Jude Wakim

Building My S3 Security Scanner: A Solo Dev's Journey to Automate AWS Bucket Safety

Introduction: Why I Built This (And What You’re Getting Into)

Hey folks, Jude here — a DevSecOps engineer who spends way too much time wrangling AWS resources and not enough coffee breaks. If you’ve ever spun up an S3 bucket in a rush during a late-night coding sprint, only to realize it’s wide open to the internet the next day, this one’s for you.

I created the S3 Security Scanner to tackle that exact headache: a simple, serverless tool that scans your AWS S3 buckets for common misconfigurations (like public access or wildcard policies) and optionally fixes them automatically.

The goal? Give solo devs and small teams like mine a “set it and forget it” way to keep buckets secure without constant manual audits. It’s not a full enterprise suite — it’s an MVP I built in a few evenings to boost my skills and maybe sell on the AWS Marketplace someday.

Tech stack:

  • Python with Boto3 for the Lambda core,
  • CloudFormation for deployment, and
  • EventBridge for daily runs.

Purpose: Peace of mind in the cloud, one bucket at a time.

Let’s dive into how it came together.


The Build Process: From Idea to Running Code

I started with the basics: What pains me most about S3? Public buckets leaking data, right? So, the scanner checks four key areas — Public Access Block settings, ACL grants, bucket policies for wildcards, and default encryption — flagging risks with a simple severity score (none, low, medium, high).

The heart is a Lambda function. I sketched it out in pseudocode first: parse an event for config (like excluded buckets), scan via Boto3 calls (list_buckets, get_bucket_acl, etc.), and output JSON risks. Then, for remediation, an optional step applies fixes like put_bucket_acl(ACL='private') or enabling Public Access Block — all with safety nets, like dry-run previews.
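To make that pseudocode concrete, here is an added example of the scanner core written as pure functions over the dict shapes boto3's S3 client returns. This is my illustration, not the author's Lambda code. Because each check takes an already-fetched response, the logic runs offline against the constructed sample at the bottom and can be unit-tested without AWS credentials; a real handler would call list_buckets, get_public_access_block, get_bucket_acl, get_bucket_policy and get_bucket_encryption and pass the results in (passing None where the call raised the "no such configuration" error named in each docstring). The four checks, the none/low/medium/high scale and the dry-run remediation plan follow the post; the string-or-list handling in parse_event covers the JSON gotcha the author describes later under Obstacles. The function names, which finding gets which severity, and the mapping from findings to fix calls are my assumptions.

```python
import json

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def parse_event(event):
    """Normalise the Lambda event: 'exclude' may arrive as a list or as a single
    string (the JSON gotcha from the post); 'dry_run' defaults to True."""
    exclude = event.get("exclude", [])
    exclude = [exclude] if isinstance(exclude, str) else exclude
    return {"exclude": set(exclude), "dry_run": bool(event.get("dry_run", True))}

def check_public_access_block(pab):
    """pab: get_public_access_block()['PublicAccessBlockConfiguration'], or None if
    the call raised NoSuchPublicAccessBlockConfiguration."""
    if pab is None:
        return [("high", "no Public Access Block configuration")]
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    return [("high", f"Public Access Block flags disabled: {missing}")] if missing else []

def check_acl(acl):
    """acl: the get_bucket_acl() response. Grants to AllUsers/AuthenticatedUsers are
    'high' when write-capable, otherwise 'medium' (severity choice is mine)."""
    risks = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            sev = "high" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "medium"
            risks.append((sev, f"ACL grants {perm} to {grantee['URI'].rsplit('/', 1)[-1]}"))
    return risks

def _wildcard_principal(principal):
    if isinstance(principal, dict):               # {"AWS": "*"} or {"AWS": ["*", ...]}
        aws = principal.get("AWS", [])
        principal = aws if isinstance(aws, list) else [aws]
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def check_policy(policy_json):
    """policy_json: get_bucket_policy()['Policy'] (a JSON string), or None when the
    bucket has no policy. An unconditioned Allow to Principal '*' is 'high'; one
    scoped by a Condition block is 'low'."""
    risks = []
    for stmt in json.loads(policy_json or '{"Statement": []}').get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
            sev = "low" if stmt.get("Condition") else "high"
            risks.append((sev, f"policy allows {stmt.get('Action')} to Principal '*'"))
    return risks

def check_encryption(sse_config):
    """sse_config: get_bucket_encryption()['ServerSideEncryptionConfiguration'], or
    None if ServerSideEncryptionConfigurationNotFoundError was raised."""
    rules = (sse_config or {}).get("Rules", [])
    if any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        return []
    return [("low", "no default server-side encryption rule")]

def scan_bucket(name, pab=None, acl=None, policy_json=None, sse_config=None):
    """Run the four checks; the bucket's severity is the highest among its risks."""
    risks = (check_public_access_block(pab) + check_acl(acl or {})
             + check_policy(policy_json) + check_encryption(sse_config))
    severity = max((s for s, _ in risks), key=SEVERITY_RANK.__getitem__, default="none")
    return {"bucket": name, "severity": severity,
            "risks": [{"severity": s, "detail": d} for s, d in risks]}

def plan_remediation(report):
    """Map findings to the boto3 calls the remediation step would make; in dry-run
    mode the Lambda returns this plan instead of executing it. A public policy is
    left for human review: RestrictPublicBuckets already neutralises it."""
    bucket, plan = report["bucket"], {}
    for risk in report["risks"]:
        detail = risk["detail"]
        if "Public Access Block" in detail:
            plan["put_public_access_block"] = {"Bucket": bucket,
                "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}
        elif detail.startswith("ACL grants"):
            plan["put_bucket_acl"] = {"Bucket": bucket, "ACL": "private"}
        elif detail.startswith("no default server-side encryption"):
            plan["put_bucket_encryption"] = {"Bucket": bucket, "ServerSideEncryptionConfiguration":
                {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
    return plan

# Constructed sample (not real data): no PAB, a public-read ACL grant, a Principal '*' policy, no SSE.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

def demo():
    """Scan the constructed sample and return (report, dry-run remediation plan)."""
    report = scan_bucket("example-bucket", acl=SAMPLE_ACL, policy_json=SAMPLE_POLICY)
    return report, plan_remediation(report)

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Running the file prints a "high" report with four findings for the sample bucket, and plan_remediation turns three of them into put_public_access_block, put_bucket_acl and put_bucket_encryption calls that the handler would only issue when dry_run is False. Keeping the checks separate from the API calls is what makes the "test locally first" habit from the Obstacles section cheap: each check has a two-line fixture instead of a live bucket.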

S3 Security Scanner

Overview

The S3 Security Scanner is a serverless AWS Lambda function designed to detect and optionally remediate misconfigurations in Amazon S3 buckets within a single AWS account. This tool helps solo developers and small teams ensure their S3 buckets are secure by identifying issues such as public access, wildcard policies, and lack of encryption, providing actionable insights via JSON output.

Architecture Diagram

[Architecture diagram: S3 Security Scanner Architecture]

The architecture consists of the following components:

  • Lambda: The core function that scans S3 buckets and applies fixes if configured.
  • EventBridge (cron job): Triggers the Lambda function on a scheduled basis (e.g., daily).
  • S3 API call: The Lambda function interacts with the S3 service to check and update bucket configurations.
  • SES (alerting): Sends email notifications based on the scan results (to be implemented in future versions).

Features

  • Scans all S3 buckets in the account for misconfigurations.
  • Detects
    • Disabled Public Access Block…

Deployment was straightforward: zipped the code, uploaded it to my S3 bucket, and wrapped it in a CloudFormation template. Users deploy the stack, pick a mode (scanning only or auto-remediation), and EventBridge kicks it off daily. Total time? About 5 hours of evenings, thanks to Claude Code for code gen and local testing with Grok.


Obstacles: The Bumps That Made It Better

Nothing’s smooth — first, I hit an OperationNotPageableError trying to paginate list_buckets (spoiler: S3 doesn’t need it; one call gets everything). Fixed by ditching the paginator. Permissions were of course an issue: AccessDenied on encryption checks until I added s3:GetEncryptionConfiguration to the IAM role. And exclusions? My test event had a string instead of a list — classic JSON gotcha. Each snag taught me to test locally first, then deploy iteratively.


Wrapping Up: What’s Next?

This project’s my love letter to secure-by-default cloud work — simple, effective, and fun to build. If you’re digging this, check out my next pieces: one on nailing the scanning logic, another on safe automation, and the final on CloudFormation magic.

--

Follow along on Medium or Dev.to for more DevSecOps adventures. What’s your biggest S3 headache? Drop a comment — let’s chat!

I regularly share hands-on cloud builds, automation tricks, and AWS-focused deep dives across the web:

  • 🔗 LinkedIn — for cloud content, networking, and consulting
  • 📖 Medium — where this and other walkthroughs live
  • 👨‍💻 GitHub — for open-source tools and infra templates
  • 🖥️ Dev.to — cross-posts and project write-ups
