# Run a Security Posture Audit on Your IONOS CLOUD Object Storage Buckets

## Overview

This tutorial shows how to use the IONOS CLOUD MCP Server together with Claude Desktop to run a security audit across all your [IONOS CLOUD Object Storage](https://docs.ionos.com/cloud/backup-and-storage/ionos-object-storage) buckets in a single conversation. The AI assistant probes six security dimensions on every bucket and produces a CISO-ready HTML dashboard that summarizes findings, assigns a posture score, and lists remediation actions, without writing scripts.

Auditing three buckets across six dimensions takes under two minutes. The same workflow scales to dozens of buckets with the same prompt.

```mermaid
flowchart LR
    CD["Claude Desktop\nAI assistant"]
    MCP["IONOS CLOUD\nMCP Server\nlocal binary"]
    API["IONOS CLOUD APIs\nObject Storage management\nS3-compatible endpoint"]
    HTML["HTML dashboard\nposture score\nfindings + remediation"]

    CD <-->|"MCP / JSON-RPC"| MCP
    MCP <-->|"HTTPS"| API
    CD -->|"artifact"| HTML
```

The six security dimensions audited per bucket are:

| Dimension                   | Tool called                                     | Finding if absent                                                                             |
| --------------------------- | ----------------------------------------------- | --------------------------------------------------------------------------------------------- |
| Public access block         | `get_object_storage_bucket_public_access_block` | No block configured                                                                           |
| Bucket policy public status | `get_object_storage_bucket_policy_status`       | Policy public status unknown                                                                  |
| Server-side encryption      | `get_object_storage_bucket_encryption`          | Encryption not configured                                                                     |
| Versioning                  | `get_object_storage_bucket_versioning`          | Versioning disabled                                                                           |
| Object Lock                 | `get_object_storage_bucket_lock_configuration`  | Lock not configured. It cannot be enabled on existing buckets; it requires bucket recreation. |
| Lifecycle rules             | `get_object_storage_bucket_lifecycle`           | No lifecycle rules                                                                            |

{% hint style="info" %}
**Note:** The MCP Server is read-only. It cannot change any bucket configuration. This makes it safe to run against production buckets and helps meet compliance requirements such as PCI-DSS and SOC 2 that mandate non-destructive audits.
{% endhint %}

{% hint style="info" %}
**Note:** The Object Storage API returns `HTTP 404` when a security control is not configured, for example, when no encryption policy has been set. These are the correct S3 API semantics for "this control is absent." You will see 404 responses throughout the audit. They indicate controls that are not configured, not errors.
{% endhint %}

## Target audience

This tutorial is for security engineers, DevOps engineers, compliance teams, and cloud administrators who manage IONOS CLOUD Object Storage buckets and want a repeatable process for identifying security configuration issues.

Familiarity with the following is helpful:

* Basic IONOS CLOUD Object Storage concepts (buckets, access keys).
* Claude Desktop or any MCP-compatible AI client.

## What you will learn

* How to configure the IONOS CLOUD MCP Server with Object Storage credentials.
* How to list and inspect Object Storage buckets using natural language prompts.
* How to run security probes across multiple buckets in a single conversation.
* How to generate an HTML security posture dashboard as an AI artifact.
* How to interpret 404 responses as "control not configured" security findings.

## Before you begin

Ensure you have the following:

| Requirement | Details |
| --- | --- |
| IONOS CLOUD account | At least one Object Storage bucket in your account. |
| API token | Token with read access to Object Storage. Generate one in the [DCD](https://dcd.ionos.com/) under **Management** > **Token Management**. |
| Object Storage credentials | S3 access key and secret key. Generate in the DCD under **Object Storage** > **Access Keys**. Both are required; the API token covers bucket listing and location, while the S3 credentials are required for all six security probes. |
| MCP Server binary | Download the latest release for your platform from [ionoscloud-mcp releases on GitHub](https://github.com/ionos-cloud/ionoscloud-mcp/releases) and place it at `/usr/local/bin/ionoscloud-mcp` (macOS/Linux) or `C:\bin\ionoscloud-mcp.exe` (Windows). |
| Claude Desktop | Installed from [claude.ai/download](https://claude.ai/download). |

## Cost considerations

The tutorial uses existing Object Storage buckets in your account. The audit makes read-only API calls only, and it does not create resources or write data. No additional charges apply beyond your standard Object Storage request and storage fees.

{% hint style="info" %}
**Note:** Command examples in this tutorial use macOS/Linux paths and `chmod`. On Windows, substitute the Windows path (`C:\bin\ionoscloud-mcp.exe`) and use **Properties** > **Security** to restrict file permissions instead of `chmod`.
{% endhint %}

## Procedure

{% stepper %}
{% step %}

### Configure the MCP Server with Object Storage credentials

Open the Claude Desktop configuration file:

* **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
* **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`

Add the following entry to the `mcpServers` object:

```json
{
  "mcpServers": {
    "ionoscloud": {
      "command": "/usr/local/bin/ionoscloud-mcp",
      "env": {
        "IONOS_TOKEN": "your-api-token",
        "IONOS_S3_ACCESS_KEY": "your-s3-access-key",
        "IONOS_S3_SECRET_KEY": "your-s3-secret-key"
      }
    }
  }
}
```

Replace `your-api-token`, `your-s3-access-key`, and `your-s3-secret-key` with your credentials. On Windows, change `command` to the Windows path: `C:\bin\ionoscloud-mcp.exe`. By default, the MCP server registers all tools at startup, so the Object Storage security probe tools are immediately available without any additional configuration.

{% hint style="warning" %}
**Warning:** Keep credentials secure. Never commit this file to version control.

* **macOS/Linux:** Restrict file permissions: `chmod 600 ~/Library/Application\ Support/Claude/claude_desktop_config.json`
* **Windows:** Right-click the file, select **Properties** > **Security**, and restrict access to your user account only.

{% endhint %}

Quit and reopen Claude Desktop. A hammer icon in the input bar confirms the MCP Server is connected.
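To confirm the file is in the state the warning above asks for, the following added example (not part of the IONOS tooling or the original tutorial) checks the permission bits and the three `env` values of the `ionoscloud` entry. The function names `check_mcp_config` and `write_sample_config` are hypothetical, and the sample file is constructed in a temporary location.

```python
import json
import os
import stat
import tempfile

# Key names and placeholder values are the ones shown in the JSON entry above.
REQUIRED_ENV = ("IONOS_TOKEN", "IONOS_S3_ACCESS_KEY", "IONOS_S3_SECRET_KEY")
PLACEHOLDERS = {"your-api-token", "your-s3-access-key", "your-s3-secret-key"}


def check_mcp_config(path, server="ionoscloud"):
    """Return a list of problems in a Claude Desktop config (hypothetical helper)."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any group/other bit lets another local account read the stored keys.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:03o} is wider than 600")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    entry = config.get("mcpServers", {}).get(server)
    if entry is None:
        return problems + [f"no mcpServers entry named {server!r}"]
    env = entry.get("env", {})
    for name in REQUIRED_ENV:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is missing or empty")
        elif value in PLACEHOLDERS:
            problems.append(f"{name} still holds the tutorial placeholder")
    return problems


def write_sample_config(mode, env):
    """Write a constructed config to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"mcpServers": {"ionoscloud": {
            "command": "/usr/local/bin/ionoscloud-mcp", "env": env}}}, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample: world-readable file with empty credentials.
    sample = write_sample_config(0o644, {name: "" for name in REQUIRED_ENV})
    for problem in check_mcp_config(sample):
        print("PROBLEM:", problem)
    os.remove(sample)
```

Point `check_mcp_config` at your real `claude_desktop_config.json` path; an empty list means none of the checked problems were found.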
{% endstep %}

{% step %}

### Verify the connection

In a new Claude Desktop conversation, enter:

> List all my IONOS CLOUD Object Storage buckets. For each one, show the name, creation date, and region.

Claude calls `list_object_storage_buckets` and `get_object_storage_bucket_location` for each bucket and returns a table similar to:

| Bucket           | Created    | Region                     |
| ---------------- | ---------- | -------------------------- |
| my-backup-bucket | 2025-07-23 | `eu-central-3` (Berlin)    |
| my-app-assets    | 2025-11-10 | `eu-central-1` (Frankfurt) |
| my-logs          | 2026-01-12 | `eu-central-3` (Berlin)    |

{% hint style="success" %}
**Result:** A table of your buckets with regions. If you see a 403 error instead, verify that `IONOS_S3_ACCESS_KEY` and `IONOS_S3_SECRET_KEY` are set correctly in your configuration.
{% endhint %}

{% hint style="info" %}
**Note:** The bucket location tool returns the S3 endpoint region code (example: `eu-central-3`). The MCP Server maps these to the display names shown above.
{% endhint %}
{% endstep %}

{% step %}

### Run the security probes

Enter the following prompt to run all six security probes across every bucket:

> Run a full security posture check on all my Object Storage buckets. For each bucket, check: (1) public access block configuration, (2) bucket policy status, (3) server-side encryption, (4) versioning, (5) Object Lock configuration, and (6) lifecycle rules. Produce a summary table with a pass or fail status for each check per bucket.

Claude makes up to 18 tool calls in a single conversation (6 probes × 3 buckets in this example) and returns a findings table:

| Bucket           | Public access block | Policy public | Encryption       | Versioning | Object Lock      | Lifecycle  |
| ---------------- | ------------------- | ------------- | ---------------- | ---------- | ---------------- | ---------- |
| my-backup-bucket | ❌ Not configured    | ✅ Not public  | ❌ Not configured | ❌ Disabled | ❌ Not configured | ❌ No rules |
| my-app-assets    | ❌ Not configured    | ✅ Not public  | ❌ Not configured | ❌ Disabled | ❌ Not configured | ❌ No rules |
| my-logs          | ❌ Not configured    | ✅ Not public  | ❌ Not configured | ❌ Disabled | ❌ Not configured | ❌ No rules |

{% hint style="success" %}
**Result:** Each probe returns either configuration data (pass) or a 404 (finding). Zero errors mean the tools are working correctly; 404 responses indicate controls that are not configured, not failures.
{% endhint %}
{% endstep %}

{% step %}

### Generate the security posture dashboard

Enter the following prompt to produce a CISO-ready HTML artifact:

> Using the security findings from the previous step, create a polished HTML security posture dashboard. Include: an overall posture score out of 100, a per-bucket findings matrix with color-coded pass or fail indicators, a prioritized remediation checklist with the highest-risk items first, and an executive summary suitable for a CISO audience. Use a dark theme.

Claude generates the dashboard as an HTML artifact. Select the artifact panel to preview it in the conversation.

The dashboard includes a posture score ring, a per-bucket findings matrix, a prioritized remediation checklist, and a CISO executive summary. Here is an example of the output:

[Open example dashboard (HTML)](https://github.com/ionos-cloud/twt-tutorials-documentation/blob/main/.gitbook/assets/mcp-security-posture-example.html)

![Example security posture dashboard showing score ring, findings matrix, and CISO brief](/files/Fcb4FtWWpklBNpwxjdrY)
{% endstep %}

{% step %}

### Export the dashboard

To share the dashboard outside Claude Desktop:

1. Select the artifact panel in the conversation.
2. Select **Copy** to copy the HTML to your clipboard.
3. Paste into a new file and save as `security-audit-report.html`.
4. Open in a browser or attach to a ticket or email.

Alternatively, ask Claude to save it directly if you have a file-write MCP server configured alongside the IONOS CLOUD MCP Server.
{% endstep %}
{% endstepper %}

## Final result

After completing the procedure, you have:

* A complete inventory of all your Object Storage buckets with their regions.
* A per-bucket security findings matrix across six dimensions.
* A scored HTML dashboard ready to share with security or compliance teams.
* A prioritized remediation checklist.

The dashboard identifies which controls are absent without modifying any bucket; all findings reflect current configuration gaps that can be addressed through the DCD or the IONOS CLOUD API.

## Interpreting the findings

| Finding | Risk | Remediation |
| --- | --- | --- |
| Public access block not configured | High: default allows public access unless restricted by policy | Enable Block Public Access via the IONOS CLOUD Object Storage API. This feature is not available in the DCD. See [PutPublicAccessBlock](https://api.ionos.com/docs/object-storage-contract-owned-buckets/v2/#tag/PublicAccessBlock/operation/PutPublicAccessBlock) in the Object Storage API reference. |
| Encryption not configured | High for regulated data (PCI-DSS, HIPAA, SOC 2) | SSE-S3 encryption applies automatically to all objects uploaded via the DCD. If this probe returns a finding, confirm objects are uploaded through the DCD or using an SDK with SSE-S3 enabled. For customer-managed keys (SSE-C), use the API or SDK directly. |
| Versioning disabled | Medium: no recovery from accidental deletion | Enable versioning in the DCD: open the bucket, select **Bucket settings**, and enable **Versioning** under the **Data management** section. |
| Object Lock not configured | Medium for compliance buckets: **cannot be applied to existing buckets** | Enable Object Lock at bucket creation time. Existing unprotected buckets require data migration to a new bucket created with Object Lock enabled. |
| No lifecycle rules | Low: operational hygiene | Add lifecycle rules to expire or archive old objects and reduce storage costs. |
| Policy public status unknown | Informational | Verify no explicit public bucket policy is set. |
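The rule from the probe step (configuration data is a pass, a 404 is a finding) combined with the risk levels in the table above, as an added example that is not part of the MCP Server or the original tutorial. It also keeps 401/403 responses and probes that never ran out of the findings list, so a credential problem is not reported as a missing control or silently counted as a pass. The `(bucket, tool, status)` record shape, the function names, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Probe tool -> (finding text, risk). Names and risk levels come from the tables
# on this page; qualifiers such as "for regulated data" are dropped for sorting.
PROBES = {
    "get_object_storage_bucket_public_access_block": ("Public access block not configured", "High"),
    "get_object_storage_bucket_encryption": ("Encryption not configured", "High"),
    "get_object_storage_bucket_versioning": ("Versioning disabled", "Medium"),
    "get_object_storage_bucket_lock_configuration": ("Object Lock not configured", "Medium"),
    "get_object_storage_bucket_lifecycle": ("No lifecycle rules", "Low"),
    "get_object_storage_bucket_policy_status": ("Policy public status unknown", "Informational"),
}
RISK_ORDER = ["High", "Medium", "Low", "Informational"]


def classify(status):
    """Map an HTTP status to pass / finding / error using the page's rule."""
    if 200 <= status < 300:
        return "pass"      # configuration data was returned
    if status == 404:
        return "finding"   # control absent, not a tool failure
    return "error"         # 401/403 point at credentials; anything else needs a rerun


def triage(results):
    """Split probe records into risk-ordered findings and unaudited probes."""
    findings, errors, seen = [], [], defaultdict(set)
    for bucket, tool, status in results:
        seen[bucket].add(tool)
        outcome = classify(status)
        if outcome == "finding":
            text, risk = PROBES[tool]
            findings.append((risk, bucket, text))
        elif outcome == "error":
            errors.append((bucket, tool, status))
    # A probe that never ran leaves that dimension unaudited for the bucket.
    for bucket, tools in seen.items():
        for tool in PROBES.keys() - tools:
            errors.append((bucket, tool, None))
    findings.sort(key=lambda f: (RISK_ORDER.index(f[0]), f[1], f[2]))
    errors.sort(key=lambda e: (e[0], e[1]))
    return findings, errors


def sample_rows(bucket, statuses):
    """Build constructed records; statuses follow PROBES order, None = not run."""
    return [(bucket, tool, s) for tool, s in zip(PROBES, statuses) if s is not None]


# Constructed sample data, not real audit output.
SAMPLE = (sample_rows("my-backup-bucket", [404, 404, 404, 404, 404, 200])
          + sample_rows("my-logs", [404, 403, 200, 404, None, 200]))

if __name__ == "__main__":
    found, unaudited = triage(SAMPLE)
    for risk, bucket, text in found:
        print(f"{risk:<14}{bucket:<18}{text}")
    for bucket, tool, status in unaudited:
        print(f"UNAUDITED     {bucket:<18}{tool} (status={status})")
```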

## Troubleshooting

| Symptom                               | Resolution                                                                                                                                                                                                                                                                                                                                                                                        |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Hammer icon not visible after restart | Verify the binary path in `claude_desktop_config.json` is correct. On macOS/Linux, confirm the binary is executable: `chmod +x /usr/local/bin/ionoscloud-mcp`. On Windows, confirm the `.exe` extension is included in the path and the file is not blocked; right-click the `.exe`, select **Properties**, and select **Unblock** if shown.                                                      |
| "No Object Storage tools available"   | Two common causes: (1) you have set `IONOS_MCP_LOAD_MODE=lazy` — either remove it to fall back to eager (the default registers Object Storage tools at startup), or ask Claude to *"load the Object Storage tools"*. (2) `IONOS_S3_ACCESS_KEY` and `IONOS_S3_SECRET_KEY` are missing — Object Storage tools register at startup in eager mode but their probes return 401 without S3 credentials. |
| Probes return 403                     | Verify `IONOS_S3_ACCESS_KEY` and `IONOS_S3_SECRET_KEY` are set correctly; all six security probe tools require S3 credentials in addition to `IONOS_TOKEN`.                                                                                                                                                                                                                                       |
| Lifecycle probe hangs                 | Update to the latest MCP Server binary; a multi-region redirect loop affecting lifecycle calls was fixed in a recent release.                                                                                                                                                                                                                                                                     |
| Empty bucket list                     | Confirm your API token has read access to Object Storage and that the `IONOS_TOKEN` value has not expired.                                                                                                                                                                                                                                                                                        |

## Conclusion

You have used the IONOS CLOUD MCP Server and Claude Desktop to run a security audit across your Object Storage buckets and generate a CISO-ready posture report, all through natural language prompts, without writing scripts.

## Next steps

Expand the audit across more services to build a cloud-wide security posture baseline:

* Audit certificates for expiry using [Certificate Manager prompts](https://docs.ionos.com/cloud/ai/mcp-server/use-cases/security-audit#certificate-manager--expiry-audit); flag anything expiring within 30 days.
* Add Cloud DNS zone checks to verify DNSSEC is enabled on all zones.
* Run the combined cross-product audit prompt from the [Security Audit with AI use case guide](https://docs.ionos.com/cloud/ai/mcp-server/use-cases/security-audit) to cover all six products in one session.
* Schedule recurring audits by running the same prompts in Claude Code with a project-scoped `.mcp.json`; no interactive setup required.


