter of the two), plus any policy or ACL grant to `*`, AllUsers, or AuthenticatedUsers, and state the real-world reachability: a public policy statement is only reachable if RestrictPublicBuckets is off at both levels, and a public ACL grant only if IgnorePublicAcls is off at both levels and ACLs are still enabled.
2. **Review the policy.** Check for overly broad Principals, a missing Deny on `aws:SecureTransport = false` (TLS enforcement), and whether conditions such as `aws:SourceVpce`, `aws:SourceIp`, or `aws:PrincipalOrgID` are used to scope access where they should be.
3. **Encryption.** Confirm default encryption (SSE-S3 vs SSE-KMS), whether the policy denies uploads that do not set `s3:x-amz-server-side-encryption` (to `aws:kms` where KMS is required), and that the KMS key policy lines up with the principals that need the bucket.
4. **Data durability and forensics.** Check versioning, MFA delete (where used), and server access logging or CloudTrail data-event logging.
5. **ACL hygiene.** Recommend disabling ACLs via BucketOwnerEnforced unless a specific cross-account ACL need exists.
6. **Rank risk.** Order findings Critical/High/Medium with the concrete exposure each one creates.

Output: (a) a risk-ranked finding table, (b) the exact policy or config remediation (JSON or CLI), (c) least-privilege access recommendations, (d) a short "verify it's now private" checklist.

Audit and advise only: produce remediation steps and policy JSON, but do not apply changes or delete objects; the operator confirms intent before acting.
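The checks the prompt asks the model to perform can also be run mechanically against the collected CLI output. The following is an added example, not part of the original page: it takes the decoded JSON that `get-public-access-block`, `get-bucket-policy`, `get-bucket-acl`, `get-bucket-encryption`, `get-bucket-versioning`, `get-bucket-ownership-controls` and `get-bucket-logging` would return (a constructed, deliberately misconfigured sample is embedded), computes real-world reachability from the union of account- and bucket-level Block Public Access, ranks the findings, and emits the two Deny statements the remediation section typically needs. Treating any statement scoped by a VPC endpoint, source IP, or organization ID as non-public is an assumption of this script; AWS's own "public" determination considers more condition keys.

```python
"""Offline S3 posture check (added example, not from the original page)."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Assumption: these keys narrow the caller enough to treat a grant to "*" as non-public.
SCOPING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:PrincipalOrgID"}
RANK = {"Critical": 0, "High": 1, "Medium": 2}


def _statements(policy):
    stmts = policy.get("Statement", []) if policy else []
    return stmts if isinstance(stmts, list) else [stmts]


def _is_public_principal(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))


def _condition_keys(stmt):
    return {k for op in stmt.get("Condition", {}).values() for k in op}


def public_policy_statements(policy):
    """Allow statements open to everyone with no scoping condition."""
    return [s for s in _statements(policy)
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))
            and not (_condition_keys(s) & SCOPING_KEYS)]


def has_tls_deny(policy):
    """True if a Deny statement is keyed on aws:SecureTransport == false (str or bool)."""
    return any(s.get("Effect") == "Deny"
               and str(s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false"
               for s in _statements(policy))


def public_acl_grants(acl):
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def audit(cfg):
    """Return (severity, title, exposure) tuples ordered Critical -> High -> Medium."""
    bpa, acct = cfg["public_access_block"], cfg["account_public_access_block"]
    eff = {k: bool(bpa.get(k)) or bool(acct.get(k)) for k in bpa}  # either level blocking is enough
    findings = []
    pub_stmts = public_policy_statements(cfg.get("policy"))
    if pub_stmts and not eff["RestrictPublicBuckets"]:
        findings.append(("Critical", "Bucket policy grants access to everyone",
                         f"{len(pub_stmts)} public Allow statement(s) reachable from the internet"))
    elif pub_stmts:
        findings.append(("High", "Public policy statement present but blocked",
                         "RestrictPublicBuckets is the only control preventing exposure"))
    acls_enabled = cfg.get("ownership") != "BucketOwnerEnforced"
    pub_grants = public_acl_grants(cfg.get("acl", {}))
    if pub_grants and acls_enabled and not eff["IgnorePublicAcls"]:
        findings.append(("Critical", "Public ACL grant is honoured",
                         f"{len(pub_grants)} AllUsers/AuthenticatedUsers grant(s) reachable"))
    elif pub_grants and acls_enabled:
        findings.append(("High", "Public ACL grant present but ignored",
                         "IgnorePublicAcls is the only control preventing exposure"))
    if acls_enabled:
        findings.append(("Medium", "ACLs still enabled", "Set Object Ownership to BucketOwnerEnforced"))
    if not has_tls_deny(cfg.get("policy")):
        findings.append(("Medium", "No aws:SecureTransport deny", "Plaintext HTTP access is permitted"))
    if not cfg.get("encryption"):
        findings.append(("Medium", "No default encryption configuration", "Encryption depends on each caller"))
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append(("Medium", "Versioning not enabled", "Overwrites and deletes cannot be rolled back"))
    if not cfg.get("logging", {}).get("LoggingEnabled"):
        findings.append(("Medium", "No server access logging", "Object-level reads are not recorded"))
    return sorted(findings, key=lambda f: RANK[f[0]])


def remediation_statements(bucket):
    """Deny plaintext transport and (the common AWS pattern) uploads not requesting SSE-KMS."""
    arn = f"arn:aws:s3:::{bucket}"
    return [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [arn, f"{arn}/*"], "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]


SAMPLE = {  # constructed misconfigured bucket; bucket name is hypothetical
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "account_public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]},
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "encryption": None,  # get-bucket-encryption returned ServerSideEncryptionConfigurationNotFoundError
    "versioning": {"Status": "Suspended"},
    "ownership": "ObjectWriter",
    "logging": {},
}

if __name__ == "__main__":
    for sev, title, exposure in audit(SAMPLE):
        print(f"{sev:8} {title}: {exposure}")
    print(json.dumps(remediation_statements("example-assets"), indent=2))
```

Two design points worth noting: the public-ACL finding is suppressed entirely when Object Ownership is BucketOwnerEnforced, because S3 then ignores ACLs regardless of what `get-bucket-acl` still prints; and a public policy statement that is only neutralised by RestrictPublicBuckets is reported as High rather than dropped, since one settings change would expose it.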
Related prompts

- AWS S3 Lifecycle and Storage Class Optimization Prompt: Design S3 storage-class transitions, lifecycle rules, and Intelligent-Tiering so you cut storage cost without breaking retrieval SLAs, retention requirements, or paying more in transition and request fees than you save.
- S3 Bucket Policy Condition Hardening Review Prompt: Review S3 bucket and access-point policies for over-broad principals, missing TLS/encryption conditions, and confused-deputy exposure.