<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nikodemus Rechul</title>
    <description>The latest articles on DEV Community by Nikodemus Rechul (@nikodemus_rechul_eb50be9b).</description>
    <link>https://dev.to/nikodemus_rechul_eb50be9b</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4034770%2Ff3e44088-951f-4fd3-95b6-83e728aa82b3.jpeg</url>
      <title>DEV Community: Nikodemus Rechul</title>
      <link>https://dev.to/nikodemus_rechul_eb50be9b</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nikodemus_rechul_eb50be9b"/>
    <language>en</language>
    <item>
      <title>Your AWS account is one misconfiguration away from being a public file server</title>
      <dc:creator>Nikodemus Rechul</dc:creator>
      <pubDate>Sat, 18 Jul 2026 08:58:14 +0000</pubDate>
      <link>https://dev.to/nikodemus_rechul_eb50be9b/your-aws-account-is-one-misconfiguration-away-from-being-a-public-file-server-3gg5</link>
      <guid>https://dev.to/nikodemus_rechul_eb50be9b/your-aws-account-is-one-misconfiguration-away-from-being-a-public-file-server-3gg5</guid>
      <description>&lt;p&gt;There's a particular kind of bad day that starts when someone tweets a screenshot of an S3 bucket that's been publicly readable for six months. Customer data, internal docs, backup files — everything that was supposed to be private, leaking out one unauthenticated GET request at a time. It's not the latest CVE. It's not a sophisticated attacker. It's a misconfigured bucket policy someone shipped in 2022 and forgot about.&lt;/p&gt;

&lt;p&gt;If you run a small SaaS product on AWS, this is the threat model that should worry you — more than zero-days, more than nation-states. The thing that gets you is the bucket you forget about.&lt;/p&gt;

&lt;p&gt;I've shipped those mistakes. I ran an S3-backed service for six years and accrued the IAM scar tissue. Then I built SentryHive — a free AWS misconfiguration scanner aimed at small teams without a security engineer. The free tier returns the top 10 findings for any AWS account. I'll walk through what a scan finds and how to fix it.&lt;/p&gt;

&lt;p&gt;What "misconfiguration" actually means&lt;br&gt;
Not exotic. Mostly one of five patterns:&lt;/p&gt;

&lt;p&gt;An S3 bucket that's somehow public. Through a bucket policy, an ACL, or an account-level setting that overrides block-public-access guards. Any of the three is enough.&lt;br&gt;
IAM users with stale access keys. Keys in plaintext config files, repos, CI logs. Rotating last &amp;gt;90 days.&lt;br&gt;
Security groups allowing SSH (22) or RDP (3389) from 0.0.0.0/0. The whole internet can guess your password ten times a minute.&lt;br&gt;
RDS or ElastiCache reachable from any IP, not just the VPC. Sometimes the right answer is "no public endpoint at all."&lt;br&gt;
Lambda or EC2 running with admin permissions. If they're compromised, the attacker owns the account.&lt;br&gt;
None of these are sophisticated vulnerabilities. They're "we meant to lock this down and never came back to it" situations. By year one on AWS, the average account has somewhere between 15 and 30 of them.&lt;/p&gt;

&lt;p&gt;Why this hits small teams hardest&lt;br&gt;
Fortune 500s have a security team whose whole job is to run Prowler or ScoutSuite every week and file tickets. Small teams have one developer handling deploy pipelines, billing, and customer support. They know they're supposed to audit IAM, but between chasing a Stripe webhook bug and a Postgres connection pool issue, it never happens.&lt;/p&gt;

&lt;p&gt;The conventional answer is "hire a security engineer" — $180k+ in market — or "use a consultant" — a $20k engagement that produces a 40-page PDF nobody reads.&lt;/p&gt;

&lt;p&gt;The answer I've settled on is a scanner that gives you the misconfigurations and the code to fix them. That's the differentiator: not "we found 47 findings," but "here's the IAM policy that fixes findings 12, 18, and 31, written in plain English, deployable in a PR."&lt;/p&gt;

&lt;p&gt;Running a scan against your own account&lt;br&gt;
Two prerequisites: an AWS account and ten minutes.&lt;/p&gt;

&lt;p&gt;Step 1 — Create a read-only IAM role. Don't give any scanner your permanent access keys. The portable, auditable pattern is a cross-account IAM role that trusts the scanner's AWS account — scanner assumes the role, reads what it needs, end of story. Two ways:&lt;/p&gt;

&lt;p&gt;Easy: Click the CloudFormation button on the scanner's setup page. AWS opens the stack wizard. Defaults are safe. Hit deploy.&lt;br&gt;
Manual: Paste a trust policy JSON into IAM. The pattern is standard AWS docs territory. Read-only. No * on iam:&lt;em&gt;. No s3:Get&lt;/em&gt; write paths. If the scanner doesn't need write access to scan, it doesn't get write access. Non-negotiable.&lt;br&gt;
Step 2 — Trigger the scan. Enter your account ID, click Scan. Roughly: list S3 buckets → check policies + ACLs + account-level Block Public Access. List IAM users → check key age. List security groups → 0.0.0.0/0 ingress on management ports. List RDS → PubliclyAccessible flag. Typical scan: 45 to 90 seconds. Faster, it's skipping checks. Slower, it's running too many.&lt;/p&gt;

&lt;p&gt;Step 3 — Read the report. The most common "Critical" finding on a small account is a publicly readable S3 bucket. Sometimes user-upload. Sometimes a terraform apply that applied a wildcard Principal: * to fix a CORS issue, and the CORS issue got fixed but the bucket policy didn't get tightened.&lt;/p&gt;

&lt;p&gt;The fix isn't "delete the bucket." It's a deny policy:&lt;/p&gt;

&lt;p&gt;{&lt;br&gt;
  "Version": "2012-10-17",&lt;br&gt;
  "Statement": [&lt;br&gt;
    {&lt;br&gt;
      "Sid": "DenyNonAccountAccess",&lt;br&gt;
      "Effect": "Deny",&lt;br&gt;
      "Principal": "&lt;em&gt;",&lt;br&gt;
      "Action": "s3:&lt;/em&gt;",&lt;br&gt;
      "Resource": [&lt;br&gt;
        "arn:aws:s3:::your-bucket-name",&lt;br&gt;
        "arn:aws:s3:::your-bucket-name/*"&lt;br&gt;
      ],&lt;br&gt;
      "Condition": {&lt;br&gt;
        "StringNotEquals": {&lt;br&gt;
          "aws:PrincipalAccount": "123456789012"&lt;br&gt;
        }&lt;br&gt;
      }&lt;br&gt;
    }&lt;br&gt;
  ]&lt;br&gt;
}&lt;br&gt;
Anyone inside your AWS account can hit the bucket over IAM. Anyone outside (including unauthenticated users) gets denied. This is the pattern most teams want but never quite get to. Same shape applies to almost every other Critical finding — the tool gives you the policy, you commit it, you move on.&lt;/p&gt;

&lt;p&gt;The same scan routinely flags: IAM credentials older than 90 days (rotate), Lambda functions on AdministratorAccess (scope down), RDS instances with PubliclyAccessible: true (flip to false and confirm app still reaches via VPC).&lt;/p&gt;

&lt;p&gt;What this isn't&lt;br&gt;
This is not runtime threat detection. It won't catch an attacker already inside your account. AWS-native GuardDuty handles that, costs almost nothing — turn it on in parallel.&lt;/p&gt;

&lt;p&gt;Not compliance either. SOC 2 / HIPAA / PCI frameworks have specific controls and audit trails you still manage. The scanner covers the technical controls auditors check; the formal program is a separate thing.&lt;/p&gt;

&lt;p&gt;What it is: a weekly sanity check. Same way you'd run npm audit, run a misconfiguration scan. The difference between a 30-finding report and a 250-finding report is mostly "did anyone look last quarter?"&lt;/p&gt;

&lt;p&gt;What to do this week&lt;br&gt;
If you've never run a scan against your AWS account:&lt;/p&gt;

&lt;p&gt;Pick a scanner — SentryHive, Prowler, ScoutSuite, or AWS Trusted Advisor for the low-hanging fruit.&lt;br&gt;
Scan.&lt;br&gt;
Read the report. Don't fix anything yet — just read.&lt;br&gt;
Pick the top three Critical findings.&lt;br&gt;
File three PRs, one per finding.&lt;br&gt;
Re-scan.&lt;br&gt;
Watch the count drop.&lt;br&gt;
If you've been on AWS a year and never done this, the report will have a number that surprises you. That's normal. The first scan is always the worst one. The second scan, when you've fixed what was easy, is where you see the real picture.&lt;/p&gt;

&lt;p&gt;The bucket that gets you is the one you forgot about. The whole job is to not forget.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>cloud</category>
      <category>infrastructure</category>
      <category>security</category>
    </item>
  </channel>
</rss>
