Cloud environments move fast — and so do their risks. Misconfigurations, forgotten keys, and open resources can creep in without anyone noticing. That’s why security automation is no longer a luxury; it’s a necessity.
In this post, we’ll explore five everyday security tasks you can automate in AWS using Boto3, the Python SDK for AWS. With just a few lines of code, you can catch misconfigurations early, enforce policies automatically, and sleep a little better at night.
1. Detect Public S3 Buckets
Publicly accessible S3 buckets are one of the most common (and costly) security mistakes in the cloud. Even one exposed bucket can leak sensitive data, API keys, or backups. The problem often isn’t the initial configuration. It’s that people forget to restrict access later.
This automation quickly checks all S3 buckets in your account and flags those whose ACL grants access to everyone (bucket policies and Public Access Block settings are a separate check):
```python
import boto3
from botocore.exceptions import ClientError

# Both global groups expose the bucket beyond your own account
PUBLIC_GROUPS = {
    'http://acs.amazonaws.com/groups/global/AllUsers',
    'http://acs.amazonaws.com/groups/global/AuthenticatedUsers',
}
s3 = boto3.client('s3')
buckets = s3.list_buckets()['Buckets']
for bucket in buckets:
    name = bucket['Name']
    try:
        acl = s3.get_bucket_acl(Bucket=name)
    except ClientError as e:  # e.g. AccessDenied: listable but not inspectable
        print(f"Could not read ACL for {name}: {e.response['Error']['Code']}")
        continue
    for grant in acl['Grants']:
        grantee = grant.get('Grantee', {})
        if grantee.get('URI') in PUBLIC_GROUPS:
            print(f"⚠️ Bucket {name} is public ({grant['Permission']})! Consider restricting access.")
```
Automation idea: Schedule this script as a Lambda function that runs daily and sends alerts via SNS or Slack whenever it finds public buckets.
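An ACL check alone misses two things that decide whether a bucket is actually reachable: a bucket policy with a wildcard principal, and the Public Access Block settings that can neutralise both public ACLs and public policies. The following is an added example (not the post's code, and not an AWS library) that evaluates all three signals. The evaluation functions take the plain dicts the boto3 calls return, so they run offline on the constructed sample inputs at the bottom; `scan_buckets()` is an optional wrapper that feeds them real responses. Bucket names, principal IDs and the `vpce-example` endpoint ID in the samples are placeholders.

```python
import json

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # the evaluation functions below work without boto3
    boto3 = None

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers/AuthenticatedUsers
    in a get_bucket_acl()-shaped dict."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_allows_public(policy_doc):
    """True when an Allow statement has a wildcard principal and no Condition.
    Conditioned wildcards (aws:SourceVpce, aws:SourceIp, ...) are reported as
    not public here; they still deserve a manual look."""
    if not policy_doc:
        return False
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(
        s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
        for s in statements
    )


def evaluate_bucket(acl, policy_doc, pab):
    """Combine the signals. Public Access Block overrides the other two:
    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises a public bucket policy."""
    pab = pab or {}
    acl_public = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    policy_public = policy_allows_public(policy_doc) and not pab.get("RestrictPublicBuckets", False)
    return {"acl_public": acl_public, "policy_public": policy_public,
            "effectively_public": acl_public or policy_public}


def scan_buckets(s3=None):
    """boto3 wrapper: yield (bucket name, verdict) for every bucket."""
    s3 = s3 or boto3.client("s3")
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            policy_doc = json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy_doc = None
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as e:
            if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None  # no bucket-level block; an account-level block may still apply
        yield name, evaluate_bucket(acl, policy_doc, pab)


# Constructed sample inputs (placeholder bucket, principal and endpoint IDs)
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
SAMPLE_VPCE_POLICY = {"Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, verdict in scan_buckets():
        if verdict["effectively_public"]:
            print(f"⚠️ Bucket {name} is public: {verdict}")
```

Keeping the decision logic separate from the API calls is what makes this testable in CI: the same `evaluate_bucket()` can be run against recorded responses before it is trusted to raise alerts, and the `scan_buckets()` wrapper stays a thin loop over the account.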
2. Enforce IAM MFA for All Users
MFA (Multi-Factor Authentication) is a simple yet powerful control that drastically reduces account compromise risk. Unfortunately, enforcing it consistently across teams can be tricky, especially when multiple IAM users exist.
This short script checks all IAM users and flags those who haven’t enabled MFA:
```python
import boto3

iam = boto3.client('iam')
# list_users() is paginated; a paginator avoids silently skipping users
for page in iam.get_paginator('list_users').paginate():
    for user in page['Users']:
        name = user['UserName']
        mfa = iam.list_mfa_devices(UserName=name)
        if len(mfa['MFADevices']) == 0:
            print(f"🚨 User {name} does not have MFA enabled.")
```
Automation idea: Trigger this check via CloudWatch Events and automatically disable IAM keys for non-compliant users after multiple warnings.
3. Find Open Security Groups
Overly permissive inbound rules like 0.0.0.0/0 are the network equivalent of leaving your front door unlocked. They’re convenient for testing but dangerous in production.
This automation scans your security groups for open inbound rules and flags them:
```python
import boto3

ec2 = boto3.client('ec2')
for page in ec2.get_paginator('describe_security_groups').paginate():
    for sg in page['SecurityGroups']:
        for rule in sg.get('IpPermissions', []):
            # check both the IPv4 and the IPv6 "anywhere" ranges
            open_v4 = any(r.get('CidrIp') == '0.0.0.0/0' for r in rule.get('IpRanges', []))
            open_v6 = any(r.get('CidrIpv6') == '::/0' for r in rule.get('Ipv6Ranges', []))
            if open_v4 or open_v6:
                ports = 'all' if rule['IpProtocol'] == '-1' else f"{rule.get('FromPort')}-{rule.get('ToPort')}"
                print(f"⚠️ Security Group {sg['GroupName']} ({sg['GroupId']}) allows open access on {rule['IpProtocol']} {ports}!")
```
Automation idea: You can even auto-revoke these rules using revoke_security_group_ingress() after approval.
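Not every world-open rule is equally bad: port 443 on a web tier is usually intended, SSH or a database port from anywhere is not, and `IpProtocol` `-1` (all traffic) or a port range like 0-65535 is worse still. The following is an added example (not the post's code) that grades each open rule by severity, covers IPv6 `::/0`, and builds the exact `IpPermissions` entry needed to revoke only the offending CIDRs, leaving other source ranges in the same rule intact. The port lists, the severity levels and the `WIDE_RANGE` cut-off are this example's assumptions; the security group IDs in the sample are placeholders.

```python
try:
    import boto3
except ImportError:  # the classification below works without boto3
    boto3 = None

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}   # assumption: tune to your estate
WEB_PORTS = {80, 443}
WIDE_RANGE = 100  # more than this many ports open at once counts as critical


def world_cidrs(rule):
    """CIDRs in this IpPermission that cover the whole IPv4 or IPv6 space."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
    return v4 + v6


def classify_rule(rule):
    """None if the rule is not world-open, else 'critical'/'high'/'medium'/'low'."""
    if not world_cidrs(rule):
        return None
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return "critical"          # all protocols and all ports
    if proto in ("icmp", "icmpv6"):
        return "low"               # ping from anywhere: noisy, rarely exploitable by itself
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return "medium"
    if hi - lo + 1 > WIDE_RANGE:
        return "critical"          # e.g. tcp 0-65535
    ports = range(lo, hi + 1)
    if any(p in HIGH_RISK_PORTS for p in ports):
        return "high"              # admin or database port exposed to the internet
    if all(p in WEB_PORTS for p in ports):
        return "low"               # public web listener, usually intended
    return "medium"


def audit_security_groups(groups):
    """One finding dict per world-open rule across describe_security_groups()-shaped dicts."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            severity = classify_rule(rule)
            if severity:
                findings.append({
                    "group_id": sg["GroupId"], "group_name": sg.get("GroupName"),
                    "severity": severity, "protocol": rule.get("IpProtocol"),
                    "ports": (rule.get("FromPort"), rule.get("ToPort")),
                    "cidrs": world_cidrs(rule), "rule": rule,
                })
    return findings


def revocation_permission(finding):
    """The minimal IpPermission that removes only the world-open CIDRs from the
    flagged rule. Passing the whole original rule back would also drop any
    legitimate source ranges that share it."""
    rule = finding["rule"]
    perm = {"IpProtocol": rule["IpProtocol"]}
    if "FromPort" in rule:
        perm["FromPort"], perm["ToPort"] = rule["FromPort"], rule["ToPort"]
    v4 = [{"CidrIp": c} for c in finding["cidrs"] if c == "0.0.0.0/0"]
    v6 = [{"CidrIpv6": c} for c in finding["cidrs"] if c == "::/0"]
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return perm


def revoke_finding(ec2, finding, dry_run=True):
    """Revoke after approval. With DryRun=True EC2 only checks permissions and
    raises a DryRunOperation error instead of changing anything."""
    return ec2.revoke_security_group_ingress(
        GroupId=finding["group_id"], IpPermissions=[revocation_permission(finding)], DryRun=dry_run)


# Constructed sample groups (placeholder IDs): a web tier, a bastion that
# mixes a private range with 0.0.0.0/0, and a legacy group with allow-all.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000example", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0001example", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0002example", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['severity']:8} {f['group_name']} {f['protocol']} {f['ports']} from {f['cidrs']}")
```

To run it against a real account, replace `SAMPLE_GROUPS` with the pages from `ec2.get_paginator('describe_security_groups').paginate()`; the severity lets an alerting pipeline page on `critical` and `high` while only logging `low`.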
4. Check for Unencrypted EBS Volumes
Unencrypted EBS volumes are a silent compliance killer. It’s easy to miss enabling encryption when spinning up new EC2 instances manually or through scripts. Over time, these small gaps can turn into audit findings.
This automation scans all EBS volumes and reports those that aren’t encrypted:
```python
import boto3

ec2 = boto3.client('ec2')
for page in ec2.get_paginator('describe_volumes').paginate():
    for v in page['Volumes']:
        if not v['Encrypted']:
            print(f"🔒 Volume {v['VolumeId']} ({v['AvailabilityZone']}) is not encrypted!")
```
Automation idea: Extend this script to automatically snapshot and re-create volumes with encryption enabled.
5. Rotate Access Keys Automatically
Access keys are like house keys. The longer you keep the same one, the higher the chance someone else might have a copy. Regular key rotation is a best practice but often forgotten.
This script identifies IAM keys older than 90 days:
```python
import boto3
import datetime

MAX_AGE_DAYS = 90
now = datetime.datetime.now(datetime.timezone.utc)
iam = boto3.client('iam')
for page in iam.get_paginator('list_users').paginate():
    for user in page['Users']:
        name = user['UserName']
        keys = iam.list_access_keys(UserName=name)['AccessKeyMetadata']
        for key in keys:
            if key['Status'] != 'Active':
                continue  # inactive keys can't be used; clean them up separately
            # CreateDate is timezone-aware, so compare against an aware "now"
            age = (now - key['CreateDate']).days
            if age > MAX_AGE_DAYS:
                print(f"🕒 Access key {key['AccessKeyId']} for {name} is {age} days old. Consider rotation.")
```
Automation idea: Integrate with AWS Lambda to disable keys older than 90 days and send reminders via SES or Slack.
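Disabling every key older than 90 days is only safe when something else is already in use, otherwise the automation breaks the workload instead of rotating it. The following is an added example (not the post's code) that plans an action per key: inactive keys past a retention window are deleted, an old active key is deactivated only when a newer active key exists or it has gone dormant, and an old key that is still a user's only working credential gets a warning so a human creates the replacement first. `plan_rotation()` works on plain dicts and runs offline on the constructed sample; the boto3 helpers are optional. The thresholds and the dormancy window are this example's assumptions, and the key IDs are placeholders.

```python
import datetime as dt

try:
    import boto3
except ImportError:  # plan_rotation() works without boto3
    boto3 = None

WARN_AFTER_DAYS = 75        # assumption: nag before the hard limit
DEACTIVATE_AFTER_DAYS = 90  # the post's limit
DELETE_AFTER_DAYS = 120     # assumption: inactive keys older than this are removed
DORMANT_DAYS = 30           # assumption: unused this long counts as safe to deactivate


def age_days(when, now):
    return (now - when).days


def plan_rotation(keys, now=None):
    """keys: dicts with AccessKeyId, Status, CreateDate and LastUsedDate
    (None if never used). Returns {AccessKeyId: action}."""
    now = now or dt.datetime.now(dt.timezone.utc)
    active = [k for k in keys if k["Status"] == "Active"]
    plan = {}
    for k in keys:
        age = age_days(k["CreateDate"], now)
        last = k.get("LastUsedDate")
        dormant = last is None or age_days(last, now) > DORMANT_DAYS
        if k["Status"] != "Active":
            plan[k["AccessKeyId"]] = "delete" if age > DELETE_AFTER_DAYS else "none"
        elif age > DEACTIVATE_AFTER_DAYS:
            newer_active = any(o["CreateDate"] > k["CreateDate"] for o in active)
            # A newer active key means the switch already happened; dormant means
            # nobody relies on it. Otherwise a person must create the replacement
            # first, so only warn.
            plan[k["AccessKeyId"]] = "deactivate" if (newer_active or dormant) else "warn"
        elif age > WARN_AFTER_DAYS:
            plan[k["AccessKeyId"]] = "warn"
        else:
            plan[k["AccessKeyId"]] = "none"
    return plan


def collect_user_keys(iam, user_name):
    """boto3: merge list_access_keys() with get_access_key_last_used()."""
    keys = []
    for meta in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        used = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])["AccessKeyLastUsed"]
        keys.append({"AccessKeyId": meta["AccessKeyId"], "Status": meta["Status"],
                     "CreateDate": meta["CreateDate"], "LastUsedDate": used.get("LastUsedDate")})
    return keys


def apply_plan(iam, user_name, plan, dry_run=True):
    """Carry out the plan; with dry_run it only reports. Warnings would go to
    the notifier of your choice (SES or Slack in the post); here they print."""
    for key_id, action in plan.items():
        if action == "none":
            continue
        print(f"{user_name} {key_id}: {action}{' (dry run)' if dry_run else ''}")
        if dry_run or action == "warn":
            continue
        if action == "deactivate":
            iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
        elif action == "delete":
            iam.delete_access_key(UserName=user_name, AccessKeyId=key_id)


def rotate_all(dry_run=True):
    iam = boto3.client("iam")
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            apply_plan(iam, name, plan_rotation(collect_user_keys(iam, name)), dry_run)


# Constructed sample: a fixed "now" and a helper to build keys relative to it
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)


def make_key(key_id, status, age, last_used_age=None):
    """Placeholder key record aged `age` days, last used `last_used_age` days ago (None = never)."""
    return {"AccessKeyId": key_id, "Status": status,
            "CreateDate": SAMPLE_NOW - dt.timedelta(days=age),
            "LastUsedDate": None if last_used_age is None else SAMPLE_NOW - dt.timedelta(days=last_used_age)}


# One user: an old key still in use, its fresh replacement, and a stale inactive key
SAMPLE_KEYS = [
    make_key("AKIAEXAMPLEOLD00001", "Active", 120, 1),
    make_key("AKIAEXAMPLENEW00002", "Active", 5, 0),
    make_key("AKIAEXAMPLEDEAD0003", "Inactive", 200),
]

if __name__ == "__main__":
    print(plan_rotation(SAMPLE_KEYS, SAMPLE_NOW))
```

Running `rotate_all()` with the default `dry_run=True` on a schedule gives the reminder behaviour the post describes; flipping it to `False` enforces the plan, and the only-active-key guard keeps enforcement from turning into an outage.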
These five examples barely scratch the surface of what’s possible with Boto3. With some creativity, you can:
- Automatically remediate compliance drifts
- Enforce guardrails at scale
- Integrate automation into CI/CD pipelines
Automation isn’t just about convenience. It’s about building resilient, self-healing cloud environments that stay secure even when humans forget.
Drop your ideas or scripts in the comments. I’d love to hear how others are using automation to make AWS safer.
