How do we prevent someone from accidentally making an S3 bucket public?
Block Public Access is on by default for new buckets since 2018, but old buckets and account overrides still exist. Enforce it at account level and you prevent 99 percent of incidents.
Try this first
- 1Enable S3 Block Public Access at account level, all four settings on. That overrides any bucket policy or ACL that says otherwise.
- 2Run AWS Config rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited as continuous checks.
- 3Set S3 Object Ownership to Bucket Owner Enforced. That disables ACLs entirely, so only IAM or bucket policy grants access.
- 4For buckets that do need to be public (static website, downloads), put CloudFront in front with Origin Access Control. Bucket stays private.
- 5On Azure this is Storage Account Public Access disabled, on GCP it's Public Access Prevention. Turn both on at org level.
When to bring us in
If you have hundreds of buckets and don't know what's in them, a Macie scan plus a short review is worth it before locking down hard.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.