aws s3 rm --recursive in Windsurf — agent safety guide
Windsurf agents frequently attempt aws s3 rm --recursive during autonomous sessions.
aws s3 rm --recursive
What it does
Recursively deletes objects from an S3 bucket prefix.
Why agents run it
Autonomous coding agents optimize for task completion. When refactoring, cleaning up, or syncing repositories, agents often reach for aws s3 rm --recursive because it appears to solve the immediate problem — without surfacing irreversibility to the operator.
Default blocklist tier
DestructGuard's default rules tier includes aws s3 rm --recursive by default. Teams on the strict tier also block adjacent patterns. Pair with git pre-commit and pre-push hooks from the Pro Pack for defense in depth.
How to allow with audit
When a blocked command is genuinely needed, DestructGuard prompts for explicit approval and records the decision. Upload the audit log to IncidentScribe to reconstruct what happened before an outage.