S3 misconfiguration is the #1 cloud breach vector. 18% of randomly sampled S3 buckets I scanned had ListBucket public, meaning every object name (every customer file, every PII upload) could be enumerated by URL.
The audit finds S3 buckets that are accidentally public, that are missing block-public-access, that have leaked CORS configs, or that expose object listings, and bots scrape for exactly this class of misconfiguration continuously. The cost of a breach is your customers' trust plus, often, a regulatory disclosure. The cost of an audit is $99.
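What an "active probe" of that misconfiguration class looks like, as an added example written for this page (it is not code from the aws-s3-security repository or any other project): each check takes the raw response of one read-only S3 API call and reports the public grants in it, and a final check combines them with the Block Public Access settings, since a public ACL or policy that Block Public Access already neutralises is a hygiene finding, not an exposed listing. The sample responses at the bottom are constructed, not captured from a real bucket; the boto3 collector at the end needs s3:GetBucketPublicAccessBlock, s3:GetBucketAcl and s3:GetBucketCORS in addition to the s3:GetBucketPolicy listed above, and is the only part that talks to AWS.

```python
import json

# Group URIs that make an ACL grant "public" (anonymous or any AWS account).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """Policy fields such as Action or Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_access_block_gaps(pab):
    """Names of the Block Public Access settings that are off. `pab` is the
    PublicAccessBlockConfiguration dict, or None if the bucket has none."""
    if pab is None:
        return list(PAB_KEYS)
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def public_acl_grants(acl):
    """Permissions a GetBucketAcl response grants to a public group.
    READ (or FULL_CONTROL) on the bucket is what makes ListBucket anonymous."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            perms.append(grant["Permission"])
    return perms


def public_policy_actions(policy_json):
    """Actions an unconditional Allow statement grants to Principal "*".
    `policy_json` is the string in GetBucketPolicy()["Policy"], or None if no policy."""
    if not policy_json:
        return []
    actions = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" in _as_list(principal):
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def wildcard_cors_rules(cors_rules):
    """Indices of CORS rules allowing any origin; input is GetBucketCors()["CORSRules"] or None."""
    return [i for i, r in enumerate(cors_rules or []) if "*" in r.get("AllowedOrigins", [])]


def listing_is_public(pab, acl, policy_json):
    """True when anonymous ListBucket is actually reachable: a public grant exists
    AND the Block Public Access setting that would neutralise it is off."""
    gaps = set(public_access_block_gaps(pab))
    acl_perms = set(public_acl_grants(acl))
    via_acl = bool({"READ", "FULL_CONTROL"} & acl_perms) and "IgnorePublicAcls" in gaps
    policy_acts = set(public_policy_actions(policy_json))
    via_policy = bool({"s3:ListBucket", "s3:*", "*"} & policy_acts) and "RestrictPublicBuckets" in gaps
    return via_acl or via_policy


def audit_bucket(name, pab, acl, policy_json, cors_rules):
    """Findings for one bucket, built from the four read-only API responses."""
    findings = []
    if gaps := public_access_block_gaps(pab):
        findings.append(f"{name}: block-public-access missing {', '.join(gaps)}")
    if grants := public_acl_grants(acl):
        findings.append(f"{name}: ACL grants {', '.join(grants)} to a public group")
    if actions := public_policy_actions(policy_json):
        findings.append(f"{name}: bucket policy grants {', '.join(actions)} to Principal *")
    if rules := wildcard_cors_rules(cors_rules):
        findings.append(f"{name}: CORS rule(s) {rules} allow any origin")
    if listing_is_public(pab, acl, policy_json):
        findings.append(f"{name}: object listing is enumerable anonymously")
    return findings


def collect_bucket_state(s3, name):
    """Fetch the four responses with a boto3 S3 client; the "no such config" error
    codes are normal and map to None. Only this function touches AWS."""
    from botocore.exceptions import ClientError  # imported here so the checks run offline

    def fetch(call, key, missing_code):
        try:
            return call(Bucket=name)[key]
        except ClientError as e:
            if e.response["Error"]["Code"] == missing_code:
                return None
            raise

    pab = fetch(s3.get_public_access_block, "PublicAccessBlockConfiguration",
                "NoSuchPublicAccessBlockConfiguration")
    acl = s3.get_bucket_acl(Bucket=name)
    policy = fetch(s3.get_bucket_policy, "Policy", "NoSuchBucketPolicy")
    cors = fetch(s3.get_bucket_cors, "CORSRules", "NoSuchCORSConfiguration")
    return pab, acl, policy, cors


# Constructed sample responses (not from a real bucket): an exposed bucket with no
# Block Public Access configuration, plus a fully enabled configuration for contrast.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_CORS = [{"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]}]
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", None, SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_CORS):
        print(line)
```

Run against your own account by looping `s3.list_buckets()["Buckets"]` into `collect_bucket_state` and `audit_bucket`; note that the same bucket with all four Block Public Access settings on still reports the public ACL and the `Principal: "*"` policy as hygiene findings, but no longer reports the listing as enumerable.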
I've shipped open-source security auditors for Supabase, PocketBase, Appwrite, Hasura, Firebase. Each is MIT-licensed. The AWS S3 Bucket auditor follows the same playbook: active probe, not metadata inference. Source on GitHub.
What credentials do you need? The minimum read-only set required to enumerate the misconfiguration class. Specifics depend on the stack: for Stripe webhooks, your webhook endpoint URL + signing secret (read-only); for S3, an IAM key with s3:ListAllMyBuckets + s3:GetBucketPolicy; for GitHub Actions, a PAT with repo:read.
Will you keep the credentials? No. They are used only for the audit run and deleted from my machine after delivery. Rotate them afterwards if you want.
What if you find nothing? Money-back. I've never run this on a project that's been live more than 6 months and found zero issues, but if it happens to you, you don't pay.
I'd rather just use the open-source tool. Go ahead — https://github.com/Perufitlife/aws-s3-security. The $99 saves you the install + interpretation + writing the executive summary for your team.