S3 Exposure Auditor

v1.0.0

Identify publicly accessible S3 buckets, dangerous ACLs, and misconfigured bucket policies

by Anmol Nagpal (@anmolnagpal)

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description map to the instructions: the skill asks users to provide S3-related CLI output (bucket lists, ACLs, policies, public-access-block, Security Hub findings) and then performs analysis. It requests no environment variables, binaries, or installs, which is proportionate for an instruction-only auditor.
Instruction Scope
Overall the runtime instructions stay within scope: they ask for explicit AWS CLI/console output and provide clear read-only permission guidance. A few minor issues to review before trusting recommendations: the suggested SCP phrasing ('deny s3:PutBucketPublicAccessBlock false') is unclear/misspecified and should be validated by an AWS admin; the skill recommends actions (SCPs, AWS Config rules, hardened policies) that a human should review before applying. The SKILL.md does instruct the user to confirm pasted data contains no credentials, which is good practice.
Install Mechanism
No install spec and no code files—this is instruction-only, so nothing will be downloaded or executed by the platform. Lowest-risk install profile.
Credentials
The skill requests no environment variables or credentials (and explicitly says not to request them). However, the required CLI outputs can contain sensitive identifiers (account IDs, ARNs, resource names) and potentially pasted policy documents—users should sanitize outputs and remove any incidental secrets before pasting. The quantity of requested data (multiple bucket policies, ACLs, Security Hub findings) is reasonable for the task.
Persistence & Privilege
The skill is not always-enabled, does not request persistent presence, and has no install-time hooks. It does not modify other skills or system settings on its own.
Assessment
This skill is instruction-only and appears coherent with its purpose, but take these precautions before using it: never paste AWS access keys or secrets—only paste the CLI/console outputs the skill requests; review and redact any account-sensitive information if needed (account IDs, ARNs, internal hostnames); treat the skill's policy/SCP recommendations as guidance only—have an AWS admin validate and test them in a non-production account first; note the SKILL.md contains a possibly incorrect SCP example—clarify that with the author or your security team before applying; if you prefer, run the CLI commands yourself, redact outputs, and then paste sanitized results for analysis.


Latest version id: vk972envqvbg0j8fpv7pheggjrx8248b8
283 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

AWS S3 Bucket Exposure Auditor

You are an AWS S3 security expert. Public S3 buckets are among the most common causes of data breaches.

This skill is instruction-only. It does not execute any AWS CLI commands or access your AWS account directly. You provide the data; Claude analyzes it.

Required Inputs

Ask the user to provide one or more of the following (the more provided, the better the analysis):

  1. S3 bucket list with account-level public access settings
    aws s3api list-buckets --output json
    aws s3control get-public-access-block \
      --account-id $(aws sts get-caller-identity --query Account --output text)

  2. Per-bucket ACL, policy, and public access block — for buckets of concern
    aws s3api get-bucket-acl --bucket my-bucket
    aws s3api get-bucket-policy --bucket my-bucket
    aws s3api get-public-access-block --bucket my-bucket

  3. Security Hub S3 findings (if Security Hub is enabled)
    aws securityhub get-findings \
      --filters '{"ResourceType":[{"Value":"AwsS3Bucket","Comparison":"EQUALS"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' \
      --output json

Minimum required IAM permissions to run the CLI commands above (read-only):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetEncryptionConfiguration", "s3:GetBucketLogging"],
    "Resource": "*"
  }]
}

If the user cannot provide any data, ask them to describe: which buckets are a concern, their intended access level, and what data they contain.

Steps

  1. Check account-level S3 Block Public Access settings
  2. Analyze per-bucket Block Public Access, ACLs, and bucket policies
  3. Identify data sensitivity per bucket (naming/tag heuristics)
  4. Generate hardened bucket policy per finding
  5. Recommend preventive controls

Checks

  • Account-level Block Public Access enabled?
  • Bucket-level Block Public Access overrides?
  • ACL: AllUsers READ/WRITE/READ_ACP grants
  • Bucket policy: "Principal": "*" with s3:GetObject, s3:ListBucket, s3:PutObject
  • Server-side encryption (SSE-S3 or SSE-KMS) enabled?
  • Access logging enabled?
  • Versioning enabled? (ransomware protection)
  • MFA Delete enabled on versioned buckets with sensitive data?
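
The ACL, bucket-policy and Block Public Access checks above, written out as code. This is an added example, not part of the skill or its author's code: it parses the JSON that `get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return and decides whether a bucket is effectively public, taking into account that IgnorePublicAcls neutralises a public ACL and RestrictPublicBuckets neutralises a public policy. The sample inputs and the bucket name `finance-backup` are constructed.

```python
import json

PUBLIC_GRANTEES = {  # canned group URIs that make an ACL grant public
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions named in the skill's policy check (matched case-insensitively, wildcards included)
RISKY_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:putobject", "s3:*", "*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
_aslist = lambda x: x if isinstance(x, list) else [x]  # IAM fields may be scalar or list

def acl_findings(acl):
    """Grants to AllUsers/AuthenticatedUsers in `get-bucket-acl` output."""
    return [f"ACL grants {g['Permission']} to {who}" for g in acl.get("Grants", [])
            if (who := PUBLIC_GRANTEES.get(g.get("Grantee", {}).get("URI", "")))]

def policy_findings(policy):
    """Allow statements with Principal * on risky actions (raw get-bucket-policy output or decoded dict)."""
    if isinstance(policy.get("Policy"), str):  # the CLI wraps the policy document in a JSON string
        policy = json.loads(policy["Policy"])
    out = []
    for st in _aslist(policy.get("Statement", [])):
        p = st.get("Principal")
        anyone = p == "*" or (isinstance(p, dict) and "*" in _aslist(p.get("AWS", [])))
        acts = [a for a in _aslist(st.get("Action", [])) if a.lower() in RISKY_ACTIONS]
        if st.get("Effect") == "Allow" and anyone and acts:
            note = " (has a Condition; review it)" if st.get("Condition") else ""
            out.append(f"policy allows {', '.join(acts)} to Principal *{note}")
    return out

def pab_flags(pab):
    """The four booleans from `get-public-access-block` (s3api bucket-level or s3control account-level)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return {k: bool(cfg.get(k)) for k in PAB_FLAGS}

def audit_bucket(name, acl, policy, bucket_pab, account_pab):
    """A public ACL is neutralised by IgnorePublicAcls and a public policy by
    RestrictPublicBuckets, whichever level (bucket or account) sets them."""
    pab = {k: any(pab_flags(p)[k] for p in (bucket_pab, account_pab)) for k in PAB_FLAGS}
    acl_f, pol_f = acl_findings(acl), policy_findings(policy)
    public = (bool(acl_f) and not pab["IgnorePublicAcls"]) or (bool(pol_f) and not pab["RestrictPublicBuckets"])
    findings = acl_f + pol_f + [f"{k} not enabled" for k, v in pab.items() if not v]
    return {"bucket": name, "effectively_public": public, "findings": findings}

# Constructed sample inputs in the shape of the CLI outputs (not real account data)
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-backup/*"}]})}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_FLAGS}}  # nothing blocked
```

Feed the pasted CLI outputs to `audit_bucket` once per bucket; the account-level `s3control` output is passed as `account_pab` for every bucket.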

Output Format

  • Critical Findings: publicly accessible buckets with estimated data risk
  • Findings Table: bucket name, issue, risk level, estimated sensitivity
  • Hardened Policy: corrected bucket policy JSON per finding
  • Prevention: SCP to deny s3:PutBucketPublicAccessBlock false org-wide
  • AWS Config Rule: s3-bucket-public-read-prohibited + s3-bucket-public-write-prohibited

Rules

  • Use bucket naming to estimate data sensitivity (e.g. "backup", "logs", "data", "pii", "finance" → higher risk)
  • Flag buckets with no encryption as separate finding
  • Always recommend enabling S3 Block Public Access at account level
  • Never ask for credentials, access keys, or secret keys — only exported data or CLI/console output
  • If user pastes raw data, confirm no credentials are included before processing
