aws-s3-exposure-auditor
Identify publicly accessible S3 buckets, dangerous ACLs, and misconfigured bucket policies
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/anmolnagpal/s3-exposure-auditor
What This Skill Does
The aws-s3-exposure-auditor is a specialized diagnostic utility designed for AWS administrators and security engineers to proactively identify misconfigurations in Simple Storage Service (S3) buckets. Publicly accessible S3 buckets are a leading cause of data breaches, often resulting from overly permissive ACLs or misunderstood bucket policies. This skill functions as a static analysis agent: it does not execute live commands, modify your infrastructure, or connect to your AWS account. Instead, it ingests structured AWS CLI output to audit your security posture against industry benchmarks and the principle of least privilege.
Installation
To integrate this auditing capability into your OpenClaw environment, execute the following command in your terminal:
clawhub install openclaw/skills/skills/anmolnagpal/s3-exposure-auditor
Use Cases
- Pre-Audit Preparation: Quickly scan bucket policy dumps before an official compliance audit to identify glaring 'public' access flags.
- Breach Mitigation: Analyze bucket configurations after a suspected exposure to determine which specific permissions allowed unauthorized access.
- Hardening CI/CD: Review infrastructure-as-code exports to ensure S3 configurations follow the organization's security standards before deployment.
- Cloud Security Training: Use the agent to understand how different combinations of Public Access Blocks, ACLs, and Policies interact to determine if a bucket is truly private.
Example Prompts
- "Here is my 'aws s3api list-buckets' output and the 'get-public-access-block' results for my account. Which buckets are exposed to the internet?"
- "I have a bucket named 'prod-financial-backups' that requires strict security. Please analyze this bucket policy JSON and tell me if it contains any public access risks."
- "Can you generate a preventive SCP that denies the ability to disable public access blocks across my entire organization?"
Tips & Limitations
- Data Privacy: Because this tool relies on your provided input, ensure you redact any PII or sensitive account IDs from the CLI output before pasting it into the chat if you have privacy concerns.
- Scope: The skill identifies potential risks based on provided JSON data. It does not replace active monitoring tools like AWS Security Hub, but acts as a powerful companion for deep-dive analysis.
- Completeness: Providing both account-level 'Public Access Block' settings and individual bucket policies provides the most accurate assessment. If data is incomplete, the agent may only offer general security recommendations.
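The interaction the Use Cases and Completeness items describe (Public Access Block settings deciding whether a public ACL or a public policy statement actually exposes the bucket) can be reproduced offline. The Python below is an added example, not the skill's own code: it reads the shape of 'get-public-access-block', 'get-bucket-policy' and 'get-bucket-acl' output, with constructed sample data, and treats any Condition block as narrowing a grant, which is a simplification of how S3 itself evaluates public policies.

```python
import json
# Grantee URIs that make an ACL grant public: the two global AWS groups.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return principal == "*" or aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_doc):
    """Sids (or positions) of Allow statements open to everyone. Simplification: any
    Condition block is taken as narrowing the grant; real S3 evaluation is finer."""
    stmts = policy_doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and not s.get("Condition")
            and principal_is_everyone(s.get("Principal"))]

def public_acl_grants(acl):
    """Permissions handed to AllUsers / AuthenticatedUsers in get-bucket-acl output."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def assess_bucket(pab, policy, acl):
    """RestrictPublicBuckets neutralises an existing public policy, IgnorePublicAcls an
    existing public ACL. Returns (exposed, [(source, grants, neutralised), ...])."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    # get-bucket-policy returns the policy document as a JSON string under "Policy"
    raw = (policy or {}).get("Policy")
    doc = json.loads(raw) if isinstance(raw, str) else (policy or {})
    findings = []
    hits = public_policy_statements(doc)
    if hits:
        findings.append(("policy", hits, bool(cfg.get("RestrictPublicBuckets"))))
    grants = public_acl_grants(acl or {})
    if grants:
        findings.append(("acl", grants, bool(cfg.get("IgnorePublicAcls"))))
    return any(not neutralised for _, _, neutralised in findings), findings

# Constructed sample (not real data): PAB all off, public GetObject statement, AllUsers READ.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False,
              "IgnorePublicAcls": False, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::prod-financial-backups/*"}]})}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
```

Running assess_bucket on the sample reports exposure on both paths; flipping RestrictPublicBuckets and IgnorePublicAcls to true keeps the same findings but marks them neutralised, which is exactly why the account-level block settings belong in the input.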
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-anmolnagpal-s3-exposure-auditor": {
"enabled": true,
"auto_update": true
}
}
}
Tags: AI
Related Skills
aws-compliance-analyzer
Map AWS environment against CIS, SOC 2, HIPAA, or PCI-DSS controls with prioritized remediation
aws-terraform-security-reviewer
Review Terraform plans and HCL files for AWS security misconfigurations before deployment
azure-storage-exposure-auditor
Identify publicly accessible Azure Storage accounts and misconfigured blob containers
aws-tagging-auditor
Audit AWS resource tagging compliance and identify unallocatable spend for FinOps teams
gcp-bigquery-optimizer
Analyze BigQuery query patterns and storage to dramatically reduce the