Introduction: Why I Built This (And What You’re Getting Into)
Hey folks, Jude here — a DevSecOps engineer who spends way too much time wrangling AWS resources and not nearly enough on coffee breaks. If you've ever spun up an S3 bucket in a rush during a late-night coding sprint, only to realize the next day that it's wide open to the internet, this one's for you.
I created the S3 Security Scanner to tackle that exact headache: a simple, serverless tool that scans your AWS S3 buckets for common misconfigurations (like public access or wildcard policies) and optionally fixes them automatically.
The goal? Give solo devs and small teams like mine a “set it and forget it” way to keep buckets secure without constant manual audits. It’s not a full enterprise suite — it’s an MVP I built in a few evenings to boost my skills and maybe sell on the AWS Marketplace someday.
Tech stack:
- Python with Boto3 for the Lambda core,
- CloudFormation for deployment, and
- EventBridge for daily runs.
Purpose: Peace of mind in the cloud, one bucket at a time.
Let’s dive into how it came together.
The Build Process: From Idea to Running Code
I started with the basics: What pains me most about S3? Public buckets leaking data, right? So, the scanner checks four key areas — Public Access Block settings, ACL grants, bucket policies for wildcards, and default encryption — flagging risks with a simple severity score (none, low, medium, high).
The heart is a Lambda function. I sketched it out in pseudocode first: parse the event for config (like excluded buckets), scan via Boto3 calls (list_buckets, get_bucket_acl, etc.), and output the risks as JSON. Remediation is an optional step that applies fixes like put_bucket_acl(ACL='private') or enabling Public Access Block, all behind safety nets such as a dry-run preview that lists the changes without making them.
🚀 WAKIMWORKS S3 SECURITY SCANNER
🧩 OVERVIEW
The WakimWorks S3 Security Scanner is a serverless AWS solution designed to automatically detect and remediate security misconfigurations in Amazon S3 buckets across AWS accounts.
This current release is the free version (v1.0), designed to demonstrate secure scanning, cross-account role assumption, and email reporting.
The scanner identifies issues such as public bucket access, missing encryption, unlogged access patterns, and improper versioning. It can operate in two modes:
- 🕵️♂️ Scan only (audit/report mode)
- 🔧 Scan and auto-remediate (attempts to fix issues automatically)
All scans are executed using secure, cross-account STS role assumption, and results are delivered via SES email with inline reporting and branding.
🏗 ARCHITECTURE OVERVIEW
☁ SELLER ACCOUNT
- Hosts the scanning Lambda function, DynamoDB metadata, SES email sender, and EventBridge daily scheduler.
- Handles all cross-account assume-role logic and email generation.
- Receives scan requests from client accounts through SQS.
- Uses CloudFormation Custom Resource…
Deployment was straightforward: zip the code, upload it to an S3 bucket, and wrap it in a CloudFormation template. Users deploy the stack, pick a mode (scan only or auto-remediation), and EventBridge kicks it off daily. Total time? About 5 hours spread over a few evenings, thanks to Claude Code for code generation and local testing with Grok.
Obstacles: The Bumps That Made It Better
Nothing's smooth — first, I hit an OperationNotPageableError trying to paginate list_buckets (spoiler: S3 doesn't need it; one call gets everything). Fixed by ditching the paginator. Permissions were of course an issue: AccessDenied on encryption checks until I added s3:GetEncryptionConfiguration to the IAM role. And exclusions? My test event had a string instead of a list — classic JSON gotcha. Each snag taught me to test locally first, then deploy iteratively.
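Here is the scan-and-remediate flow from the build section in working Python, with the two gotchas above folded in (a single unpaginated list_buckets call, and an exclusion list that survives arriving as a string). This is an added example, not the scanner's own code: the severity thresholds, the `FakeS3` client with its two constructed buckets, and the `_optional` helper (my way of handling the "not configured" errors S3 raises instead of returning an empty config) are all mine. The error codes it maps (NoSuchBucketPolicy, NoSuchPublicAccessBlockConfiguration, ServerSideEncryptionConfigurationNotFoundError) are S3's real ones. Pass boto3.client("s3") instead of FakeS3() to run it against an account; the role then needs s3:ListAllMyBuckets, s3:GetBucketAcl, s3:GetBucketPolicy, s3:GetBucketPublicAccessBlock and s3:GetEncryptionConfiguration for scanning, plus s3:PutBucketAcl and s3:PutBucketPublicAccessBlock if remediation is switched on.

```python
"""Added example, not the scanner's own code: the four checks the post lists (Public
Access Block, ACL grants, wildcard-principal policies, default encryption) over boto3-shaped
responses, plus a dry-run remediation planner. FakeS3 is a constructed stand-in for
boto3.client("s3") so the file runs offline."""
import json

PUBLIC_GROUPS = {f"http://acs.amazonaws.com/groups/global/{g}" for g in ("AllUsers", "AuthenticatedUsers")}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
RANK = ["none", "low", "medium", "high"]

def _optional(fn, absent_code, **kwargs):
    """Map S3's 'not configured' error code to None (botocore's ClientError carries
    .response['Error']['Code']); anything else, AccessDenied included, is re-raised."""
    try:
        return fn(**kwargs)
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") == absent_code:
            return None
        raise

def _wildcard_principal(p):
    aws = p.get("AWS") if isinstance(p, dict) else p
    return "*" in (aws if isinstance(aws, list) else [aws])

def evaluate_bucket(name, acl, policy, pab, encryption):
    """Score one bucket from already-fetched configs (None = not configured)."""
    risks = []  # (check, severity, detail)
    flags = (pab or {}).get("PublicAccessBlockConfiguration", {})
    if off := [f for f in PAB_FLAGS if not flags.get(f)]:
        risks.append(("public_access_block", "medium", "flags off: " + ", ".join(off)))
    for g in (acl or {}).get("Grants", []):
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:  # IgnorePublicAcls neutralises it, but the grant is still there
            sev = "low" if flags.get("IgnorePublicAcls") else "high"
            risks.append(("acl", sev, f"{g['Permission']} granted to {uri.rsplit('/', 1)[1]}"))
    stmts = json.loads(policy["Policy"]).get("Statement", []) if policy else []
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if (s.get("Effect") == "Allow" and not s.get("Condition")
                and _wildcard_principal(s.get("Principal", {}))):
            sev = "medium" if flags.get("RestrictPublicBuckets") else "high"
            risks.append(("policy", sev, f"statement {s.get('Sid', '?')} allows Principal *"))
    if encryption is None:
        risks.append(("encryption", "low", "no default encryption configuration"))
    return {"bucket": name, "severity": RANK[max((RANK.index(s) for _, s, _ in risks), default=0)],
            "risks": [{"check": c, "severity": s, "detail": d} for c, s, d in risks]}

def scan(s3, excluded=()):
    """One list_buckets call, then four getters per bucket; `excluded` may be a list or a CSV string."""
    skip = {x.strip() for x in (excluded.split(",") if isinstance(excluded, str) else excluded)}
    names = [b["Name"] for b in s3.list_buckets()["Buckets"] if b["Name"] not in skip]
    return [evaluate_bucket(
        name, s3.get_bucket_acl(Bucket=name),
        _optional(s3.get_bucket_policy, "NoSuchBucketPolicy", Bucket=name),
        _optional(s3.get_public_access_block, "NoSuchPublicAccessBlockConfiguration", Bucket=name),
        _optional(s3.get_bucket_encryption, "ServerSideEncryptionConfigurationNotFoundError", Bucket=name),
    ) for name in names]

def remediate(s3, report, dry_run=True):
    """Plan the two fixes the post names; call the API only when dry_run=False."""
    plan = []
    for r in report:
        checks = {x["check"] for x in r["risks"]}
        if "public_access_block" in checks:
            plan.append((r["bucket"], "put_public_access_block",
                         {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}))
        if "acl" in checks:
            plan.append((r["bucket"], "put_bucket_acl", {"ACL": "private"}))
    if not dry_run:
        for bucket, api, kwargs in plan:
            getattr(s3, api)(Bucket=bucket, **kwargs)
    return plan

class FakeS3:
    """Constructed stand-in for boto3.client('s3'): 'leaky-bucket' has a public ACL,
    a Principal:* policy, no PAB and no SSE; 'tidy-bucket' has PAB and SSE-S3 only."""
    DATA = {  # (api, bucket) -> response; a missing key raises S3's "not configured" code
        ("acl", "leaky-bucket"): {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]},
        ("policy", "leaky-bucket"): {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::leaky-bucket/*"}]})},
        ("pab", "tidy-bucket"): {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
        ("enc", "tidy-bucket"): {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}
    def __init__(self): self.calls = []  # records every put_* so a dry run is provably read-only
    def _get(self, api, Bucket, code):  # raises with the .response shape of botocore's ClientError
        if (api, Bucket) in self.DATA: return self.DATA[(api, Bucket)]
        err = Exception(code); err.response = {"Error": {"Code": code}}; raise err
    def list_buckets(self): return {"Buckets": [{"Name": "leaky-bucket"}, {"Name": "tidy-bucket"}]}
    def get_bucket_acl(self, Bucket): return self.DATA.get(("acl", Bucket), {"Grants": []})
    def get_bucket_policy(self, Bucket): return self._get("policy", Bucket, "NoSuchBucketPolicy")
    def get_public_access_block(self, Bucket): return self._get("pab", Bucket, "NoSuchPublicAccessBlockConfiguration")
    def get_bucket_encryption(self, Bucket): return self._get("enc", Bucket, "ServerSideEncryptionConfigurationNotFoundError")
    def put_public_access_block(self, **kw): self.calls.append(("put_public_access_block", kw))
    def put_bucket_acl(self, **kw): self.calls.append(("put_bucket_acl", kw))

if __name__ == "__main__":
    client = FakeS3()  # swap for boto3.client("s3") to run against a real account
    findings = scan(client)
    print(json.dumps(findings, indent=2), "\ndry-run plan:", remediate(client, findings))
```

The severity downgrades are the part worth copying: a public ACL sitting behind IgnorePublicAcls=true is reported as low rather than high, and a Principal:* policy behind RestrictPublicBuckets=true as medium, so the report separates what is exposed today from what becomes exposed the moment someone loosens the block. remediate() returns its plan without touching the API unless dry_run=False, and that default matters because switching on all four Public Access Block flags will break a bucket that intentionally serves a public website. One caveat on the pagination fix: recent botocore releases do ship a paginator for list_buckets (the ListBuckets API gained MaxBuckets and ContinuationToken), so whether the post's OperationNotPageableError appears depends on the SDK version; a plain call still returns an account's buckets in one response at the bucket counts a solo dev or small team will have.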
Wrapping Up: What’s Next?
This project’s my love letter to secure-by-default cloud work — simple, effective, and fun to build. If you’re digging this, check out my next pieces: one on nailing the scanning logic, another on safe automation, and the final on CloudFormation magic.
--
Follow along on Medium or Dev.to for more DevSecOps adventures. What’s your biggest S3 headache? Drop a comment — let’s chat!
I regularly share hands-on cloud builds, automation tricks, and AWS-focused deep dives across the web:
- 🔗 LinkedIn — for cloud content, networking, and consulting
- 📖 Medium — where this and other walkthroughs live
- 👨💻 GitHub — for open-source tools and infra templates
- 🖥️ Dev.to — cross-posts and project write-ups