Introduction: Why I Built This (And What You’re Getting Into)
Hey folks, Jude here — a DevSecOps engineer who spends way too much time wrangling AWS resources and not enough coffee breaks. If you’ve ever spun up an S3 bucket in a rush during a late-night coding sprint, only to realize it’s wide open to the internet the next day, this one’s for you.
I created the S3 Security Scanner to tackle that exact headache: a simple, serverless tool that scans your AWS S3 buckets for common misconfigurations (like public access or wildcard policies) and optionally fixes them automatically.
The goal? Give solo devs and small teams like mine a “set it and forget it” way to keep buckets secure without constant manual audits. It’s not a full enterprise suite — it’s an MVP I built in a few evenings to boost my skills and maybe sell on the AWS Marketplace someday.
Tech stack:
- Python with Boto3 for the Lambda core,
- CloudFormation for deployment, and
- EventBridge for daily runs.
Purpose: Peace of mind in the cloud, one bucket at a time.
Let’s dive into how it came together.
The Build Process: From Idea to Running Code
I started with the basics: What pains me most about S3? Public buckets leaking data, right? So, the scanner checks four key areas — Public Access Block settings, ACL grants, bucket policies for wildcards, and default encryption — flagging risks with a simple severity score (none, low, medium, high).
The heart is a Lambda function. I sketched it out in pseudocode first: parse an event for config (like excluded buckets), scan via Boto3 calls (list_buckets, get_bucket_acl, etc.), and output JSON risks. Then, for remediation, an optional step applies fixes like put_bucket_acl(ACL='private') or enabling Public Access Block — all with safety nets, like dry-run previews.
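Here is that sketch carried through as an added example (not the S3 Security Scanner's own code): the four checks, the none/low/medium/high roll-up, an exclusions parser that accepts either a list or a bare string, and a remediation step that defaults to a dry run. Every function takes the S3 client as a parameter, so the constructed `FakeS3` class at the bottom can stand in for `boto3.client("s3")` offline; in Lambda you would pass the real client and feed `event.get("excluded_buckets")` to `scan_account`. Error codes and API shapes are the real S3 ones; the three sample buckets and their contents are made up.

```python
# Added example, not the S3 Security Scanner's own code: the post's four checks, a severity
# roll-up, list-or-string exclusions and dry-run remediation, written against an injected S3
# client so the constructed FakeS3 below can stand in for boto3.client("s3") offline.
import json

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_URIS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _get(s3, method, bucket, absent_code):
    """Call s3.<method>(Bucket=...); None when S3 reports the config absent (botocore ClientError shape)."""
    try:
        return getattr(s3, method)(Bucket=bucket)
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == absent_code:
            return None
        raise

def normalize_exclusions(value):
    """Accept a list or a bare string (the JSON gotcha from the post)."""
    return set() if value is None else {value} if isinstance(value, str) else set(value)

def check_public_access_block(s3, bucket):
    resp = _get(s3, "get_public_access_block", bucket, "NoSuchPublicAccessBlockConfiguration")
    if resp is None:
        return "high", "no Public Access Block configured"
    missing = [k for k in PAB_KEYS if not resp["PublicAccessBlockConfiguration"].get(k)]
    return ("medium", f"Public Access Block incomplete: {missing}") if missing else ("none", "")

def check_acl(s3, bucket):
    for grant in s3.get_bucket_acl(Bucket=bucket)["Grants"]:
        if grant["Grantee"].get("URI") in PUBLIC_URIS:
            return "high", f"ACL grants {grant['Permission']} to {grant['Grantee']['URI']}"
    return "none", ""

def check_policy(s3, bucket):
    resp = _get(s3, "get_bucket_policy", bucket, "NoSuchBucketPolicy")
    stmts = json.loads(resp["Policy"]).get("Statement", []) if resp else []
    for st in (stmts if isinstance(stmts, list) else [stmts]):  # a lone statement may be a dict
        p = st.get("Principal")
        if st.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            sev = "medium" if st.get("Condition") else "high"  # a Condition may still scope the grant
            return sev, "policy allows Principal '*'"
    return "none", ""

def check_encryption(s3, bucket):
    # buckets created since 2023 get SSE-S3 by default, so this mostly catches legacy ones
    absent = _get(s3, "get_bucket_encryption", bucket, "ServerSideEncryptionConfigurationNotFoundError") is None
    return ("low", "no default encryption configured") if absent else ("none", "")

def scan_bucket(s3, bucket):
    checks = {"public_access_block": check_public_access_block, "acl": check_acl,
              "policy": check_policy, "encryption": check_encryption}
    findings = [{"check": name, "severity": sev, "detail": detail}
                for name, check in checks.items() for sev, detail in [check(s3, bucket)] if sev != "none"]
    top = max((f["severity"] for f in findings), key=SEVERITY_RANK.get, default="none")
    return {"bucket": bucket, "severity": top, "findings": findings}

def scan_account(s3, excluded=None):
    skip = normalize_exclusions(excluded)
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]  # one call, no paginator
    return [scan_bucket(s3, name) for name in names if name not in skip]

def remediate(s3, report, dry_run=True):
    """Plan ACL and Public Access Block fixes; apply only when dry_run is False. Policies are reported, not rewritten."""
    actions = []
    for r in report:
        for f in r["findings"]:
            if f["check"] == "acl":
                actions.append(("put_bucket_acl", {"Bucket": r["bucket"], "ACL": "private"}))
            elif f["check"] == "public_access_block":
                actions.append(("put_public_access_block", {"Bucket": r["bucket"],
                                "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)}))
    if not dry_run:
        for method, kwargs in actions:
            getattr(s3, method)(**kwargs)
    return actions

class _Err(Exception):  # same .response shape as botocore.exceptions.ClientError
    def __init__(self, code): self.response = {"Error": {"Code": code}}

class FakeS3:
    """Constructed stand-in: 'good' is hardened, 'leaky' has a public-read ACL, 'wild' a Principal '*' policy."""
    _POLICY = json.dumps({"Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}})
    _STATE = {"good": {"pab": dict.fromkeys(PAB_KEYS, True), "enc": {"Rules": []}},
              "leaky": {"acl": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
              "wild": {"policy": _POLICY}}
    def __init__(self): self.calls = []
    def _cfg(self, bucket, key, code):
        if key not in self._STATE[bucket]: raise _Err(code)
        return self._STATE[bucket][key]
    def list_buckets(self): return {"Buckets": [{"Name": n} for n in self._STATE]}
    def get_public_access_block(self, Bucket):
        return {"PublicAccessBlockConfiguration": self._cfg(Bucket, "pab", "NoSuchPublicAccessBlockConfiguration")}
    def get_bucket_acl(self, Bucket): return {"Grants": self._STATE[Bucket].get("acl", [])}
    def get_bucket_policy(self, Bucket): return {"Policy": self._cfg(Bucket, "policy", "NoSuchBucketPolicy")}
    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": self._cfg(Bucket, "enc", "ServerSideEncryptionConfigurationNotFoundError")}
    def put_bucket_acl(self, **kw): self.calls.append(("put_bucket_acl", kw))
    def put_public_access_block(self, **kw): self.calls.append(("put_public_access_block", kw))
```

Two design points worth copying: `remediate` returns the planned actions before it touches anything, so the dry-run output is the same list that a real run executes, and it never deletes bucket policies, since a wildcard policy may be the thing serving a public website and rewriting it is a judgement call rather than a safe default.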
S3 Sentry: The Autonomous Data Security Officer
S3 Sentry is a high-fidelity, multi-tenant security orchestration platform designed to provide continuous oversight of AWS S3 storage environments. It acts as an automated "Data Security Officer," ensuring that organizational data remains private, encrypted, and compliant without manual intervention.
The Mission
In the modern cloud era, a single misconfigured S3 bucket can lead to catastrophic data exposure. S3 Sentry bridges the gap between complex AWS IAM policies and actionable security intelligence by providing a "zero-friction" onboarding experience and automated remediation scanning.
Core Architecture
S3 Sentry utilizes a Cross-Account Trust Handshake to scan client environments securely.
- The Handshake: Uses a unique ExternalID protocol to prevent "Confused Deputy" attacks.
- The Engine: Powered by an orchestrated Prowler CLI integration for industry-standard security checks.
- The Single-Table Design: Leverages Amazon DynamoDB to manage thousands of tenants and millions of findings within a high-performance, scalable schema.
Deployment was straightforward: zipped the code, uploaded it to my S3 bucket, and wrapped it in a CloudFormation template. Users deploy the stack, pick a mode (scanning only or auto-remediation), and EventBridge kicks it off daily. Total time? About 5 hours spread over a few evenings, thanks to Claude Code for code gen and local testing with Grok.
Obstacles: The Bumps That Made It Better
Nothing’s smooth — first, I hit an OperationNotPageableError trying to paginate list_buckets (spoiler: S3 doesn’t need it; one call gets everything). Fixed by ditching the paginator. Permissions were of course an issue: AccessDenied on encryption checks until I added s3:GetEncryptionConfiguration to the IAM role. And exclusions? My test event had a string instead of a list — classic JSON gotcha. Each snag taught me to test locally first, then deploy iteratively.
Wrapping Up: What’s Next?
This project’s my love letter to secure-by-default cloud work — simple, effective, and fun to build. If you’re digging this, check out my next pieces: one on nailing the scanning logic, another on safe automation, and the final on CloudFormation magic.
--
Follow along on Medium or Dev.to for more DevSecOps adventures. What’s your biggest S3 headache? Drop a comment — let’s chat!
I regularly share hands-on cloud builds, automation tricks, and AWS-focused deep dives across the web:
- 🔗 LinkedIn — for cloud content, networking, and consulting
- 📖 Medium — where this and other walkthroughs live
- 👨‍💻 GitHub — for open-source tools and infra templates
- 🖥️ Dev.to — cross-posts and project write-ups