CloudOps

AI for DevOps Security & Hardening

Cloud Storage Public-Exposure Audit Prompt

Audit object storage (S3, GCS, Azure Blob) for public exposure — bucket policies, ACLs, account-level blocks, and access logging — and produce safe remediation that won't break legitimate access.

Target user
Cloud and data engineers responsible for object storage
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a cloud data-security engineer who has closed countless public-bucket exposures without taking down the apps that legitimately serve from them.

I will provide:
- Bucket inventory with policies, ACLs, and account/Block-Public-Access settings (e.g., `aws s3api get-bucket-policy/-acl/-public-access-block`, or GCS/Azure equivalents)
- Which buckets are intentionally public (static sites, public assets) vs private
- Access patterns: who/what reads each bucket, whether a CDN sits in front of it, presigned URL usage
- Logging/encryption configuration

Your job — audit and harden, never exfiltrate data:

1. **Classify each bucket** — Public-intended / Private / Unknown. For Unknown, list what evidence you need to classify it.

2. **Find real exposure** — evaluate the *effective* access by combining account block settings, bucket policy, ACLs, and any `Principal: "*"`. Flag: public read/write, `aws:PrincipalOrgID`-less wildcard grants, writable-by-anyone (worst case), and cross-account grants to unknown accounts.

3. **Rank by sensitivity x reach** — a public bucket of CSS is low; a publicly listable bucket with backups, logs, or PII is critical. Order findings accordingly.

4. **Remediate safely** — for each finding, give the exact fix: enable account-level Block Public Access / "enforce public access prevention", switch to Object Ownership = Bucket owner enforced (drop ACLs), tighten the policy to specific principals, and front truly-public assets with a CDN + OAC/signed URLs instead of raw public reads. Note the legitimate access that each change could disrupt and how to preserve it.

5. **Encryption & logging** — confirm default encryption (SSE-KMS where data is sensitive), enable access logging / data events, and versioning + MFA-delete for critical buckets.

6. **Prevent recurrence** — propose the SCP/Org Policy that forbids disabling public-access blocks, plus a scheduled scan (provider config rule / scanner) that alerts on any new public bucket.

Output as: (a) classified bucket table, (b) effective-exposure findings ranked by risk, (c) safe remediation steps per bucket with disruption notes, (d) encryption/logging gaps, (e) org-level preventive guardrail + scan.

Bias toward: default-deny public access, CDN/signed-URL over raw public reads, and org guardrails that make exposure impossible by default.
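Steps 1 to 3 above are the part most worth seeing in code: effective exposure is what remains after the account and bucket Block Public Access settings, Object Ownership, the bucket policy and the ACL are combined, and the ranking multiplies sensitivity by reach. The following is an added example, not code from the page or from any cloud provider's tooling. It assumes a constructed inventory shape (one dict per bucket, with the policy and ACL grants already fetched), a simplified model of the S3 rules (`RestrictPublicBuckets` neutralises a public policy, `IgnorePublicAcls` or `BucketOwnerEnforced` neutralises a public ACL, a wildcard grant counts as scoped only when its `Condition` carries one of the listed keys), and made-up account ids and bucket names.

```python
"""Effective public-exposure audit over a constructed bucket inventory (added example).

Simplified model of how S3 combines Block Public Access (account and bucket level),
bucket policy, ACLs and Object Ownership into *effective* access. It is a triage
model, not the provider's access analyzer: a wildcard grant is treated as scoped
only when one of SCOPING_KEYS appears in its Condition.
"""
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceVpce", "aws:SourceVpc"}
PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}   # ACL group grantees, URI prefix dropped
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SENSITIVITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REACH = {"public-write": 4, "public-list": 3, "public-read": 2, "cross-account-unknown": 1}
WRITE_ACTIONS = {"s3:*", "s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy", "s3:PutBucketAcl"}
REMEDIATION = {  # step 4 in one line each, with the disruption note
    "public-write": "set RestrictPublicBuckets=true and drop the wildcard grant; no legitimate reader is affected",
    "public-list": "Object Ownership = BucketOwnerEnforced (drops ACLs) plus IgnorePublicAcls=true; check for ACL-dependent writers first",
    "public-read": "front with CDN + OAC/signed URLs, then RestrictPublicBuckets=true; verify CDN origin access before flipping",
    "cross-account-unknown": "confirm the account owner; otherwise scope Principal to known accounts or add aws:PrincipalOrgID",
}

def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def merge_bpa(account: dict, bucket: dict) -> dict:
    """The more restrictive of account- and bucket-level Block Public Access wins."""
    return {k: bool(account.get(k)) or bool(bucket.get(k)) for k in BPA_KEYS}

def is_wildcard(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))

def condition_keys(condition) -> set:
    return {key for operator in (condition or {}).values() for key in operator}

def principal_accounts(principal) -> set:
    """Account ids named in the AWS principal, from ARNs or bare 12-digit ids."""
    if not isinstance(principal, dict):
        return set()
    return {p.split(":")[4] if p.startswith("arn:") else p for p in as_list(principal.get("AWS")) if p != "*"}

def policy_exposures(policy, bpa: dict, known_accounts: set):
    for stmt in (policy or {}).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action")))
        if is_wildcard(stmt.get("Principal")):
            # A public grant is neutralised by RestrictPublicBuckets or scoped by an org/VPC condition.
            if bpa["RestrictPublicBuckets"] or condition_keys(stmt.get("Condition")) & SCOPING_KEYS:
                continue
            if actions & WRITE_ACTIONS:
                yield "public-write"
            elif "s3:ListBucket" in actions:
                yield "public-list"
            elif "s3:GetObject" in actions:
                yield "public-read"
        elif principal_accounts(stmt.get("Principal")) - known_accounts:
            yield "cross-account-unknown"

def acl_exposures(bucket: dict, bpa: dict):
    # ACLs are inert under BucketOwnerEnforced, and public ACL grants are ignored by IgnorePublicAcls.
    if bucket.get("object_ownership") == "BucketOwnerEnforced" or bpa["IgnorePublicAcls"]:
        return
    for grant in bucket.get("acl_grants", []):
        if grant["grantee"] in PUBLIC_GRANTEES:
            # Bucket-level READ lets anyone list the bucket; WRITE-class grants let anyone modify it.
            yield "public-write" if grant["permission"] in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "public-list"

def audit(inventory: list, account_bpa: dict, known_accounts: set) -> list:
    """Steps 2 and 3: effective-exposure findings ranked by sensitivity x reach, highest risk first."""
    findings = []
    for b in inventory:
        bpa = merge_bpa(account_bpa, b.get("public_access_block", {}))
        kinds = set(policy_exposures(b.get("policy"), bpa, known_accounts)) | set(acl_exposures(b, bpa))
        for kind in kinds:
            findings.append({"bucket": b["name"], "kind": kind, "risk": SENSITIVITY[b["sensitivity"]] * REACH[kind],
                             "intended_public": b["intended"] == "public", "fix": REMEDIATION[kind]})
    return sorted(findings, key=lambda f: (-f["risk"], f["bucket"], f["kind"]))

def classify(inventory: list) -> dict:
    """Step 1: Public / Private / Unknown, with the evidence still needed for Unknown buckets."""
    evidence = ["access logs for the last 30 days", "owning team", "CDN or presigned-URL usage", "data classification"]
    return {b["name"]: {"class": b["intended"].capitalize(),
                        "evidence_needed": evidence if b["intended"] == "unknown" else []} for b in inventory}

ACCOUNT_BPA = {k: False for k in BPA_KEYS}          # constructed: account-level block not yet enabled
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}   # constructed: accounts in our organisation
INVENTORY = [  # constructed sample inventory; names and ids are made up
    {"name": "site-assets", "intended": "public", "sensitivity": "low",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::site-assets/*"}]}},
    {"name": "db-backups", "intended": "private", "sensitivity": "critical", "object_ownership": "ObjectWriter",
     "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                               "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::db-backups/*"}]}},
    {"name": "uploads", "intended": "private", "sensitivity": "medium",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::uploads/*"}]}},
    {"name": "app-logs", "intended": "private", "sensitivity": "high", "public_access_block": {"RestrictPublicBuckets": True},
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*",
                               "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}}]}},
    {"name": "pii-exports", "intended": "unknown", "sensitivity": "critical"},
]

if __name__ == "__main__":
    for name, c in classify(INVENTORY).items():
        print(name, c["class"], c["evidence_needed"])
    for f in audit(INVENTORY, ACCOUNT_BPA, KNOWN_ACCOUNTS):
        print(f["risk"], f["bucket"], f["kind"], "->", f["fix"])
```

On the sample inventory the public ACL on the backup bucket outranks the anonymous-write grant on the uploads bucket because sensitivity is part of the score, the org-scoped wildcard on the logs bucket produces no finding at all, and the intentionally public asset bucket still appears (at the bottom) so it can be moved behind a CDN rather than left as a raw public read. Feeding real `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` output into this shape is a small adapter; the scoring and merge rules are the part that carries over.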