This one walks you through the full S3 security checklist: creating buckets with default-deny policies, auditing existing configurations against AWS best practices, and fixing specific findings like missing encryption or public access. It enforces some opinionated constraints (customer-managed KMS keys only, mandatory HTTPS-only policies, bucket key enablement) and includes safety rails around put-bucket-policy so you don't accidentally wipe existing statements. The audit workflow checks versioning, encryption, logging, public access blocks, and Object Lock, then reports each as pass/fail with severity. It's detailed enough that you could hand it to someone unfamiliar with S3 security and they'd get a properly locked-down bucket, but experienced users might find the guardrails restrictive.
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill securing-s3-buckets
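An offline model of the audit workflow described above, added here as an example (not code from the skill or the toolkit): each check consumes the dict the matching boto3 call returns, so it runs without AWS credentials. The sample bucket configuration, the check names and the severity ranking are constructed assumptions.

```python
import json
# Constructed sample for one bucket: the dicts the matching boto3 calls return (get_bucket_versioning,
# get_bucket_encryption, get_bucket_logging, get_public_access_block, get_object_lock_configuration,
# get_bucket_policy) plus KeyManager from kms describe_key on the bucket's default key.
SAMPLE = {
    "versioning": {"Status": "Enabled"},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        "BucketKeyEnabled": False}]}},
    "logging": {},              # no LoggingEnabled key: server access logging is off
    "public_access_block": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True,
        "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "object_lock": None,        # the call raised ObjectLockConfigurationNotFoundError
    "key_manager": "CUSTOMER",  # "AWS" would mean the AWS-managed aws/s3 key
    "policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
}

def https_only(policy_resp):
    # Pass only if a Deny on every principal fires when aws:SecureTransport is false.
    for st in json.loads(policy_resp.get("Policy", "{}")).get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny" and st.get("Principal") in ("*", {"AWS": "*"})
                and str(cond).lower() == "false"):
            return True
    return False

def kms_cmk_with_bucket_key(enc_resp, key_manager):
    # Opinionated rule: SSE-KMS with a customer-managed key and Bucket Key enabled.
    for rule in enc_resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return key_manager == "CUSTOMER" and bool(rule.get("BucketKeyEnabled"))
    return False

def audit(cfg):
    pab = cfg["public_access_block"].get("PublicAccessBlockConfiguration", {})
    lock = (cfg["object_lock"] or {}).get("ObjectLockConfiguration", {})
    return [  # (check, passed, severity); the severity ranking is this example's assumption
        ("public_access_block", all(pab.get(k) is True for k in (
            "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")), "HIGH"),
        ("https_only_policy", https_only(cfg["policy"]), "HIGH"),
        ("sse_kms_cmk_bucket_key", kms_cmk_with_bucket_key(cfg["encryption"], cfg["key_manager"]), "HIGH"),
        ("versioning", cfg["versioning"].get("Status") == "Enabled", "MEDIUM"),
        ("access_logging", "LoggingEnabled" in cfg["logging"], "MEDIUM"),
        ("object_lock", lock.get("ObjectLockEnabled") == "Enabled", "LOW"),
    ]
```

On the sample bucket the audit fails the encryption check (Bucket Key off), access logging and Object Lock, and passes the rest.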