
S3 bucket-policy public-exposure analyzer API

Analyzes a provided S3 bucket policy JSON (and an optional canned ACL) for public exposure. It walks each Allow statement looking for public principals ('*' or 'arn:aws:iam::*:root'), public write/delete permissions, wildcard s3:* actions, bucket-policy/ACL self-modification and a missing aws:SecureTransport requirement, and checks for dangerous canned ACLs (public-read-write). It returns findings with severity and remediation plus a 0-100 exposure-resistance score; the analysis is static, with no live access to the bucket. It answers questions such as 'Is this S3 bucket public?' and 'Does this policy allow anonymous writes?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/s3-policy
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, s3, aws, bucket-policy, acl, exposure, iam, scoring
API URL: https://x402.hexl.dev/v1/security/s3-policy
Example request
{
  "policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
          "s3:GetObject"
        ],
        "Resource": "arn:aws:s3:::data-bucket/*"
      }
    ]
  },
  "acl": "private"
}
Example response
{
  "score": 77,
  "publicExposure": true,
  "statementsAnalyzed": 1,
  "findingsCount": 2,
  "highestSeverity": "high",
  "findings": [
    {
      "id": "stmt-0-public-read",
      "severity": "high",
      "title": "Statement 0 grants public access with principal '*'",
      "remediation": "Replace '*' with a specific principal/account or add an aws:SourceIp / VPC condition.",
      "statement": 0
    },
    {
      "id": "stmt-0-no-tls",
      "severity": "low",
      "title": "Statement 0 does not require aws:SecureTransport",
      "remediation": "Add a Deny statement when aws:SecureTransport is false to force HTTPS.",
      "statement": 0
    }
  ],
  "risky": true
}
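The checks the description lists, as an added Python sketch that is not the API's own code: it walks each Allow statement for public principals, public write/delete, wildcard s3:*, policy/ACL self-modification and missing aws:SecureTransport, checks the canned ACL, and scores the result. The action sets, severity weights and scoring formula are assumptions, chosen so that the example request above yields the example response's score of 77.

```python
PUBLIC = {"*", "arn:aws:iam::*:root"}
WRITE = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion"}
SELF_MODIFY = {"s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:DeleteBucketPolicy"}
WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 3}  # assumed severity weights

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": [...]}.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return any(p in PUBLIC for p in _as_list(principal))

def _mentions_tls(stmt):
    cond = stmt.get("Condition") or {}
    return any("aws:SecureTransport" in op for op in cond.values() if isinstance(op, dict))

def analyze_policy(policy, acl=None):
    stmts = _as_list(policy.get("Statement", []))
    # A Deny on aws:SecureTransport=false anywhere in the policy forces HTTPS bucket-wide.
    tls_enforced = any(s.get("Effect") == "Deny" and _mentions_tls(s) for s in stmts)
    findings = []
    def add(fid, sev, title, fix, stmt=None):
        findings.append({"id": fid, "severity": sev, "title": title, "remediation": fix, "statement": stmt})
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue  # Deny statements cannot expose the bucket
        actions = set(_as_list(s.get("Action", [])))
        if _is_public(s.get("Principal")):
            if actions & WRITE or "s3:*" in actions:
                add(f"stmt-{i}-public-write", "critical", f"Statement {i} allows anonymous write/delete", "Grant write only to named principals.", i)
            else:
                add(f"stmt-{i}-public-read", "high", f"Statement {i} grants public access with principal '*'",
                    "Replace '*' with a specific principal/account or add an aws:SourceIp / VPC condition.", i)
        if "s3:*" in actions:
            add(f"stmt-{i}-wildcard-action", "medium", f"Statement {i} allows wildcard s3:*", "List only the actions needed.", i)
        if actions & SELF_MODIFY:
            add(f"stmt-{i}-self-modify", "high", f"Statement {i} can rewrite the bucket policy/ACL", "Restrict to administrators.", i)
        if not tls_enforced and not _mentions_tls(s):
            add(f"stmt-{i}-no-tls", "low", f"Statement {i} does not require aws:SecureTransport",
                "Add a Deny statement when aws:SecureTransport is false to force HTTPS.", i)
    if acl in ("public-read", "public-read-write"):
        add(f"acl-{acl}", "critical" if acl.endswith("write") else "high", f"Canned ACL '{acl}' is public", "Use private and enable Block Public Access.")
    return {"score": max(0, 100 - sum(WEIGHT[f["severity"]] for f in findings)),
            "publicExposure": any("public" in f["id"] for f in findings),
            "statementsAnalyzed": len(stmts), "findingsCount": len(findings),
            "highestSeverity": max((f["severity"] for f in findings), key=WEIGHT.get, default=None),
            "findings": findings}
```

Calling `analyze_policy(policy, "private")` on the example request above reproduces the two findings and the score of 77 shown in the example response; a policy whose only public statement is a Deny on aws:SecureTransport scores 100.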
Input schema
{
  "type": "object",
  "required": [
    "policy"
  ],
  "properties": {
    "policy": {
      "type": "object",
      "additionalProperties": true,
      "description": "S3 bucket policy JSON with a Statement array.",
      "examples": [
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": [
                "s3:GetObject"
              ],
              "Resource": "arn:aws:s3:::data-bucket/*"
            }
          ]
        }
      ]
    },
    "acl": {
      "type": "string",
      "description": "Optional canned ACL.",
      "examples": [
        "private",
        "public-read",
        "public-read-write"
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}