diff --git a/test/integration/targets/dnf/vars/main.yml b/test/integration/targets/dnf/vars/main.yml
index 3f7b43a7121..90b68562178 100644
--- a/test/integration/targets/dnf/vars/main.yml
+++ b/test/integration/targets/dnf/vars/main.yml
@@ -3,4 +3,4 @@ dnf_log_files:
     - /var/log/dnf.rpm.log
     - /var/log/dnf.librepo.log
 
-skip_broken_repo_baseurl: "https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/dnf/skip-broken/RPMS/"
+skip_broken_repo_baseurl: "https://ci-files.testing.ansible.com/test/integration/targets/dnf/skip-broken/RPMS/"
diff --git a/test/sanity/code-smell/no-s3.json b/test/sanity/code-smell/no-s3.json
new file mode 100644
index 00000000000..5648429eb04
--- /dev/null
+++ b/test/sanity/code-smell/no-s3.json
@@ -0,0 +1,4 @@
+{
+    "text": true,
+    "output": "path-line-column-message"
+}
diff --git a/test/sanity/code-smell/no-s3.py b/test/sanity/code-smell/no-s3.py
new file mode 100644
index 00000000000..388e7744340
--- /dev/null
+++ b/test/sanity/code-smell/no-s3.py
@@ -0,0 +1,27 @@
+"""
+Disallow direct linking to S3 buckets.
+S3 buckets should be accessed through a CloudFront distribution.
+"""
+
+from __future__ import annotations
+
+import re
+import sys
+
+
+def main():
+    """Main entry point."""
+    for path in sys.argv[1:] or sys.stdin.read().splitlines():
+        with open(path, 'rb') as path_fd:
+            for line, b_text in enumerate(path_fd.readlines()):
+                try:
+                    text = b_text.decode()
+                except UnicodeDecodeError:
+                    continue
+
+                if match := re.search(r'(http.*?s3\..*?amazonaws\.com)', text):
+                    print(f'{path}:{line + 1}:{match.start(1) + 1}: use a CloudFront distribution instead of an S3 bucket: {match.group(1)}')
+
+
+if __name__ == '__main__':
+    main()