AWS · S3 · account sandbox (123456789012) · region us-east-1 · last observed 2026-04-16 04:12 UTC
| Setting | Value |
|---|---|
| Bucket ACL | public-read |
| Block public access | disabled |
| Default encryption | SSE-S3 (AES-256) |
| Versioning | Enabled |
| Object Lock | Disabled |
| Logging | Enabled → s3://acme-logs-bucket/ |
| Tags | env=sandbox owner=platform |

| Sev | Rule | Age |
|---|---|---|
| CRIT | aws.s3.public-acl | 1d |
| HIGH | aws.s3.block-public-access-off | 1d |
| MED | aws.s3.no-object-lock | 14d |
Each finding links back to the exact config fragment that triggered it and a remediation snippet.
3 inbound · 2 outbound (last scan)
| Direction | Relationship | Peer |
|---|---|---|
| inbound | writes-to | lambda:sandbox-ingest-fn |
| inbound | reads-from | ec2:i-0aa12 (sandbox) |
| inbound | reads-from | ec2:i-0bb34 (sandbox) |
| outbound | logged-to | s3:acme-logs-bucket |
| outbound | encrypted-with | kms:alias/aws/s3 (default) |
```bash
aws s3api put-public-access-block \
  --bucket acme-sandbox-raw \
  --public-access-block-configuration \
  "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
```
```hcl
# Terraform
resource "aws_s3_bucket_public_access_block" "acme_sandbox_raw" {
  bucket                  = aws_s3_bucket.acme_sandbox_raw.id
  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = true
  restrict_public_buckets = true
}
```
After remediation, re-run the AWS connector sync. The finding will close automatically within 60 seconds.